GDPR Related National Laws & Modifications
The European Union’s General Data Protection Regulation (GDPR) sets a common standard for protecting personal data across the EU. It also allows member nations some flexibility to create additional provisions and limitations. Some examples, which may impact HR teams, include the ability for EU member states to:
- provide “specific rules to ensure the protection of…employees’ personal data in the employment context” (Art. 88);
- limit the transfer of “specific categories of personal data to a third country or international organization” if the country (or international organization) is deemed not to have adequate protections in place (Art. 49, (5)); and,
- “determine the specific conditions for the processing of a national identification number or any other identifier of general application” (Art. 87).
Derogations in Belgium
Belgium has updated laws to align with the GDPR and has some collective bargaining agreements in place relating to protecting employee’s personal data.
The Law on the protection of natural persons with regard to the processing of personal data (July 2018) sets a few requirements. Under the Law, employers (and others responsible for personal data) are expected to take additional steps when processing genetic, biometric or health data, including:
- designating the categories of individuals who can have access to personal health/biometric/genetic data and clearly defining their roles in terms of processing that data;
- retaining a list of the categories of persons (and making the list available to the relevant supervisory authority if requested);
- ensuring the individuals who are processing that data are legally or contractually bound to retain the confidentiality of that data.
Separately, designating a Data Protection Officer (DPO) may be required for employers (and others) who process personal data for or from Federal authorities if the data processing could result in a high risk to individuals’ rights and freedoms.
Works Council & Employee Notification Requirements
There are some cases where the works council or employees will need to be informed prior to implementing technology that may impact employee privacy.
- Collective Bargaining Agreement 68 of June 6 1998, places certain requirements on employers, including notifying the local works council prior to posting cameras in the workplace.
- The works council must be informed when an employer wishes to install an electronic communication data control system (Collective Bargaining Agreement 81 of 26 April 2002 on the protection of workers' privacy with regard to the control of networked electronic communication data). Monitoring the use of employee email and internet access is limited to what’s proportionally appropriate given the reason for monitoring. Permitted reasons are limited (ex. securing systems, preventing illicit/defamatory facts, protecting the financial interests of the company, etc.).