GDPR Related National Laws & Modifications
The European Union’s General Data Protection Regulation (GDPR) sets a common standard for protecting personal data across the EU. It also allows member nations some flexibility to create additional provisions and limitations. Some examples, which may impact HR teams, include the ability for EU member states to:
- provide “specific rules to ensure the protection of…employees’ personal data in the employment context” (Art. 88);
- limit the transfer of “specific categories of personal data to a third country or international organization” if the country (or international organization) is deemed not to have adequate protections in place (Art. 49(5)); and
- “determine the specific conditions for the processing of a national identification number or any other identifier of general application” (Art. 87).
Derogations in Denmark
The new Danish Data Protection Act implemented the GDPR in the country and further clarified when employee data is allowed to be processed by employers, including:
- when necessary to observe employment law obligations and to meet the rights of the employee or employer as set out through other legal or collective agreements;
- when necessary to allow the employer or a third party to pursue legitimate interests based on a law or collective agreement, as long as those interests don’t override the fundamental rights or freedoms of the employee;
- with employee consent, as long as the consent is in accordance with GDPR requirements (note that consent has been questioned in the employment context given the unequal relationship between employee and employer).