The Danish Data Protection Agency is to investigate how public and private bodies treat employee data, particularly in relation to (i) deletion of information collected in connection with recruitment and (ii) control measures.
The Danish Data Protection Agency (Datatilsynet) has just issued a notice that the processing of personal data in employment relationships is one of the areas that will be focused on in connection with inspections to be made by the agency in the second half of 2019. The inspections will take place in a wide range of organizations, including the private sector, municipalities, state bodies and charities.
As the central authority in the field of data protection, Datatilsynet supervises compliance with the rules on data protection. In this connection, Datatilsynet regularly carries out various types of supervision among public bodies and private companies, which can be both planned or ad hoc supervision, and which is carried out as a result of specific events.
Twice a year Datatilsynet selects which areas will be focused on, and the Authority has now chosen that the processing of personal data in employment conditions should be a focus area for the second half of 2019. The issues that the Authority will focus on are: (i) deletion of information collected in connection with recruitment and (ii) control measures.
Accordingly, it is recommended that all companies have a recruitment policy which includes, amongst other things, guidelines for handling applications received (both applications sent on the basis of a vacancy notice and unsolicited applications), sharing of applications internally within the company, reference taking and submission of references and deletion of applications. In addition, it is recommended that on the organisation’s website and in the individual job advertisements, the applicants should be informed about the processing of personal data that will be carried out in the recruitment process, including which information the company does not want to receive from the applicants. For example, potential applicants can be informed that the organization specifically does not want to receive information about an applicant that is not relevant to the recruitment, for instance including religion, marital status and CPR numbers.
It is also a requirement that the company inform the current employees about how their personal data is treated. This also applies if the company has initiated control measures in the form of video surveillance, review of emails or the like. The disclosure obligation under Articles 13 and 14 of the General Data Protection Regulation (GDPR) is not conditioned on the employee requesting information on a given treatment. This means that the company must inform the employee about the treatment, regardless of the fact that an employee may not have directly enquired.
Therefore, if an organization does choose to process employees’ personal data, for instance with the use of internal control measures, the organization must first be award that the employee must be informed, including as to the purpose of this processing of data.
Mette Klingsten Law Firm assists companies in data protection cases, and in addition offers a document package that includes a recruitment and deletion policy which is adapted to the nuances and requirements of the individual company. Any organization can contact Mette Klingsten Law Firm for more information about advice on data protection law, including our data protection document package.