During these final weeks before General Data Protection Regulation (GDPR) implementation, you’re surely all but ready to give your boss a long-awaited ‘thumbs up’. But while day-to-day procedures and corporate policies have been updated, have you looked at the company’s Employee Contracts? GDPR expects these to be in order too.
You already know that the content of any contract is extremely important, with legally binding terms that make clear the conditions of employment. And you also know that where terms have not been lived up to, the consequences can be significant – for either party.
Because, at its core, the GDPR establishes accountability for the privacy rights of employees and their right to control their data, the contract they work under has to reflect this.
The challenge is identifying what amendments to existing contracts need to be made to ensure contracts comply with the new regulations.
Why Reviewing Employee Contracts Is So Important
Given its significance, and that employee awareness and employer accountability are such key parts of GDPR compliance, the details in any Employee Contract should now include clear reference to employee privacy, data retention, data sharing, data amending and data protection.
Logically, written contracts need to be unambiguous in their wording, since both parties have to understand exactly where their responsibilities lie and what is expected of them. Any data protection provisions, therefore, must be clear, specific and plainly worded.
The GDPR will typically add only several paragraphs to a contract, so much of an existing document will remain intact. However, new factors like employee consent will need to be highlighted.
From the content of the employee contract, employees must clearly understand:
- Employee consent is a requirement
- Consent must be requested by the employer
- Consent must be unambiguous and specific
- Consent must be given freely to the employer, without fear of consequences
- Employees can opt out, and consent can be withdrawn, at any time
Traditional general consent and opt-out mechanisms currently appearing in contracts are not sufficient.
There are other situations where consent is needed but is not covered by the employment contract. In such cases, separate consent will need to be secured, requiring a procedure complete with official forms. HR will need to demonstrate that obtaining and processing this data is in line with the GDPR.
Other Key Points To Include
- Clearly state why data protection is important, and how it benefits all parties
- Clearly state what personal data is, and the variety of forms it takes (CCTV, employee records, social media, etc.)
- In clear and plain language, describe the data rights of the employee, like ‘the right to be forgotten’, ‘the right to restrict processing’ and ‘the right to data portability’
- Details on the responsibilities of the employer
- Details on the responsibilities of the employee
- An understanding of the consequences that non-compliance will bring
- Employees are expected to undergo GDPR training to ensure long-term compliance
- Explain the role of the Data Protection Officer (DPO)
- Describe clearly the employer’s systems for detecting, reporting and investigating any personal data breaches
- Share the fact that all procedures will be intricately documented
- Highlight the process by which employees can withdraw their consent
- Provide details on the required timeframe for responding to data subject access requests ‘without undue delay’ and within one month
- Clearly reveal the process by which international transfer of data will take place, such as how and when this occurs and the safeguards in place to protect against breaches.