GDPR Related National Laws & Modifications
The European Union’s General Data Protection Regulation, going into effect May 25, 2018, sets a common standard for protecting personal data across the EU. It also allows member nations some flexibility to create additional provisions and limitations. Some examples, which may impact HR teams, include the ability for EU member states to:
- provide “specific rules to ensure the protection of…employees’ personal data in the employment context” (Art. 88);
- limit the transfer of “specific categories of personal data to a third country or international organization” if the country (or international organization) is deemed not to have adequate protections in place (Art. 49(5)); and,
- “determine the specific conditions for the processing of a national identification number or any other identifier of general application” (Art. 87).
Derogations in Ireland
Ireland’s new Data Protection Act 2018 (DPA) implemented the General Data Protection Regulation in Ireland and set a few rules which may impact employers, including:
Sensitive personal data – Can be processed in certain circumstances when “suitable and specific” measures have been taken to safeguard the fundamental rights and freedoms of the employee (and other data subjects).
Examples of appropriate circumstances include when data is being processed:
- on the basis of a legal obligation on the employer (i.e., the data controller) or employee (i.e., the data subject) relating to employment (or social welfare);
- for legal advice/procedures or establishing/defending/exercising legal rights;
- for the performance of a function conferred on a person by enactment or the Constitution;
- when necessary and proportionate for insurance, life assurance policies, pensions or mortgages; or,
- for health/social care purposes.
Criminal background checks – Under the DPA, the processing of criminal conviction data, such as background checks, is allowed in specific situations, including: with the individual’s consent; when necessary and proportionate to perform a contract to which the individual is a party (or to take steps at the request of the individual prior to entering a contract); or when the processing is necessary for legal advice/proceedings or for establishing/exercising/defending legal rights. That said, it’s generally not legal for employers to request criminal records on employees and job applicants. One exception to this rule is when an employee or job applicant will have access to, or contact with, children or vulnerable individuals. Employees and job applicants have to request their criminal records directly from the authorities (the employer cannot request them).
Access requests – Employers cannot require employees, job applicants or contractors to make access requests or provide personal data that was obtained as a result of an access request.