Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
The EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) went into effect on May 25, 2018 and has become new cornerstone of data protection laws throughout the EU. Organizations in the European Economic Area (EEA) must comply with EU data protection laws when retaining documents containing personal data. The EEA includes the EU countries as well as Norway, Lichtenstein, and Iceland.
While the GDPR has been implemented at a national level by each EU member state, data privacy laws differ slightly from one EU country to another.
The Law on the protection of natural persons with regard to the processing of personal data (July 2018) sets a few requirements relating to processing personal information in Belgium, particularly genetic, biometric and health data.
There are also collective bargaining agreements in place relating to protecting employee’s personal information. For example, Collective Bargaining Agreement 68 of June 6 1998, places certain requirements on employers, including the requirement to notify the local works council prior to posting cameras in the workplace.
Separately, the works council must be informed when an employer wishes to install an electronic communication data control system (Collective Bargaining Agreement 81 of 26 April 2002 on the protection of workers' privacy with regard to the control of networked electronic communication data). Monitoring the use of employee email and internet access is limited to what’s proportionally appropriate given the reason for monitoring.
Firstly, it is important to understand who is the “data controller” under the EU legislative framework. An organization is a data controller when it determines the purposes and manner in which personal data is processed. “Personal data” refers to “any information relating to an identified or identifiable natural person.” That person is considered a “data subject” under the GDPR and may “be identified, directly or indirectly…by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”Clearly, a lot of employee-related information collected by employers qualifies as personal data, thereby subjecting European employers to EU data privacy regulations. The employer collecting the employee-related data is the data controller, and every HR solution adopted might be qualified as a sub-processing activity.
Regardless of whether an employer utilizes subcontractors to process information, data management processing principles will still need to be followed. This is because the “processing of personal data” is construed broadly and includes physical and automated procedures such as: collecting, recording, organizing, structuring, storing, adapting/altering, retrieving, consulting, using, disclosing by transmission, disseminating, making available, aligning/combining, restricting and erasing/destructing.
Therefore, as controllers of employee personal data collected in the employment context, employers must comply with the following personal data processing principles:
Employers should be able to provide a documented rationale for processing each piece of personal data. Processing can be legally justified if the:
If the employee data qualifies as sensitive personal data, then a narrower set of conditions applies. For example, one such condition is that a data subject has given explicit consent to the processing of his/her sensitive personal data. “Sensitive personal data” is the personal data consisting of information about the data subject’s racial or ethnic origin; political opinions; religious beliefs or beliefs of a similar nature; trade union membership; physical or mental health or condition; or sexual life.
______________________________________
The current authority responsible for enforcement of data privacy law and regulations in Belgium is the:
Belgium Data Protection Authority