GDPR Related National Laws & Modifications
The European Union’s General Data Protection Regulation (GDPR) sets a common standard for protecting personal data across the EU. It also allows member nations some flexibility to create additional provisions and limitations. Some examples, which may impact HR teams, include the ability for EU member states to:
- provide “specific rules to ensure the protection of…employees’ personal data in the employment context” (Art. 88);
- limit the transfer of “specific categories of personal data to a third country or international organization” if the country (or international organization) is deemed not to have adequate protections in place (Art. 49, (5)); and,
- “determine the specific conditions for the processing of a national identification number or any other identifier of general application” (Art. 87).
Derogations in the Czech Republic
The Data Processing Act, which came into force in April 2019, implemented the GDPR in the Czech Republic.
The Data Processing Act does not include any specific regulations relating employee data privacy. That said, note that the Czech Labor Code (Sec. 316) has set specific requirements relating to employee privacy, including:
- Informing employees in advance of any employee monitoring (both in scope and method). Monitoring of employee emails, letters or calls is restricted unless there is a serious cause, and employees have been informed of the scope and method of monitoring.
- Only permitting employers to request employee information that directly relates to performance of work or the basic employer relationship (i.e. you can’t require unnecessary personal information). Employers can’t require information relating to sexual orientation, origin (i.e. ethnicity), trade union membership, membership in political parties or movements, religion/confession or criminal records.
- Employers can only request information relating to pregnancy, family/property situation, or criminal records when there is cause (i.e. when it may impact the work to be performed), and if the request for information is appropriate or necessary to comply with the Labor Code or other legal acts. This information must be obtained directly from employees, and can’t be obtained in other ways such as through third parties.