|Austria||05.06.2018||No, the ADPA does not provide for special provisions on the processing of personal data in the context of employment. However, the Austrian Data Protection Authority has always had a very strict and reluctant approach as regards the processing of employees' data, which is expected to be upheld.
|Belgium||08.10.2018||No special provisions|
|Denmark||06.09.2018||§ 12 permits data processing in the employment context when:
(1) it is necessary for compliance with employment obligations or rights laid down by law or collective agreements;
(2) it is necessary to pursue a legitimate interest arising from law or collective agreements, unless the interest is overridden by the rights and freedoms of the data subject;
(3) the data subject has given his or her consent.
|Finland||13.11.2018||Section 30 of the Data Protection Act states that privacy in the employment context is covered by the Act on the Protection of Privacy in Working Life. The Ministry of Economic Affairs and Employment has suggested a few changes to the current act for it to comply with the GDPR. The government proposals for the changes are currently under review in the Parliamentary committees.
|France||11.02.2019||No special provisions.
§ 26 FDPA constitutes a basis for processing of employment data. The new rule keeps more or less the framework of the current rules on processing of HR data. The processing of employee data is generally allowed if necessary for establishing, carrying out or terminating the employment relationship (NB: subject to interpretation based on existing case law and guidance of DPAs). The GDPAA maintains the current restrictions for investigations of criminal conduct and now expressly mentions operating or service agreements (collective agreement) and collective bargaining agreements as a possible legal basis for the processing of HR data.
§ 26 FDPA also contains certain justifications for the use of special categories of employee data ("sensitive data") and a definition of the term "employee". The GDPAA further provides clarification on consent, such as the circumstances when such consent is "freely given" in an employer-employee relationship. Legal and economic advantages are considered in this respect; the reasoning of the GDPAA refers, for example, to the use of IT for private purposes or to receiving health benefits. Under certain conditions, § 24(2) FDPA permits a change of purposes for sensitive data in the HR context.
|Hungary||01/04/2019||Covered by the Labor Code.|
|Ireland||12.09.2017||Under section 46 of the Act, subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects the processing of special categories of personal data shall be lawful where the processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the controller or the data subject in connection with employment or social welfare law.|
|Italy||25.10.2018||Section 111 of IDPA states that the Authority promotes the adoption of ethical rules for public and private subjects interested in the processing of personal data carried out in the context of employment.
Section 111-bis IDPA provides that the information referred to in Article 13 of the GDPR, in cases of receipt of a direct application, is provided at the time of the first contact. Within the limits of the purposes referred to in Article 6, paragraph 1, letter b) of the Regulation, consent to the processing of personal data contained in curricula vitae (CVs) is not required.
Section 21 of the Decree states that the Authority is to identify, within 90 days following the entry into force of the Decree itself (before the end of the calendar year), which of the general regulatory measures will remain fully valid (e.g. guidelines on biometric data, processing of data at work).
No material derogations.
Based on article 9 (2) sub b GDPR, article 30(1) UAVG provides the exceptions to the prohibition to process health data in an employment context. Processing health data is not prohibited if the processing is done by employers or institutions working for them, and in so far as the processing is necessary for:
a. proper implementation of statutory regulations, pension schemes or collective agreements that provide for entitlements that depend on the health status of the data subject; or
b. the reintegration or supervision of employees or benefit recipients in connection with illness or incapacity for work.
Based on article 9 (2) sub g GDPR, article 25 UAVG provides the exceptions to the prohibition to process ethnic and racial data: such data can be processed for positive discrimination/equal treatment purposes.
Based on article 9 (2) sub g GDPR, article 29 UAVG provides the exceptions to the prohibition to process biometric data: such data can be processed for identification of an individual if the processing is necessary for authentication or security purposes.
Article 33(3) UAVG states that personal data of a criminal nature relating to personnel employed by the controller may only be processed if this is done in accordance with the procedures to follow based on the Works Councils Act.
Employers are obliged to request an exhaustive list of data categories from job candidates and employees as set out in the Labour Code; if they want to collect more data directly from job candidates and employees, then consent is required, unless there is a special provision of law that entitles them to process this data (e.g. some criminal convictions of managing board members).
|Slovakia||13.09.2018||An employer, as a controller, is allowed to process or publish personal data to the extent of title, name, surname, relevant position, employee's work ID, place of work, telephone number, fax number, email and employer's identification data, if it is necessary in relation to the fulfilment of work tasks and duties of the data subject. Such processing or publishing must not undermine the data subject's seriousness, dignity and security. (Article 78 (3) of New DPA).
Article 24 of the SDPA addresses whistleblowing and introduces the possibility of anonymous reporting. It regulates whistleblowing systems in the private sector, as well as the creation and maintenance of procedures that provide safe channels for staff or other informants to report wrongdoing in companies. Given that the information processed is sensitive and that leaks or unauthorised disclosure may have adverse consequences both for the whistleblowers and the individuals accused, companies are required to take special care over the technical and organisational measures needed to mitigate the risks and ensure data security. The Act provides that whistleblowing data shall only be stored for a maximum of 3 months (unless the personal data was necessary for the investigation, in which case it could be stored longer).
Article 22 of the SDPA allows the use of CCTV systems for security purposes.
Article 89 regulates the use of video and voice recording systems in the field of employment. These systems can be used for the supervision and monitoring of employees' compliance with their duties, as long as the monitoring activities comply with Spanish Labour laws and employees are informed of their existence.
Article 87 of the SDPA recognises employees' right to privacy and use of digital devices in the workplace. It states that:
a. Workers shall have a right to privacy when using digital devices provided by their employers.
b. Employers may access such devices with the purpose of verifying workers' fulfilment of their obligations and in order to verify the integrity of the devices.
c. Employers shall establish criteria for the use of such devices (workers' representatives shall participate in deciding these criteria). Acceptable uses need to be specified and the employer needs to put in place enough guarantees to protect the privacy of the employees, who need to be duly informed of such acceptable uses.
Article 88 of the Act recognises employees' right to digital disconnection - internal policies regulating this shall be put in place with the collaboration of the workers' representatives.
Article 90 of the Act recognises employees' right to privacy against the use of geolocation systems in the workplace and allows the employers to use geolocation systems for the supervision of employees, as long as this processing complies with Spanish Labour laws and employees are informed about it.
|Sweden||06.09.2018||Paragraph 3:2 provides that it is permitted to process sensitive personal data pursuant to Article 9(2)(b) of the GDPR in the field of employment. In such cases, data may only be disclosed to a third party where employment law imposes such obligation on the controller or the data subject has explicitly consented to the disclosure.|
The controller must additionally ensure that its records of processing activities (under Article 30 of the GDPR):
The Data Protection Act 2018 restricts certain data subject rights, including subject access, with regard to employment references. For more information see 'Any other areas under discussion'.
Enforced subject access
The Data Protection Act 2018 maintains the offence for requiring an individual to exercise their subject access rights to obtain a relevant record (largely relating to health, convictions and cautions, and statutory functions) as part of the recruitment or continued employment of that individual. For more information see 'Any other areas under discussion'.
Equal opportunity and treatment
The Data Protection Act 2018 allows employers, with certain restrictions, to consider "specified" categories of personal data (personal data revealing racial or ethnic origin, and religious or philosophical beliefs or personal data concerning health or an individual's sexual orientation) as part of equality of opportunity or treatment. Employers may also process data regarding racial and ethnic origin to promote and maintain diversity at senior levels of the organisation. For more information see 'Special rules for special categories of data'.