EN
What are the ground rules you should follow when collecting, using and securing personal data? The European Privacy Day on 28 January lets us pause to reflect on the procedures to ensure personal data protection. This is also relevant in the HR world, as organisations often hold all kinds of personal data on their employees.
The General Data Protection Regulation (GDPR) went into effect on 25 May 2018. This European Regulation lays down the ground rules for the collection, use and security of personal data. It concerns personal data of your employees, but by extension, data of customers too.
Personal data is a broad term. It's not just about classic data (such as name and surname), but also reports, evaluation forms, photos at the staff party or training, etc.
Not following the rules of the game? Then you risk a significant fine. For example, a fine of 15,000 euros was imposed by the Data Protection Authority (GBA) on an SME that refused to close the mailboxes of former employees.
The GDPR matter is a complex one. The conceptual framework is not simple, and there are various obligations, such as a documentation obligation and an information obligation. Employers often don't know where to start. This roadmap can give you a nudge in the right direction:
1. Map out personal data using a processing register (data registry).
This registry replaces the former declaration to the GBA, and is part of your documentation requirement. In the event of an audit, you can expect the request for this register for sure. The processing register must be continuously updated.
2. Identify the legal basis on which the processing is done.
There are 4 legal grounds:
In the case of the data subject's consent, it is stated that such consent must be free, explicit and informed.
3. Keep in mind the retention periods for this personal data.
The data should not be kept longer than strictly necessary. So you need to work with rules specific to applicable local regulations to map out these retention periods. As part of transparency, you also provide these retention periods by topic in the processing register.
4. Be aware of your information obligation.
For example, you must inform your employees what data is being processed, the retention periods, the right to information if it is necessary to correct the data, etc.
As part of this information obligation, you must also record what ground rules are used internally with regard to the handling of customer data, access to customer data, any sanctions in the event of a breach of these agreements.
You can regulate your information obligation in this context by working with a specific privacy policy, for example.
Elections are coming up: what remains to be decided?
In the run-up to the elections on 9 June 2024, there are still some labour issues to be completed and consequently some decisions that remain to be taken. What is the impact on you as an employer?
Read moreWhat will change for employers in April 2024?
Legislation is changing at a rapid pace and, as an employer, it is important to keep pace and know what changes may impact your organisation. We list all the most important changes for April 2024.
Read morePurchasing power bonus: 31 March is fast approaching
If you awarded your employees a purchasing power bonus in 2023, you are required to issue this bonus in the form of consumption vouchers by 31 March 2024 at the latest.
Read more
