This paper poses the following questions: What do companies have to consider to act in compliance with the GDPR? And which restrictions apply to companies in the context of employee data processing? The objective of this paper is to answer these questions and to derive recommendations for action that support German companies in implementing appropriate measures for GDPR compliance. Companies need to collect and process personal data about their employees over the whole employee life cycle, from recruiting through development to the employee's exit. Consequently, companies are affected by the European Union's General Data Protection Regulation (GDPR), which has applied since 25 May 2018.
It regulates the processing of personal data relating to natural persons, also called data subjects, by companies, organizations and individuals. Because the human resources department is involved in the whole employee journey, it plays a major role as the entity that controls and processes personal data. Therefore, implementing appropriate measures to comply with the GDPR, as laid out in this paper, is essential for every company that employs people. In the course of advancing digitization, companies depend more and more on data and face several challenges, ranging from a frequently changing workforce and ever-changing regulations to the unexpected pandemic, which shifted the way of working with employees and forced companies to rethink how employees are managed.
According to Statista, Germany had the second highest aggregated value of GDPR fines imposed in Europe between May 2018 and January 2021, with 69 million euro; only Italy registered about 300,000 euro more in fines during that period. The statistics do not distinguish between breaches of customer data and breaches of employee data. The author assumes that employee data breaches are included, especially in cases where employees are no longer satisfied with the company or have been dismissed. Under Article 83(5) GDPR, fines for non-compliance can reach up to 20 million euro or up to 4 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Table of Contents
1 Introduction
1.1 Problem and objectives
1.2 Methodology and structure
2 Basic Definitions
2.1 Personal data
2.2 Processing
2.3 Restriction of processing
2.4 Controller
2.5 Processor
3 Analysis of data processing restrictions concerning employees
3.1 Personal data protection rights of a natural person
3.2 Obligations of personal data controllers and processors
3.3 Personal data processing restrictions during the employee life cycle
3.3.1 Restrictions in recruiting activities
3.3.2 Restrictions during employment and performance measurement
3.3.3 Restrictions after termination of employment
4 Compliance implementation recommendation for German companies
5 Conclusion and Outlook
Objectives and Research Focus
This paper examines the restrictions on processing personal data of employees throughout their entire employment lifecycle in Germany, with the objective of providing actionable recommendations for companies to ensure GDPR compliance.
- Analysis of employee data processing rights and controller obligations under GDPR.
- Evaluation of data restrictions during the specific stages of recruitment, active employment, and post-employment.
- Review of technical and organizational measures (TOMs) for data security.
- Development of a roadmap for German companies to minimize legal and financial risks associated with GDPR non-compliance.
Excerpt from the Book
3.3.3 Restrictions after termination of employment
After termination of employment, most of the purposes for processing personal data end as well. Consequently, only the minimum of data required by other legal obligations may be retained (e.g., for statutory retention periods for financial purposes) (Calopereanu et al., 2019). Importantly, employers must guide employees on how to process personal data during their work activities, but also on the obligation of confidentiality regarding personal data to which they have or have had access during their employment. Thus, the obligation of confidentiality exists not only during the period of employment but also for a defined period after exit (Tataru & Tataru, 2020).
Summary of Chapters
1 Introduction: This chapter introduces the role of HR departments in processing employee data and outlines the core problem of GDPR compliance in the context of advancing digitalization.
2 Basic Definitions: This chapter defines key terminology mandated by the GDPR, including concepts such as personal data, processing, and the roles of controller and processor.
3 Analysis of data processing restrictions concerning employees: This chapter provides an in-depth review of individual data rights, organizational obligations, and the specific limitations on data processing across the employee lifecycle.
4 Compliance implementation recommendation for German companies: This chapter offers strategic advice and actionable steps for German companies to mitigate risks and implement GDPR-compliant processes.
5 Conclusion and Outlook: This chapter summarizes the identified rights and obligations and reaffirms the importance of a risk-based approach to GDPR compliance.
Keywords
GDPR, Employee Data, Data Processing, Controller, Processor, Employee Lifecycle, Recruitment, Performance Measurement, Data Protection, Compliance, TOMs, DPIA, Data Privacy, HR, Germany
Frequently Asked Questions
What is the core focus of this research paper?
The paper explores how German companies must manage the processing of personal employee data to remain compliant with the GDPR throughout the entire employee lifecycle.
What are the central thematic areas?
The primary themes include legal definitions under the GDPR, the specific rights of data subjects, organizational duties for controllers, and practical steps for compliance management.
What is the primary objective of the study?
The objective is to identify restrictions in employee data processing and derive appropriate implementation recommendations to support German companies in avoiding regulatory sanctions.
Which scientific methodology is applied?
The author utilizes a secondary literature review, analyzing current academic journals, legal reports, and the GDPR framework itself.
What is covered in the main body of the work?
The main body covers basic definitions, a detailed analysis of data processing restrictions during recruitment, active employment, and post-employment, followed by compliance recommendations.
Which keywords best characterize this work?
The work is best characterized by terms like GDPR compliance, data controller obligations, employee lifecycle, and technical and organizational measures (TOMs).
Why is the recruitment phase specifically mentioned as a risk?
Recruitment involves handling personal data of candidates; companies must ensure that only relevant data is collected and that data is deleted if a candidate is not hired, unless consent for further use is provided.
How should companies handle data after an employee leaves?
Companies must delete non-essential data, keeping only what is required by law (e.g., for financial retention purposes), while ensuring the employee remains bound by confidentiality obligations.
- Cite this work
- Claudia Peter (Author), 2021, Personal data processing restrictions concerning employees. Implementation recommendation for German companies, München, GRIN Verlag, https://www.grin.com/document/1168644