Personal data processing restrictions concerning employees. Implementation recommendation for German companies


Academic Paper, 2021

25 Pages, Grade: 1,3


Excerpt

Table of Contents


List of Figures

List of Abbreviations

1 Introduction
1.1 Problem and objectives
1.2 Methodology and structure

2 Basic Definitions
2.1 Personal data
2.2 Processing
2.3 Restriction of processing
2.4 Controller
2.5 Processor

3 Analysis of data processing restrictions concerning employees
3.1 Personal data protection rights of a natural person
3.2 Obligations of personal data controllers and processors
3.3 Personal data processing restrictions during the employee life cycle
3.3.1 Restrictions in recruiting activities
3.3.2 Restrictions during employment and performance measurement
3.3.3 Restrictions after termination of employment

4 Compliance implementation recommendation for German companies

5 Conclusion and Outlook

Bibliography

ITM-Checklist

List of Figures

Figure 1: Rights of data subjects (overview)

Figure 2: Obligations of data controllers and processors (overview)

Figure 3: Organizational measures

Figure 4: Personal data processed during execution of employment contract

Figure 5: Information details to be provided to data subjects

List of Abbreviations

Figure not included in this excerpt.

1 Introduction

Companies need to collect and process personal data about their employees over the whole employee life cycle, from recruiting through development to the exit of employees (Rakoski, 2021). Consequently, companies are subject to the European Union's General Data Protection Regulation (GDPR), which has applied since 25 May 2018 (European Commission, 2018, p. 87). It regulates the processing of personal data relating to natural persons, also called data subjects, by a company, an organization or an individual (Zanker, et al., 2021).

Because the human resource department is involved in the whole employee journey, it plays a major role as the entity that controls and processes employee personal data. The implementation of appropriate measures to comply with the GDPR, as laid out in this paper, is therefore essential for every company that employs people.

1.1 Problem and objectives

In the course of advancing digitalization, companies depend more and more on data (Rakoski, 2021) and face several challenges at once: a frequently changing workforce, ever-changing regulations, and the unexpected pandemic, which shifted the way of working with employees and forced companies to re-think how they manage them (Tataru & Tataru, 2020).

According to Statista, Germany has the second highest aggregated value of GDPR fines imposed in Europe between May 2018 and January 2021, at 69 million euro. Only Italy recorded about 300,000 euro more in fines during that period (Statista, 2021). The statistics do not distinguish whether the underlying breaches concerned customer data or employee data. The author assumes that employee data breaches are included, especially in cases where employees are no longer satisfied with the company or have been dismissed.

Fines for non-compliance with the GDPR can reach 20 million euro or up to 4 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher (Zanker, et al., 2021), (European Commission, 2018). This poses the following questions. What do companies have to consider in order to comply with the GDPR? And which restrictions apply to companies when processing employee data? The objective of this paper is to answer these questions and to derive recommendations for action that support German companies in implementing appropriate measures for GDPR compliance.

1.2 Methodology and structure

A secondary literature review was chosen as the research method: current literature, journals, the GDPR itself, and reports were studied. The limitation of this paper follows from the nature of that method. Further empirical studies on how companies interpret and implement the measures are recommended. As the focus here is on Germany, a global study could give further insights into this topic.

Following this introduction, the paper is structured into four main chapters. First, the author gives an overview of basic definitions. The second chapter contains an analysis of data processing restrictions concerning employees, beginning with personal data protection rules, followed by a deep dive into the data processing restrictions during the employee life cycle. In the third chapter, compliance implementation recommendations for German companies are derived. The last chapter summarizes the findings of the analysis and the derived compliance implementation recommendations for German companies.

2 Basic Definitions

2.1 Personal data

The term ‘personal data' “means any information relating to an identified or identifiable natural person (‘data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (European Commission, 2018, p. 33).

2.2 Processing

The term ‘processing' “means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (European Commission, 2018, p. 33).

2.3 Restriction of processing

The term ‘restriction of processing' “means the marking of stored personal data with the aim of limiting their processing in the future” (European Commission, 2018, p. 33).

2.4 Controller

The term ‘controller' “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law” (European Commission, 2018, p. 33).

2.5 Processor

The term ‘processor' “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” (European Commission, 2018, p. 33).

3 Analysis of data processing restrictions concerning employees

3.1 Personal data protection rights of a natural person

To understand the personal data processing restrictions concerning employees, the personal data protection rights of natural persons are examined first. Pursuant to the GDPR, data subjects (regardless of nationality) have the following rights:

Figure 1: Rights of data subjects (overview)

Figure not included in this excerpt.

Source: own exhibit according to (European Commission, 2018)

Art. 15 of the GDPR specifies the right of the data subject to obtain from the Controller confirmation as to whether it processes personal data of the data subject. If so, the Controller shall give the data subject access to that data (European Commission, 2018), (Tataru & Tataru, 2020). Art. 16 of the GDPR regulates the right of the data subject to obtain from the Controller, without undue delay, the rectification of inaccurate personal data concerning him or her (ibid.). Art. 17 of the regulation provides the right of the data subject to request the erasure of his or her personal data from the Controller. The Controller is obliged to erase the personal data without undue delay where, for example, the data subject has withdrawn the consent on which the processing is based or the data are no longer necessary for the purpose for which they were collected (ibid.); the exceptions in Art. 17(3), such as a legal obligation to retain records, still apply, which matters for payroll and tax records. Art. 18 of the GDPR describes the right of the data subject to obtain from the Controller the restriction of processing of his or her personal data. Once processing has been restricted, the data shall, apart from storage, only be processed with the consent of the data subject, for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State (ibid.).

The right to data portability, regulated in Art. 20 of the regulation, is the right of the data subject to receive his or her personal data from the Controller in a structured, commonly used and machine-readable format, and to transmit those data to another Controller without hindrance from the Controller (ibid.). Art. 21 of the GDPR regulates the right of the data subject to object at any time to processing that is based on legitimate interests or on a task in the public interest. The Controller shall then cease the processing unless it demonstrates compelling legitimate grounds that override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of legal claims (ibid.).

3.2 Obligations of personal data controllers and processors

Besides the rights of the data subject, the obligations of personal data Controllers and Processors also shape the restrictions on processing employees' personal data. Pursuant to Art. 82(2) of the GDPR, the Controller is liable for any damage caused by its processing operations. A Processor is liable only where it has not complied with the obligations the GDPR specifically addresses to processors, or where it has acted outside or contrary to the Controller's lawful instructions (Cimina, 2021). Key obligations of data Controllers and Processors are summarized in the following figure.

Figure 2: Obligations of data controllers and processors (overview)

Figure not included in this excerpt.

Source: own exhibit according to (European Commission, 2018), (Zanker, et al., 2021), (Hintze, 2018), (Ogriseg, 2017)

Data protection by design and by default, regulated in Art. 25 of the GDPR, obliges the Controller to design its technology and processes in a privacy-friendly way from the outset. To meet this requirement, “the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing” (European Commission, 2018, p. 48).
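As an added illustration, not part of the paper, the following Python sketch applies the two measures the quoted provision names, pseudonymisation and data minimisation, to a constructed HR export. The record layout, the field names, the two purposes and their allow-lists are assumptions made for this example. It also shows why the pseudonym must be keyed: an unkeyed hash of a low-entropy identifier such as an employee number can be reversed by simply enumerating the identifier space.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample rows standing in for an HR system export (not real people).
EMPLOYEES = [
    {"employee_id": "E-1001", "name": "Anna Example", "email": "anna@example.invalid",
     "department": "Sales", "birth_year": 1985, "salary_band": "B3", "sick_days": 4},
    {"employee_id": "E-1002", "name": "Ben Example", "email": "ben@example.invalid",
     "department": "Sales", "birth_year": 1990, "salary_band": "B2", "sick_days": 0},
    {"employee_id": "E-1003", "name": "Cora Example", "email": "cora@example.invalid",
     "department": "IT", "birth_year": 1978, "salary_band": "B4", "sick_days": 11},
]

# Data minimisation: each recorded purpose gets an explicit allow-list of
# attributes. Anything not listed never leaves the source system for that purpose.
# (Purposes and field names are assumptions for this example.)
PURPOSE_FIELDS = {
    "headcount_report": {"department"},
    "absence_analysis": {"department", "sick_days"},
}


def pseudonym(key: bytes, employee_id: str) -> str:
    """Keyed pseudonym (HMAC-SHA256): stable under one key, not computable without it."""
    return hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]


def unkeyed_pseudonym(employee_id: str) -> str:
    """What NOT to do: a plain hash of a low-entropy identifier."""
    return hashlib.sha256(employee_id.encode()).hexdigest()[:16]


def candidate_ids(start: int = 1000, stop: int = 2000) -> Iterable[str]:
    """The small identifier space an attacker would simply enumerate."""
    return (f"E-{n}" for n in range(start, stop))


def invert_unkeyed(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Reverse an unkeyed pseudonym by trying every candidate identifier."""
    for cand in candidates:
        if unkeyed_pseudonym(cand) == digest:
            return cand
    return None


def pseudonymise(records: List[Dict], key: bytes, purpose: str) -> Tuple[List[Dict], Dict[str, str]]:
    """Return (data set for the stated purpose, re-identification table).

    The key and the table are the 'additional information' of Art. 4(5) GDPR and
    must be stored separately from the data set under their own access control.
    """
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"purpose not recorded: {purpose!r}")
    allowed = PURPOSE_FIELDS[purpose]
    dataset: List[Dict] = []
    lookup: Dict[str, str] = {}
    for rec in records:
        pid = pseudonym(key, rec["employee_id"])
        lookup[pid] = rec["employee_id"]
        dataset.append({"pid": pid, **{k: rec[k] for k in sorted(allowed)}})
    return dataset, lookup


def reidentify(lookup: Dict[str, str], pid: str) -> Optional[str]:
    """Only the holder of the separately stored table can map back to a person."""
    return lookup.get(pid)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate per data set; keep in a secrets manager
    data, table = pseudonymise(EMPLOYEES, key, "absence_analysis")
    for row in data:
        print(row)
    # The unkeyed variant falls to enumeration of the ID space almost instantly.
    print(invert_unkeyed(unkeyed_pseudonym("E-1003"), candidate_ids()))
```

The allow-list per purpose is deliberately a whitelist: a new sensitive column added to the HR system later is excluded until someone records a purpose for it, which is the "by default" half of Art. 25. Rotating the HMAC key yields a fresh set of pseudonyms, so linkage across data sets is a decision rather than an accident.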

Organizations with more than 250 persons must record their personal data processing activities in writing or electronically, as regulated in Art. 30 of the GDPR. The record shall contain information such as which personal data are processed and why, how long they are stored, who has access to them, and which security measures have been implemented (Hoofnagle, et al., 2019). The same obligation applies to companies with fewer than 250 employees if the processing is likely to result in “a risk to the rights and freedoms of data subjects, in particular in respect of criminal convictions and offenses” (European Commission, 2018, p. 51), (Calopereanu, et al., 2019), or if the processing is not occasional; since payroll and HR processing is by nature continuous, the exemption rarely applies to employers in practice. These records are also needed in the event of a personal data breach, when the data subjects and the supervisory authority must be informed about the processing activities concerned. In this context, the regulation requires a data protection impact assessment (DPIA) pursuant to Art. 35 of the GDPR where the processing “is likely to result in a high risk to the rights and freedoms of natural persons” (European Commission, 2018, p. 53), (Selle, 2020). The Data Protection Officer (DPO) advises on and monitors the DPIA, but the assessment remains the Controller's responsibility. Where the DPIA shows that a high risk would remain even after the planned safeguards, the Controller must consult the supervisory authority before starting the processing (Hoofnagle, et al., 2019).

Art. 32 of the GDPR obliges Controllers and Processors to implement appropriate technical and organisational measures (TOMs) that ensure a level of security appropriate to the risk of the processing; the article names pseudonymisation and encryption, the ability to restore availability and access after an incident, and regular testing of the measures' effectiveness as examples. Data protection is therefore not achieved by technical measures in hardware and software alone, but also by organizational procedures such as those illustrated in the following figure.

[...]

Excerpt out of 25 pages

Details

Title
Personal data processing restrictions concerning employees. Implementation recommendation for German companies
College
The FOM University of Applied Sciences, Hamburg
Grade
1,3
Author
Year
2021
Pages
25
Catalog Number
V1168644
ISBN (Book)
9783346582959
Language
English
Keywords
GDPR, Personal Data Processing, Employees, Germany, Restrictions, Implementation recommendation
Quote paper
Claudia Peter (Author), 2021, Personal data processing restrictions concerning employees. Implementation recommendation for German companies, Munich, GRIN Verlag, https://www.grin.com/document/1168644
