Employee Data Privacy

Does HR data processing require registration under data protection laws?

Data protection laws sometimes include conformity assessments, which help to ensure businesses follow regulations. Requirements can include registration before the Data Protection Authority and random audits. The General Data Protection Regulation (GDPR), which became effective on May 25, 2018, has helped make the requirements within the European Economic Area more uniform. That said, each Data Protection Authority remains independent and can create their own conformity assessments.

The GDPR is oriented on “privacy by design” and “privacy by default.” Controllers (employers) and Processors (subcontractors) must implement all technical and organizational measures necessary to ensure the protection of personal data. In practical terms, the processing of personal data in every instance should be accompanied with the privacy concern in order to limit the amount of data processed from the outset (so-called "minimization" principle). Two key considerations are the reasons for collecting the data and the potential consequences (risks) of maintaining and processing this data.

The consequence of this accountability principle is the reduction of required employee notifications, once controllers and processors conclude that processing the personal data does not constitute a risk to privacy. Prior to the GDPR going into effect, processing personal data was subject to authorization from the competent data protection authority. Going forward, the new procedure involves privacy impact assessments.

The GDPR has a few new compliance requirements to demonstrate accountability, such as:

• maintaining a register of treatments implemented
• the notification of security breaches (to the authorities and persons concerned)
• certifications
• adherence to codes of conduct
• the DPO (Data Protection Officer)
• Privacy Impact Assessments (PIAs)

 

Works Council Requirements

While employers in Belgium are not required to register with the data protection authorities, there are cases where the works council and/or employees will need to be informed prior to implementing technology that may impact employee privacy. This includes:

• Collective Bargaining Agreement 68 of June 6 1998, which places requirements on employers including the requirement to notify the local works council prior to posting cameras in the workplace;
  
  

• the updated Camera Surveillance Act (March 2018), which requires employees to be informed when video surveillance is used by the employer (this can be done via a privacy policy). The Act also contains the obligation to keep a register of camera surveillance related activities (including publicly disclosed visuals of where the cameras are placed) until video surveillance ends. Note that recordings generally must be destroyed within one month; and,
  
  

• Collective Bargaining Agreement 81 of 26 April 2002 on the protection of workers' privacy with regard to the control of networked electronic communication data. This Agreement requires employers to inform the works council prior to installing an electronic communication data control system. Monitoring employee email and internet access is limited to what’s proportionally appropriate given the reason for monitoring. Permitted reasons are limited (ex. securing systems, preventing illicit/defamatory facts, protecting the financial interests of the company, etc.).