All these privacy policies, notices and declarations popping up all over the Internet trick our mind into thinking that GDPR concerns only the relations between businesses and their customers. A major group of data subjects often drops out of the GDPR equation despite its importance – employees.


Remember employees are also data subjects in the sense of GDPR

It is important to keep in mind that employees are also data subjects. Processing of their personal data deserves the same or an even higher level of transparency and care.

Employees’ personal information often falls within the scope of the so-called “special categories of data” (Art. 9 GDPR), which shall be handled responsibly and with strict and reliable data security measures.

In the text below you can find some really useful guidelines on how to handle personal data related to recruiting or employment relations:


What actions should you undertake in order to collect or use information about job applicants?

  • Identify your organization properly in your recruitment advert – all candidates should know what they are applying for.
  • Do NOT collect more personal information than you need – it is a violation to collect irrelevant or excessive personal information.
  • Secure all the personal information that you collect – prevention is better than the cure.


How should you store your employees’ records?

Consent from your workers is not required to keep their records. However, you need to ensure the perfect balance between the need to keep a record and the due respect for private life. That’s why:

  • Make sure that workers are aware of how the record will be kept and what information will be collected.
  • The information is supposed to be relevant, proper and up-to-date.
  • Bear in mind that those who have the authority to access employment records must handle them with respect.
  • Security is a must – limit access, use strong passwords and keep manual records under lock and key.
  • Disclose personal information only if you are 100% sure that your workers would agree to that.
  • Delete information that you no longer need / no longer have the duty to keep.


What are the rights of your employees under GDPR?

Employees have the same range of data protection rights that any other data subject has under GDPR. Most common requests for exercising data protection rights at the workplace are related to:

  • Employee’s access to his/her personal data upon request
  • Keeping their data accurate and up-to-date
  • Deleting personal information upon their request

Note that any request in relation to the GDPR rights shall be handled in a timely and responsible manner. Neglecting such a request, no matter how unimportant it may seem, is a breach of the data protection rules and may result in complaints before the local supervisory authority.


This publication is written in the context of EU legislation, effective on September 12, 2018. Please note that future amendments in the relevant legislative acts, court decisions or opinions of official authorities or other sources of legal obligations, which become effective after the quoted date, may affect the accuracy of the information above. This is a one-time publication and Prosperamo is not responsible for keeping it up-to-date. For more information – please read the following disclaimer.

