
GDPR human resources - Preamble

The GDPR has profoundly impacted the field of human resources, revolutionizing the management of personal data within companies. In this article, we'll look at the key points of this regulation for HR.

The General Data Protection Regulation (GDPR) came into force on May 25, 2018. Its aim is to protect the personal data of all individuals within the European Union. It is important for all companies to ensure they are compliant with this regulation (GDPR HR).

Penalties for non-compliance can be severe. They can amount to up to 20 million euros, or in the case of a company, up to 4% of annual worldwide sales. These penalties can be made public, jeopardizing a company's reputation.

In summary, the key points for reducing the risks associated with non-compliance with the General Data Protection Regulation (GDPR) in the human resources field are to:

  • GDPR compliance
  • raise employee awareness of data protection
  • share your privacy policy
  • check your technical service providers for HR tools, accounting, etc.
  • regularly consult the resources provided by the Commission Nationale de l'Informatique et des Libertés (CNIL, the French data protection authority)

It's also advisable to work with a Data Protection Officer (DPO) who can help you set up effective procedures and meet the requirements of the GDPR and the CNIL.

Finally, it's important to remember that compliance is an ongoing process that needs to be maintained: a one-off compliance exercise is not enough, because a company's activities and data will evolve over time.

Data processed in HR

The field of human resources is very much affected by the General Data Protection Regulation. For example, recruitment is managed by human resources (HR), so they are particularly concerned by GDPR compliance.

A great deal of personal data is collected: surnames, first names, e-mail addresses, CVs, unsolicited job applications, etc. The HR department must guarantee the compliance of the personal data it processes (personal data processing, data retention period, etc.).

The HR department is also involved in the processing of financial data. The company must ensure the security of this information and, above all, respect the data retention period. (For example, pay slips may be retained by the company for 5 years after the employee has left.)

HR tasks involving the collection, processing or retention of personal data must be described in a data processing register.

Human resources manage a large amount of personal data in the course of their activities. Here are just a few examples of the types of data that may be collected, stored and processed by the HR department:

1. Personal data:

This includes data such as name, address, telephone number, e-mail address and identification information, such as social security numbers or passport numbers. This data is used to establish and maintain employee files, to communicate with employees and to set up pay slips or other documents related to the employee's activity.

2. Employment data:

This includes data such as position held, salary, benefits, compensation details, leave information, hire and departure dates, work history details and professional reference information.

3. Training and development data:

This includes data such as details of training programs taken, assessment results, information on skills and certifications obtained.

4. Medical data:

This includes data relating to employee health, such as disabilities and the means required for an employee to work, details of absences, details of accessibility requirements or requests for accommodation.

5. Performance data:

This is data relating to the evaluation of employee performance, such as the results of profitability assessments, comments on performance, details of promotions, salary increases, bonuses and other rewards.

It is important to note that this list is not exhaustive, and that companies may collect, store and process other types of personal data depending on their activities and specific needs. 

Can we keep information on employees?

It is perfectly possible to store information on employees, but care must be taken to minimize the data collected and to respect the data retention period.

Only personal data required for the proper functioning of the company may be stored. Data relating to an employee is kept for the duration of his or her presence in the organization. If the employee leaves, certain information must still be retained by the employer (for example, pay slips must be kept for 5 years after the employee's departure).

Data retention period for personal data

Data retention rules in human resources are about managing and supervising employee information responsibly and securely. They aim to protect employees' personal information while complying with regulations.

As an employer, you can keep certain data relating to your employees, but each piece of data has a time limit for use and a prescription period that must be respected.

For example:

  • Information concerning absences can be retained for the duration of the employment contract. After the employee has left the company, the data retention period is 5 years.
  • Information concerning a work-related accident may only be used for the duration of the accident. If the employee resigns, the data must be deleted after 5 years.
  • Social security charge data may be retained while it is being processed; it must be deleted 3 years after the end of the calendar year in respect of which the charges are due.

For more information about the data retention periods for personal data concerning HR, marketing, commercial prospecting, accounting, invoicing, company life, etc., you can consult our article here.

The main risks of GDPR non-compliance

There are several risks associated with GDPR non-compliance in Human Resources. The main risks are as follows:

1. Employee complaints

Employees can complain to the CNIL (Commission Nationale de l'Informatique et des Libertés) if they find that their personal data is not properly protected. Companies can be prosecuted and sanctioned if they fail to comply with the GDPR.

2. Candidate complaints

Job applicants can also complain if their personal data is not properly protected. This can lead to financial penalties for companies, as well as a loss of credibility with potential candidates.

3. Video surveillance risks

4. Checks by the CNIL

In the event of a complaint from an employee or applicant, the CNIL may decide to carry out a GDPR compliance check on the company as a whole, not just on the human resources aspects. Such checks can be burdensome and lead to sanctions if the company is found not to be compliant.

GDPR human resources: Data security

Data security is important for GDPR HR compliance. Companies must implement security measures to protect employees' personal data from loss, misuse or unauthorized access.

Here are some security measures that companies can put in place to protect employees' personal data:

  • Data encryption
  • Regular backups
  • Secure access
  • Password management policy
  • Regular monitoring and audits

Finally, it's important to remember that data security is an ongoing process: security measures must be reviewed and kept up to date with current technology and threats to remain effective.

GDPR HR: how to reduce these risks?

There are several ways for companies to reduce the risks associated with GDPR non-compliance in human resources:

1. Writing an employee privacy policy

Creating a privacy policy for employees is an effective way to reduce the risks associated with GDPR non-compliance. This policy should describe what data the company collects (data collection), how it is used (personal data processing), how long it is kept (data retention period) and how it is protected (data security).

It is important to make this policy available to employees and to train them in good privacy practices, so that they understand their rights and the company's obligations in terms of data protection.

2. Mention in employee contracts

Companies can reduce risks by including a statement on personal data protection in employees' employment contracts. This helps employees understand the company's requirements and obligations. The clause should describe what data is collected, how it will be used, how long the data will be retained, employees' rights and the security measures taken to protect the data.

3. Drafting a candidate privacy policy

Companies should also draw up a privacy policy for candidates. It is important to make this policy available on the recruitment area of the website for candidates to consult.

4. Process for data access requests

You also need to set up processes to manage employees' requests for access to their personal data. It is important to clearly define, together with the Data Protection Officer, which data must be transmitted. This will ensure that access requests are properly processed and that employees can exercise their right of access to their personal data.

Dipeeo