Last reviewed
Employment context

Austria  05.06.2018 No, the ADPA does not provide for special provisions on the processing of personal data in the context of employment. However, the Austrian Data Protection Authority has always taken a very strict and reluctant approach to the processing of employees' data, which is expected to be upheld.
Belgium 08.10.2018 No special provisions
Czech Republic 13.09.2018 n/a
Denmark 06.09.2018 § 12 permits data processing in the employment context when: 
(1)  it is necessary for compliance with employment obligations or rights laid down by law or collective agreements; 
(2)  it is necessary to pursue a legitimate interest arising from law or collective agreements, unless the interest is overridden by the rights and freedoms of the data subject;
(3) the data subject has given his or her consent.
Finland 13.11.2018 Section 30 of the Data Protection Act states that privacy in the employment context is covered by the Act on the Protection of Privacy in Working Life. The Ministry of Economic Affairs and Employment has suggested a few changes to the current act for it to comply with the GDPR. The government proposals for the changes are currently under review in the Parliamentary committees.
France 11.02.2019 No special provisions.
Germany 23.05.2018

§ 26 FDPA constitutes a basis for the processing of employment data. The new rule keeps more or less the framework of the current rules on processing of HR data. The processing of employee data is generally allowed if necessary for establishing, carrying out or terminating the employment relationship (NB: subject to interpretation based on existing case law and guidance of DPAs). The GDPAA maintains the current restrictions for investigations of criminal conduct and now expressly mentions operating or service agreements (collective agreement) and collective bargaining agreements as possible legal bases for the processing of HR data.

§ 26 FDPA also contains certain justifications for the use of special categories of employee data ("sensitive data") and a definition of the term "employee". The GDPAA further provides clarification on consent, such as the circumstances when such consent is "freely given" in an employer-employee relationship. Legal and economic advantages are considered in this respect; the reasoning of the GDPAA refers, for example, to the use of IT for private purposes or to receiving health benefits. Under certain conditions, § 24(2) FDPA permits a change of purposes for sensitive data in the HR context.

Hungary 01/04/2019 Covered by the Labor Code.
Ireland  12.09.2017  Under section 46 of the Act, subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, the processing of special categories of personal data shall be lawful where the processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the controller or the data subject in connection with employment or social welfare law.
Italy 25.10.2018 Section 111 of IDPA states that the Authority promotes the adoption of ethical rules for public and private subjects interested in the processing of personal data carried out in the context of employment.

Section 111-bis IDPA provides that, where a direct application is received, the information referred to in Article 13 of the GDPR is provided at the time of the first contact. Within the limits of the purposes referred to in Article 6, paragraph 1, letter b) of the Regulation, consent to the processing of personal data contained in CVs is not required.

Section 21 of the Decree states that the Authority is to identify, within 90 days following the entry into force of the Decree itself (before the end of the calendar year), which of the general regulatory measures will remain fully valid (e.g. guidelines on biometric data, processing of data at work).
Netherlands 17.09.2018 No material derogations.

Based on article 9 (2) sub b GDPR, article 30(1) UAVG provides the exceptions to the prohibition to process health data in an employment context. Processing health data is not prohibited if the processing is done by employers or institutions working for them, and in so far as the processing is necessary for:
a. proper implementation of statutory regulations, pension schemes or collective agreements that provide for entitlements that depend on the health status of the data subject; or
b. the reintegration or supervision of employees or benefit recipients in connection with illness or incapacity for work.

Based on article 9 (2) sub g GDPR, article 25 UAVG provides the exceptions to the prohibition to process ethnic and racial data: such data can be processed for positive discrimination/equal treatment purposes.

Based on article 9 (2) sub g GDPR, article 29 UAVG provides the exceptions to the prohibition to process biometric data: such data can be processed for identification of an individual if the processing is necessary for authentication or security purposes.

Article 33(3) UAVG states that personal data of a criminal nature relating to personnel employed by the controller may only be processed if this is done in accordance with the procedures to follow based on the Works Councils Act. 
Poland 07.09.2018

Employers are obliged to request an exhaustive list of data categories from job candidates and employees as set out in the Labour Code; if they want to collect more data directly from job candidates and employees, then consent is required, unless there is a special provision of law that entitles them to process this data (e.g. some criminal convictions of managing board members).

However, the processing of a candidate's/employee's special categories of personal data by the (potential) employer on the basis of his/her explicit consent is not permitted unless such data is provided on the candidate's/employee's initiative. It is also prohibited in all circumstances to process a candidate's/employee's personal data relating to criminal convictions and offences by the (potential) employer if such processing is based on his/her consent. The only basis for such processing is a legal obligation.

Employers may (i) use CCTV for the purpose of ensuring employees' security, protection of employer's property, production control, and information security; and (ii) monitor employees' emails for the purpose of ensuring a work organization which allows for making full use of employees' working hours and appropriate usage of the working tools made available to them.

Slovakia 13.09.2018  An employer, as a controller, is allowed to process or publish personal data to the extent of title, name, surname, relevant position, employee's work ID, place of work, telephone number, fax number, email and employer's identification data, if it is necessary in relation to the fulfilment of work tasks and duties of the data subject. Such processing or publishing must not undermine the data subject's seriousness, dignity and security. (Article 78 (3) of New DPA).
Spain 05.03.2019 Article 24 of the SDPA addresses whistleblowing and introduces the possibility of anonymous reporting. It regulates whistleblowing systems in the private sector, as well as the creation and maintenance of procedures that provide safe channels for staff or other informants to report wrongdoing in companies. Given that the information processed is sensitive and that leaks or unauthorised disclosure may have adverse consequences both for the whistleblowers and the individuals accused, companies are required to take special care over the technical and organisational measures needed to mitigate the risks and ensure data security. The Act provides that whistleblowing data shall only be stored for a maximum of 3 months (unless the personal data was necessary for the investigation, in which case it could be stored longer).

Article 22 of the SDPA allows the use of CCTV systems for security purposes.

Article 89 regulates the use of video and voice recording systems in the field of employment. These systems can be used for the supervision and monitoring of employees' compliance with their duties, as long as the monitoring activities comply with Spanish Labour laws and employees are informed of their existence.

Article 87 of the SDPA recognises employees' right to privacy and use of digital devices in the workplace. It states that:
a. Workers shall have a right to privacy when using digital devices provided by their employers.
b. Employers may access such devices with the purpose of verifying workers' fulfilment of their obligations and in order to verify the integrity of the devices.
c. Employers shall establish criteria for the use of such devices (workers' representatives shall participate in deciding these criteria). Acceptable uses need to be specified and the employer needs to put in place enough guarantees to protect the privacy of the employees, who need to be duly informed of such acceptable uses.

Article 88 of the Act recognises employees' right to digital disconnection - internal policies regulating this shall be put in place with the collaboration of the workers' representatives.

Article 90 of the Act recognises employees' right to privacy against the use of geolocation systems in the workplace and allows the employers to use geolocation systems for the supervision of employees, as long as this processing complies with Spanish Labour laws and employees are informed about it. 
Sweden 06.09.2018 Paragraph 3:2 provides that it is permitted to process sensitive personal data pursuant to Article 9(2)(b) of the GDPR in the field of employment. In such cases, data may only be disclosed to a third party where employment law imposes such obligation on the controller or the data subject has explicitly consented to the disclosure.
UK 23.05.2018
Employment, social security and social protection

For processing necessary to perform or exercise obligations or rights of the controller or of the data subject under employment, social security or social protection law, the Data Protection Act 2018 introduces a requirement on the controller to put into place an "appropriate policy document".
(Paragraph 1 of Schedule 1 to the Data Protection Act 2018)

An appropriate policy document must:

  • explain the controller's procedures for complying with the data protection principles laid out in Article 5 of the GDPR;
  • explain the controller's policies as regards the retention and erasure of personal data, including providing an indication of how long the personal data are likely to be retained; and
  • be retained for as long as the processing takes place (and then for six months when the relevant processing ceases), be reviewed from time to time (if appropriate), and be made available to the ICO without charge (if requested).

The controller must additionally ensure that its records of processing activities (under Article 30 of the GDPR):

  • include details on the controller's processing of personal data in the context of employment, social security and social protection;
  • describe how the processing satisfies Article 6 of the GDPR (lawfulness of processing); and
  • include details on whether the personal data are retained and erased in accordance with the controller's policies.

(Paragraphs 38 – 41 of Schedule 1 to the Data Protection Act 2018)

Employment references

The Data Protection Act 2018 restricts certain data subject rights, including subject access, with regard to employment references. For more information see 'Any other areas under discussion'.
(Paragraph 24 of Schedule 2 to the Data Protection Act 2018)

Enforced subject access

The Data Protection Act 2018 maintains the offence for requiring an individual to exercise their subject access rights to obtain a relevant record (largely relating to health, convictions and cautions, and statutory functions) as part of the recruitment or continued employment of that individual. For more information see 'Any other areas under discussion'.
(Section 177 of the Data Protection Act 2018)

Equal opportunity and treatment

The Data Protection Act 2018 allows employers, with certain restrictions, to consider "specified" categories of personal data (personal data revealing racial or ethnic origin, and religious or philosophical beliefs or personal data concerning health or an individual's sexual orientation) as part of equality of opportunity or treatment. Employers may also process data regarding racial and ethnic origin to promote and maintain diversity at senior levels of the organisation. For more information see 'Special rules for special categories of data'.
(Paragraphs 8 and 9 of Schedule 1 to the Data Protection Act 2018)