December 21st, 2017 | Sterling

What is Processing in the Employment Context as Detailed by Article 88 GDPR?

Sterling is offering a 10-part webinar series about the changes to the way personal data is protected in the European Union when the EU General Data Protection Regulation (GDPR) applies on 25 May 2018. The webinars share key steps HR and legal personnel can take now to help ensure full compliance from day one. The first webinar in the series, “What You Need to Know with 12 Months to Go,” introduced the changes to data privacy laws to come. The sixth webinar in the series, “Processing in the Employment Context (Article 88 GDPR),” is now available on demand. The webinar, describing Article 88 of the GDPR and how it will affect processing data in the employment context, was presented by Oran Kiazim, Vice President of Global Privacy, and Beatriz Torets-Ruiz, Privacy Analyst & Legal Researcher, of Sterling.

What is Article 88 GDPR and What Does It Mean?

Article 88 allows Member States to enact more specific rules for processing employees’ personal data in the employment context. A variety of human resources services are affected by this rule, including recruitment, performance of an employment contract, management planning & organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer’s or customer’s property, employment rights and benefits relating to employment, and the termination of employment.

The focus of the rules of Article 88 is to safeguard the individual’s human dignity, legitimate interest and fundamental rights with a particular regard to the transparency of processing, the transfer of personal data within a group of companies engaged in a joint economic activity and monitoring systems at the workplace.

The Impact of Article 88 GDPR on Background Screening

Article 88 may result in a patchwork of laws relating to background screening. Any Member State that wishes to enact national rules under Article 88 must notify the European Commission, which will, in turn, maintain a register of those specific rules. That register will mean that there’ll be a single source to understand how you may need to adapt your background screening programme to ensure compliance with local rules.

Which Countries Have Enacted Rules Under Article 88 GDPR?

Member States have started to enact national laws to ensure the GDPR is enshrined within their region. At the moment, Germany is the only Member State which has made such a change and is the only country that has made use of the derogations introduced by Article 88 GDPR. The new German data protection law contains provisions relating to the processing of employee data. Overall, it does not introduce a fundamental change to German law but, instead, consolidates existing legal provisions as well as case law and literature on the matter. Employment-related provisions are contained in §26 BDSG.

For consent to be valid according to §26, the employer must ensure that the consent is submitted voluntarily despite the dependent relationship. This can be the case if the employee gains an advantage from the consent or the interests of the parties are similar. Consent must generally be obtained in writing, although as a result of the circumstances, other forms are also possible. The purposes of the processing must be clearly stated and the employees must be informed clearly of the processing and must be informed of their right of withdrawal. Processing of special categories of personal data, such as health information, information on race or ethnic origin or union membership may be performed if this is necessary for the exercising of rights or the fulfillment of legal obligations under employment law or social security and social protection law.

Tips for Processing in the Employment Context

Oran and Beatriz shared a few best practices for conducting cross-border data transfers relevant to a background screening programme:

  • Identify which European countries your background screening programme currently applies to
  • Identify if these countries have introduced local rules under Article 88 GDPR
  • Determine what changes (if any) you may need to ensure your background screening programme accommodates local variances
  • Keep an eye out for additional local laws that may introduce derogations under Article 88 GDPR

Please note: Sterling is not a law firm. The material available in this publication is for informational purposes only and nothing contained in it should be construed as legal advice. We encourage you to consult with your legal counsel to obtain a legal opinion specific to your needs.

On 25 May, 2018, the EU General Data Protection Regulation (GDPR) takes full effect. Sterling has been planning for the GDPR changes that will affect the background screening industry since 2016. One way to stay up-to-date on the GDPR changes and make sure that your organisation is compliant is to sign up for the Sterling GDPR 10-part webinar series. We are offering On-Demand webinars that tackle the many aspects of the GDPR, from privacy notices to candidate rights and how the changes will affect the background screening industry. Sign up today for our next webinar, “GDPR: Profiling and Automated Decision Making.”

This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.