Employers process personal data of their staff on a large scale.
“Personal data” is an umbrella term for any information by which one can identify a person, directly or indirectly, such as the name, the address, the national registry number, the salary data, the online profile, or the log-in details.
The concept of “processing” is defined so broadly that almost any operation performed on personal data counts as processing, such as collection, recording, storage, adaptation, alteration, consultation, use, disclosure by transmission, dissemination, or erasure. One condition applies, however: the processing must be at least partially carried out by automated means or, if not, the personal data must be intended to form part of a filing system.
Confirmation and reinforcement of existing principles
The Regulation mainly confirms the existing principles, for example with respect to the processing of personal data in an acceptable, legitimate and secure way. The basic rules with respect to the transfer of personal data to countries outside Europe remain largely the same as well. Furthermore, the existing rights and obligations are reinforced.
Think about employees’ right to have access to, rectify or erase personal data (the so-called “right to be forgotten”) or to transmit them to a third party (“data portability”). The employer’s obligation to process personal data as securely as possible, using safeguards such as anonymisation, pseudonymisation or encryption, is also reinforced (“data protection by design and by default”). Employers will also still have to enter into contracts with companies that process personal data on their behalf (e.g. payroll administrators, external IT service providers, insurance companies). However, the processors themselves will bear greater responsibility than they do today.
The “one-stop-shop” principle
In the future, companies doing business in different European Member States will only have to work with one single central administration, whereas previously they had to verify in each Member State separately which actions they had to undertake.
Reinforcement of the information obligation
Under the current rules, the employer has to provide specific information to (potential) employees when processing their personal data. For example, the persons concerned have to know for which purposes their data are processed, to whom the data are communicated and whom they can contact to exercise their rights.
This information obligation is further reinforced by the Regulation.
Henceforth, in addition to the information that is already required today, the employer will for instance have to indicate on which legal ground the processing of personal data is based.
In the employment context, employees’ personal data are often processed on the basis of the employer’s legitimate interests. This is one of the possible grounds on which data may be processed. The Regulation now obliges the employer to describe this legitimate interest in the information provided.
Employers will also, for example, have to communicate in advance whether they intend to transfer data outside the European Union, the period for which the data will be stored, the right to lodge a complaint with the Belgian supervisory authority (the Commission on the Protection of Privacy, the “Privacy Commission”), the right to withdraw consent (where the processing is based on consent, wholly or in part), and the identity of the “Data Protection Officer” (if applicable).
This more extensive information has to be provided in an intelligible and easily accessible form, using clear and plain language. The information should, as a general rule, be provided in writing either on paper or electronically.
Consent as a legal ground for the processing
Under the current legislation, the employee’s consent is already a potential legal ground for the processing of personal data. Nevertheless, there has always been some debate about whether employees can “freely” give their consent.
Although the Regulation maintains consent as a legal ground, this consent is subject to stricter conditions.
A declaration of consent should be freely given, specific, informed and unambiguous, and should be provided using clear and intelligible language. Where processing is based on consent, the employer will have to demonstrate that the employee has given it. Therefore, consent must be explicit. The employee also has the right to withdraw consent at any time.
For this reason, we advise you to use consent as an additional legal ground, but to ensure that, as an employer, you also have another legal ground for the processing of personal data.
Register of processing activities
As of the entry into force of the Regulation, companies employing 250 employees or more will probably no longer be obliged to report to the Privacy Commission, but will have to maintain a written or electronic register of all processing activities carried out under their responsibility. This register must contain a number of mandatory items and must be submitted at the request of the Privacy Commission. Companies employing fewer than 250 persons will also have to keep this register if the processing of personal data is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or involves sensitive data.
Mandatory appointment of a “data protection officer” for some companies
Some employers, such as public authorities or companies whose core activities consist in processing personal or sensitive data, will be obliged to designate a so-called “data protection officer”. The data protection officer may be a staff member, or fulfil the tasks on the basis of a service contract. This person will advise the employer of the measures which have to be taken pursuant to the new Regulation and will also monitor compliance with the principles of this Regulation. This officer should be in a position to perform his duties within the company in an independent manner. He will have to report to the highest management level and may not be dismissed for performing his tasks.
Mandatory notification of breaches
If employees’ personal data were to fall into the wrong hands, for example because the data have been hacked or due to a human or system error, the employer will in some cases be obliged to report this to the Privacy Commission and to the individuals concerned. Just think of an employee whose laptop, on which personal data are stored, is stolen, or of an e-mail containing personal data that is accidentally sent to the wrong address. A policy describing the various possible situations and the actions to be taken in each can be useful.
Higher risk of penalties
Today, we feel that employers on the Belgian market do not see compliance with the rules on the processing of personal data as a top priority. This is partly because, under the current Belgian legislation, unlike in some of our neighbouring countries, there is no real risk of penalties: criminal sanctions are provided for, but are rarely applied. Nor does the Privacy Commission have sanctioning powers.
This will change drastically under the new Regulation.
Employees will be able to lodge a complaint with the Privacy Commission and may file a claim for damages.
Henceforth, companies that do not respect the rules will run the risk of being substantially fined by the Privacy Commission, with administrative fines of up to EUR 20 million or 4% of the company’s annual global turnover.