Go back

How do you protect your employees' personal data?

26 January 2022 Miet Vanhegen Employers

What are the ground rules you should follow when collecting, using and securing personal data? The European Privacy Day on 28 January lets us pause to reflect on the procedures to ensure personal data protection. This is also relevant in the HR world, as organisations often hold all kinds of personal data on their employees.

Reading time: Read later?

Here's where the GDPR guards

The General Data Protection Regulation (GDPR) went into effect on 25 May 2018. This European Regulation lays down the ground rules for the collection, use and security of personal data. It concerns personal data of your employees, but by extension, data of customers too.  

Personal data is a broad term. It's not just about classic data (such as name and surname), but also reports, evaluation forms, photos at the staff party or training, etc.

Not following the rules of the game? Then you risk a significant fine. For example, a fine of 15,000 euros was imposed by the Data Protection Authority (GBA) on an SME that refused to close the mailboxes of former employees.

Step by step to optimal protection

The GDPR matter is a complex one. The conceptual framework is not simple, and there are various obligations, such as a documentation obligation and an information obligation. Employers often don't know where to start. This roadmap can give you a nudge in the right direction:

1. Map out personal data using a processing register (data registry).

This registry replaces the former declaration to the GBA, and is part of your documentation requirement. In the event of an audit, you can expect the request for this register for sure. The processing register must be continuously updated. 

2. Identify the legal basis on which the processing is done.

There are 4 legal grounds:

  • execution of the agreement;
  • legal obligation;
  • legitimate interest;
  • consent of the person concerned. 

In the case of the data subject's consent, it is stated that such consent must be free, explicit and informed.

3. Keep in mind the retention periods for this personal data.

The data should not be kept longer than strictly necessary. So you need to work with rules specific to applicable local regulations to map out these retention periods. As part of transparency, you also provide these retention periods by topic in the processing register.

4. Be aware of your information obligation. 

For example, you must inform your employees what data is being processed, the retention periods, the right to information if it is necessary to correct the data, etc.

As part of this information obligation, you must also record what ground rules are used internally with regard to the handling of customer data, access to customer data, any sanctions in the event of a breach of these agreements.

You can regulate your information obligation in this context by working with a specific privacy policy, for example.

Do you have any questions?

Our experts are ready to inform, advise and support you.

Contact us

Share this post

Acerta_Miet Vanhegen.png

Written by Miet Vanhegen

Juridisch adviseur

Related articles

What if the World Cup lives on in the workplace?

What if the World Cup lives on in the workplace?

18 November 2022 Nele Mertens

The kick-off of the World Cup is also the kick-off of ‘football mania’. What if your employees can’t kick the football spirit during working hours?

Read more
Four-day working week? Eight out of ten SMEs not behind the idea

Four-day working week? Eight out of ten SMEs not behind the idea

05 October 2022 Annelies Bries

Our survey reveals that barely 10% of SMEs are considering introducing the four-day working week.

Read more
Labour deal: overview of measures

Labour deal: overview of measures

30 September 2022 Annelies Bries

The labour deal bill has been passed. The aim of the labour deal is to get as many people as possible working. The emphasis is on flexibility, both employers and employees. What does the bill entail? What measures will be coming into effect?

Read more