The European Union’s General Data Protection Regulation, going into effect May 25, 2018, sets a common standard for protecting personal data across the EU. It also allows member nations some flexibility to create additional provisions and limitations. Some examples, which may impact HR teams, include the ability for EU member states to:
Ireland’s new Data Protection Act 2018 (DPA) implemented the General Data Protection Regulation in Ireland and set a few rules which may impact employers, including:
Sensitive personal data – Can be processed in certain circumstances when “suitable and specific” measures have been taken to safeguard the fundamental rights and freedoms of the employee (and other data subjects).
Examples of appropriate circumstances include when data is being processed:
Criminal background checks – Under the DPA, the processing of criminal conviction data, such as background checks, is allowed in specific situations, including: with the individual’s consent; when necessary and proportionate to perform a contract to which the individual is a party (or to take steps at the request of the individual prior to entering a contract); or when the processing is necessary for legal advice/proceedings or for establishing/exercising/defending legal rights. That said, it’s generally not legal for employers to request criminal records on employees and job applicants. One exception to this rule is when an employee or job applicant will have access to, or contact with, children or vulnerable individuals. Employees and job applicants have to request their criminal records directly from the authorities (the employer cannot request them).
Access requests – Employers cannot require employees, job applicants or contractors to make access requests or provide personal data that was obtained as a result of an access request.