Data protection in human resources: The legal basics

With the progressive digitalization of society, and therefore also of companies, data protection is becoming increasingly important. This affects not only the relationship between customers and companies but also the one between employees and employers: GDPR-specific rights for employees and applicants, deletion deadlines, strict requirements for the secure handling of their data, and the sheer variety of legal standards pose a huge challenge for small and medium-sized companies. You can find an overview of the most important points for HR managers here.
Employee data protection: The legal principles
There are many legal sources for employee data protection: In addition to the aforementioned GDPR ("General Data Protection Regulation"), the BDSG ("Federal Data Protection Act") is of particular importance. In special cases, sector-specific legislation may also apply. Employee data protection aims to protect the personal rights of employees and applicants.
To this end, as little personal data as possible should be collected, in line with the principle of data minimization under Art. 5 para. 1 lit. c of the GDPR.
Furthermore, once data has been collected, it may not be processed arbitrarily: According to the principle of purpose limitation from Art. 5 para. 1 lit. b of the GDPR, data may only be processed for the purpose for which it was originally collected.
For example, if an applicant's address data was collected during the application process in order to contact them, it may not be used later to send them a newsletter. This also means that, at the time data is collected, everyone involved must be aware of the purpose for which it is being collected.
In addition to a precisely defined purpose, the collection and ongoing storage of personal data always requires a legal basis. These legal requirements can be found in Section 26 BDSG for employee data protection. According to this, processing is possible in particular if it is necessary for the decision on the establishment of an employment relationship or later for its implementation.
Leaving the company - deletion of data?
According to the principles described above, the personal data collected about an employee must be deleted immediately after the termination of the employment relationship. In principle, this includes not only entries in databases but also every e-mail, every note, every memo, and every other medium that contains the personal data of the former employee. Instead of deleting the documents concerned, it is also possible to anonymize them, e.g. by redacting the details of the respective employee.
But be careful! The obligation to delete has important exceptions: Data that may be significant for employment law disputes must be kept for three years, documents and business letters (including e-mails) relevant to tax law must be kept for six years, and documents relevant to the company's profit calculation must be kept for 10 years - even if they contain the name of the employee who has left the company.
Even more caution is needed with unsuccessful applicants, as they may use incorrect data processing as a pretext to take action against the company. Employers must therefore be able to identify, locate, and delete applicants' data. Data of rejected applicants may be retained to protect the company against possible legal action under the General Equal Treatment Act. However, the deadline for this is short - the data must be deleted no later than six months after the position has been filled.
Does data protection mean the end of talent pools?
The rules described above call into question the popular practice of keeping candidates in talent pools, i.e. storing the data of good applicants for a later date when a new position needs to be filled. Without effective consent, applicants' data may not be stored for this purpose, meaning that companies run the risk of losing interesting candidates from their pool. We therefore recommend taking the necessary care when formulating and documenting consent.
Employees have these rights
In addition to this basic protection, employees have certain rights that they can assert against their employer at any time - even after the employment relationship has ended:
- Incorrect, outdated, or unlawfully recorded data must be deleted, corrected, or blocked from further access by the employer at the employee's request.
- The employer must protect special categories of personal data, such as data relating to health, religion, or sexuality, from access by unauthorized persons, and an employee or applicant may withhold certain particularly sensitive data, even from the employer. If the employer attempts to obtain data that the employee or applicant is not obliged to disclose, they have the right to refuse to answer or to give an untruthful answer.
The monitoring of employees, for example by video, is particularly critical. The data protection authorities set strict limits on this practice and have already imposed fines in the millions on several companies for unlawful surveillance. Every company should carefully consider whether surveillance is really necessary, and the data protection officer should always be involved in the decision-making process.
Duty to provide information: Transparency for data subjects
Under Art. 15 of the GDPR, those responsible for data processing, i.e. the employer in the context of the employment relationship, are obliged to provide a range of information on request. This includes, in particular, the categories of data collected, the purposes for which the data is processed, the recipients of the data, and the planned duration of storage. Information must also be provided if data is transferred to third countries, e.g. in cloud applications.
However, companies are also obliged to be transparent even without an employee's request: They must proactively provide the aforementioned information, e.g. as part of a privacy policy for employees.
Data security: The standards
The applicable security standards are of particular importance: the party processing the data is obliged to ensure "appropriate" measures at all times to prevent unauthorized persons from accessing the data and to prevent data from being falsified or lost. What exactly counts as appropriate depends heavily on the situation. The following guidelines can serve as orientation:
- Data may only be transmitted via secure channels. Particularly sensitive data (e.g. health data) may only be sent by encrypted e-mail; fax is no longer considered appropriate.
- Only authorized persons may have access to data. An access control system with passwords or other access restrictions must therefore be set up.
- Where possible, different categories of personal data must be kept separate from each other in order to minimize the damage in the event of a data leak.
- Data must be stored on secure media, e.g. in an encrypted database, or in a locked filing cabinet for paper files.