GDPR Related National Laws & Modifications
The European Union’s General Data Protection Regulation (GDPR) sets a common standard for protecting personal data across the EU. It also allows member nations some flexibility to create additional provisions and limitations. Some examples, which may impact HR teams, include the ability for EU member states to:
- provide “specific rules to ensure the protection of…employees’ personal data in the employment context” (Art. 88);
- limit the transfer of “specific categories of personal data to a third country or international organization” if the country (or international organization) is deemed not to have adequate protections in place (Art. 49(5)); and
- “determine the specific conditions for the processing of a national identification number or any other identifier of general application” (Art. 87).
Derogations in France
In France, Law n° 2018-493 of 20 June “relating to personal data protection” modified the former French Data Protection Act and implemented the GDPR in the country. Under the Law, there are a few specific provisions which can impact HR-related data.
Sensitive Personal Data: Employers are permitted to process biometric data when it’s strictly necessary to control access to the workplace, to apparatus, or to software applications. Sensitive personal information can also be processed when it is rapidly anonymized (using a method approved by the CNIL, the Data Protection Authority).
National Registration Numbers (NIRs): NIRs can only be processed in limited circumstances under the French Data Protection Act. Per the CNIL, employers can process NIRs for the management of payroll and for the calculation of contributions paid to welfare organizations.
Criminal History: While the Law implementing the GDPR does not include requirements for employers relating to criminal records, the use of criminal history for employment purposes is governed by the French Criminal Procedure Code (Art. R. 82) and the French Labor Code (Art. L. 1221-6, 1222-2). Employers are generally not able to request criminal records directly from law enforcement. Instead, they can ask applicants and employees to obtain this information from law enforcement. Note that this is only permitted if the criminal history is directly related to the job, or if the employer is permitted to request the information through a collective agreement or regulation.
Ultimate Software's HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where Ultimate Software's customers have employees. HR Compliance Assist is a service exclusively available to Ultimate Software customers.