GDPR Related National Laws & Modifications
The European Union’s General Data Protection Regulation (GDPR) sets a common standard for protecting personal data across the EU. It also allows member nations some flexibility to create additional provisions and limitations. Some examples, which may impact HR teams, include the ability for EU member states to:
- provide “specific rules to ensure the protection of…employees’ personal data in the employment context” (Art. 88);
- limit the transfer of “specific categories of personal data to a third country or international organization” if the country (or international organization) is deemed not to have adequate protections in place (Art. 49, (5)); and,
- “determine the specific conditions for the processing of a national identification number or any other identifier of general application” (Art. 87).
Derogations in France
In France, Law n° 2018-493 of 20 June “relating to personal data protection” modified the former French Data Protection Act and implemented the GDPR in the country. Under the Law, there are a few specific provisions which can impact HR-related data.
Sensitive Personal Data: Employers are permitted to process biometric data when it’s strictly necessary to control access to the workplace, to apparatus, or to software applications. Sensitive personal information can also be processed when it is rapidly anonymized (using a method approved by the CNIL, the Data Protection Authority).
National Registration Numbers (NIRs): NIRs can only be processed in limited circumstances. Decree n° 2019-341 of April 2019, 19th, permits employers to process NIRs for specific purposes, including: employment declarations, payment of social security contributions, working accidents, employee savings, etc.
Criminal History: While the Law implementing the GDPR does not include requirements for employers relating to criminal records, the use of criminal history for employment purposes is governed by French Criminal Procedure Code (Art. R. 82) and the French Labor Code (Art. L. 1221-6, 1222-2). Employers are generally not able to request criminal records directly from law enforcement. Instead, they can ask applicants and employees to obtain this information from law enforcement. Note that this is only permitted if the criminal history is directly related to the job or, the employer is permitted to request the information through a collective agreement or regulation.