GDPR is around the corner - employers must prepare to comply with stricter data protection rules

11 July 2017

Karoliina Kallasvuo

The most significant regulatory change of the last few decades in EU data protection law is drawing nearer: the General Data Protection Regulation, known as the 'GDPR', becomes applicable in May 2018. The GDPR sets out harmonised core principles and rules on data protection across all EU Member States, therefore requiring them to review national data protection laws, amending or repealing those that overlap with the GDPR.

In Finland, the work of reviewing national legislation took a significant step forward in the run-up to Midsummer, when a Working Group set up by the Finnish Ministry of Justice issued a memorandum of proposed amendments to general data protection laws. When it comes to special laws concerning privacy in employment, more information about the proposed changes is expected in late 2017. Finland currently has strict laws which aim to ensure privacy in employment, and it is not expected that any significant amendments to these rules are necessary for the GDPR. Member States are, however, allowed to introduce additional data protection rules, through derogations, on a range of areas including employment practices.

In addition to these derogations, the GDPR itself is directly applicable to processing personal data of employees. In practice, this means that all employers must be able to comply with the rules set in the GDPR in addition to those set out in national law. For example, each employer must prepare for the GDPR by updating the information currently provided to employees, such as privacy policies, and by reviewing contracts concerning outsourced payroll and accounting functions. As the GDPR is based on the so-called risk-based approach, employers are also expected to recognise areas that might be especially risky to employees' privacy, with video camera surveillance and the monitoring of the location of employees at the top of the list. Employers must then focus on minimising those risks with technical and organisational measures.

In conclusion, while the full picture of legislation concerning privacy in employment is still unclear in most Member States, it is highly recommended that all employers start to prepare for the GDPR as early as possible, given the potential organisational, technical and administrative impact of the new rules on many organisations in all business sectors.

Our experienced lawyers are known for their expertise in data protection and employment. To learn more about what is just around the corner, see also our Guide to the GDPR.

Read how our Bird & Bird colleagues from Denmark and Sweden have commented on the topic:

Mia Boesen (Associate, Denmark): "As in Finland, this is a very 'hot topic' in Denmark as well! Under current Danish Data Protection legislation, it is a requirement that personnel administration is notified to the Data Protection Agency if sensitive data is processed, such as health information, whistleblower information etc. Since GDPR does not contain any requirements for notification in relation to personnel administration, it is likely that the notification obligation will be attempted to be upheld in a new Danish Data Protection Act.

Parallel with the proposal for a Data Protection Act, the Ministry of Justice has pronounced that it will issue a number of practical guides to supplement the GDPR report and the Data Protection Act proposal. It is expected that these guides will address areas such as use of consent in employment relationships."

Ottilia Boström (Counsel, Sweden): "Whilst many of the principles and concepts of the GDPR are in line with the current Swedish data protection regulation, the GDPR does implement some new rules and a somewhat harsher regime. In addition, national supplementary provisions are expected in Sweden; however, these are not anticipated to restrict the processing of personal data beyond the restrictions set out in the GDPR."
