Professional career: how should my personal data be used?

11 March 2019

As we mentioned in our first article about personal data in companies, organisations regularly collect and generate personal data throughout an employee’s career (job applications, pay slips, evaluations, etc.). The volume of this data keeps growing with new technological devices, from recruitment to departure.

Obligations and limits of collection according to the GDPR


  • Purpose limitation and legitimacy: data must only be collected and processed for a specific, pre-determined purpose, which must of course be justified, legitimate and not excessive.


  • Transparency and communication: the company must keep its employees informed of the data it collects and processes. They must be aware of the purpose of the processing, its legal justification, its basis and legitimate interest, as well as the length of time the data is kept. They must also be informed in case of automated processing of data, or transfer outside the European Union. Finally, they must know their rights under the GDPR and how to exercise them, as well as the contact details of the data controller and the data protection officer (DPO).


  • Data minimisation: only the data necessary for the intended processing and purposes should be collected.


  • Data accuracy: the data collected by the company must be accurate and not altered. Employees can modify their data to correct any inaccuracy.


  • Retention limits: data retention periods have been clearly defined according to the nature and purpose of the data, and the employer must respect them. Data relating to personnel management may be kept for 5 years after the departure of the employee concerned. Payroll data may be kept for 5 years after the dates of payment, except for information necessary for establishing employees’ rights, such as pension rights, which may be stored without limitation. Recruitment files, on the other hand, must be destroyed if the applicant is not successful, unless the company informs the applicant and obtains his/her agreement, in which case the CV may be kept for 2 years.


  • Confidentiality and security: the employer must itself ensure that the data it collects and processes is secure. This is the employer’s responsibility, and the employer must be able to demonstrate the implementation of appropriate protection measures.


Personal data in the professional context is not limited to what the employer collects, nor does it all remain with the employer. The company may call on subcontractors for certain processing operations, and certain data concerning an employee may be regularly transmitted to various organisations or administrations throughout his or her career. In both cases, the security of the data is ensured by the requirements set by the GDPR.


Transfer of personal data to third parties


If the company uses one or more subcontractors to manage the personal data it collects, it must ensure, according to Article 28 of the GDPR, that they:

“present sufficient guarantees as to the implementation of appropriate technical and organisational measures so that the processing meets the requirements of this Regulation and guarantees the protection of the data subject’s rights”.


Personal data may be sent to administrations or public services. Most of them comply with the GDPR and certify this on their websites. This is the case, for example, with URSSAF, AMELI and Pôle emploi.

Thus, in addition to preventing any abuse, the GDPR allows personal data to be secured in the professional context, regardless of their nature or the number of transfers they are subject to. Like citizens, employees can exercise their GDPR rights regarding their personal data with the companies they work for or with public administrations. The free Myfairdata application allows them to easily exercise these rights.
