GDPR Related National Laws & Modifications
The European Union’s General Data Protection Regulation (GDPR) sets a common standard for protecting personal data across the EU. It also allows member nations some flexibility to create additional provisions and limitations. Some examples, which may impact HR teams, include the ability for EU member states to:
- provide “specific rules to ensure the protection of…employees’ personal data in the employment context” (Art. 88);
- limit the transfer of “specific categories of personal data to a third country or international organization” if the country (or international organization) is deemed not to have adequate protections in place (Art. 49, (5)); and,
- “determine the specific conditions for the processing of a national identification number or any other identifier of general application” (Art. 87).
Derogations in Norway
Norway implemented the GDPR through the Law on the processing of personal data (Personal Data Act, 2018). Under this law, employees’ personal information may be processed when necessary to meet labor law requirements and the rights of employees.
One aspect of the Personal Data Act which may impact Norway employers is the additional limitations on processing unique identifiers, including birth IDs. Employers (and others who manage data) can only use birth IDs to identify individual employees when there is a need for secure identification and the method used by employers is necessary to achieve such identification.
Ultimate Software's HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where Ultimate Software's customers have employees. HR Compliance Assist is a service exclusively available to Ultimate Software customers.