Labor law

What employers do to comply with GDPR

GDPR for employers, here's how to comply with the rules

Data protection regulations in Sweden

There are several reasons why employers should get GDPR compliance right. First, the fines can be high, but above all it is unwise to give employees a hold over their employer by not following the rules. The Data Protection Regulation consists of 99 articles and 173 recitals, so data protection work can be done very extensively and this text cannot be exhaustive. But with this guide, which you can read in 10 minutes, you will do better than most.

The Data Protection Regulation was adopted in 2016 by the European Parliament and the Council of the European Union and applies throughout the EU. It has applied since 25 May 2018. In Sweden it is applied, together with the supplementary Swedish Data Protection Act (2018:218), to all processing of personal data. Several laws regulate the processing of personal data, but for employers' processing of employees' personal data it is primarily the Data Protection Regulation, also known as the GDPR (General Data Protection Regulation), that applies. In principle the same rules apply to employers as to any other organisation, for example a company without employees, with some exceptions. IMY (Integritetsskyddsmyndigheten, the Swedish Authority for Privacy Protection) is responsible for supervising compliance with the Data Protection Regulation and receives complaints from the public.

What is personal data?

Any information relating to an identified or identifiable living natural person is personal data and is covered by the General Data Protection Regulation. Individual pieces of information that can be linked to a person, directly or in combination with other data, are also personal data: for example photographs, personal identity numbers, registration numbers of cars owned by individuals, video recordings, IP addresses and telephone numbers.

Employer's responsibilities

The Eight Principles

There are a number of principles that employers should treat as golden rules in their processing of personal data: lawfulness, accuracy, transparency, purpose limitation, data minimisation, storage limitation, integrity and confidentiality, and accountability (Article 5 of the GDPR also names fairness alongside lawfulness and transparency). These principles are explained in many places, but in short: personal data may only be processed with a legal basis, one of which is the employment contract; the data must be accurate; the processing must be open and transparent towards the employee; the data may only be used for the purposes for which it was collected; the personal data processed must be limited to what is necessary for the purpose; it must not be kept longer than the purpose requires; the data must be protected against unauthorised access, loss and alteration; and the data controller, usually the employer, is responsible for compliance with the rules and must be able to demonstrate it.

Data Protection by Design Plan

Furthermore, the employer needs to consider how to apply data protection by design and by default in its operations, that is, appropriate technical and organisational measures that support the principles, such as pseudonymisation and limiting access to what each role actually needs.

When you type your personal identity number on the screen at the dentist, the last four digits are usually shown as squares or asterisks. This is a simple example of an operator that has thought about built-in data protection: the number is still usable for look-up, but it is not displayed in full to bystanders.
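The masking at the dentist and the pseudonymisation mentioned above are two different measures, and it helps to see them side by side. The following Python block is an added example written for this text, not code from the original page or from any particular HR or dental system. It shows display masking of a Swedish personal identity number, a format and check-digit validation (the check digit is a Luhn digit over the first nine digits), and a keyed pseudonym using HMAC-SHA256. The sample numbers and the key are constructed for the example and belong to no real person; the function names are the example's own.

```python
import hmac
import hashlib
import re

# Constructed sample data for this example only; not real people.
SAMPLE_VALID = "811218-9876"
SAMPLE_BAD_CHECK_DIGIT = "811218-9877"

# Constructed key. In a real deployment it lives in a secrets store, not in the
# database that holds the pseudonyms: the key is the "additional information"
# that GDPR Article 4(5) requires to be kept separately.
PSEUDONYM_KEY = bytes.fromhex("5d41402abc4b2a76b9719d911017c592")

PNR_RE = re.compile(r"^(\d{6})-?(\d{4})$")


def normalize(pnr: str) -> str:
    """Return the 10-digit form YYMMDDNNNC without separator, or raise ValueError."""
    m = PNR_RE.match(pnr.strip())
    if not m:
        raise ValueError("unexpected personal identity number format")
    return m.group(1) + m.group(2)


def luhn_valid(pnr: str) -> bool:
    """Validate the check digit: Luhn over the first nine digits (weights 2,1,2,1,...)."""
    digits = [int(c) for c in normalize(pnr)]
    total = 0
    for i, d in enumerate(digits[:9]):
        prod = d * (2 if i % 2 == 0 else 1)
        total += prod // 10 + prod % 10  # digit sum of the product, e.g. 16 -> 7
    return (10 - total % 10) % 10 == digits[9]


def mask(pnr: str) -> str:
    """Display form for screens and printouts: keep the date part, hide the last four digits."""
    n = normalize(pnr)
    return f"{n[:6]}-XXXX"


def pseudonymize(pnr: str, key: bytes) -> str:
    """Deterministic keyed pseudonym so records about the same person can still be
    joined across systems. A plain SHA-256 would not do: the space of valid
    personal identity numbers is small enough to enumerate and reverse the hash,
    so without a secret key this would not count as pseudonymisation."""
    return hmac.new(key, normalize(pnr).encode("ascii"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    for sample in (SAMPLE_VALID, SAMPLE_BAD_CHECK_DIGIT):
        print(sample, "valid" if luhn_valid(sample) else "INVALID check digit")
    print("masked:    ", mask(SAMPLE_VALID))
    print("pseudonym: ", pseudonymize(SAMPLE_VALID, PSEUDONYM_KEY))
```

The masking is a presentation measure only; the full number is still stored. The pseudonym removes the identifier from the stored record, but it is reversible for anyone holding the key, which is why the key, not the pseudonym table, is what has to be locked down. Rotating the key breaks the join between old and new pseudonyms, so plan for that before using it as a database key.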

Establish data processing agreements with your suppliers

The employer must enter into data processing agreements (Article 28) with the companies that process employees' personal data on the employer's behalf, such as an accounting or payroll firm. The agreement is required where the supplier acts as a processor following the employer's instructions. A recipient that decides its own purposes, as an occupational health service often does for its medical records, is a controller in its own right; that sharing must then have its own legal basis and be covered by the information given to employees.

Records of processing activities

A record of how the employer processes personal data must be kept (Article 30). IMY must be able to see it on request. The record should include the employer's name and contact details, the categories of data processed, the purposes of the processing, the categories of recipients, the planned retention periods and a general description of the security measures, etc.

Data protection plan

The employer must have a structure and a plan for how it works with the security of the personal data it stores: for example who has access to HR and payroll systems, how backups are protected, and how access is removed when someone leaves.

Obligation to report incidents

If a personal data breach occurs, for example a computer holding employee data is stolen, the employer must notify IMY without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the employees' rights and freedoms. If the risk is high, the affected employees must also be informed. Whether a stolen computer is a notifiable breach depends on, among other things, whether the disk was encrypted and whether the data can be restored from backup, so the employer needs a procedure for making and documenting that assessment quickly. Breaches that are not notified must still be documented internally.

High-risk impact assessments

The employer needs to carry out a data protection impact assessment (DPIA) and document it if the processing is likely to result in a high risk to the employees, for example systematic monitoring or large-scale processing of sensitive data. If the assessment shows that the high risk cannot be brought down by the planned measures, the employer must consult IMY before starting the processing.

Obligation to appoint a data protection officer for certain processing operations

There are mainly three situations that require the employer to appoint a data protection officer: if the employer is a public authority or body; if the employer's core activities, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or if the employer's core activities consist of large-scale processing of sensitive personal data (special categories) or data relating to criminal convictions.

The nine fundamental rights of the employee

Information about treatment and incidents

When the employee starts work, they have the right to receive information about how the employer will use their personal data. This is what the personal data policy (privacy notice) is for. What the information must include is set out in Article 13 of the Data Protection Regulation. If the employer obtains the employee's data from someone other than the employee, for example a recruitment agency, the employee also has the right to receive this information, the content of which is set out in Article 14.

Access

The employee has the right to find out what personal data the employer processes, a so-called register extract. In addition to the personal data itself, the employee must be told what it is used for, how long it will be kept, where it comes from, whether it is shared with anyone else, for example an accounting firm, whether it is used for automated decision-making or profiling, etc. This right is not absolute, however. The employer may refuse requests that are manifestly unfounded or excessive, for example because they are repeated very frequently, or limit the extract where it would adversely affect the rights and freedoms of others. That should be rare in a normal workplace, but such situations do exist, for example to protect whistleblowers.

Rectification (amendment)

If the personal data is incorrect, the employee has the right to have it corrected, and also to have incomplete data supplemented, taking into account the purposes of the processing.

Deletion (right to be forgotten)

Several conditions must be met for an employee to have the right to have their data deleted. This may be the case, for example, when the employment has ended and the employer's original purpose for the processing is no longer relevant. However, the end of the employment does not mean that everything must be deleted; the employer may still need some of the data, for example to administer pensions and to retain the employment contract. The right to erasure applies only to data for which no purpose or legal obligation to retain it remains.

Limitation of processing

Restriction means that the data is kept but may only be processed for limited purposes, for example while the accuracy of the data is being checked after the employee has asked for a correction, or instead of deletion when the employee needs the data for a legal claim.

Data portability (the employer passing the data on)

If, for example, the employee changes jobs, the employer is obliged at the employee's request to hand over the employee's personal data in a structured, commonly used and machine-readable format, or to transmit it directly to the new employer where technically feasible. This only applies to data that the employee has provided to the employer and that is processed by automated means on the basis of the employment contract or consent.

Objection

For most of the data that the employer processes, the legal basis is the employment contract. Where the employer instead relies on legitimate interests (a balancing of interests) for certain other processing, the employee has the right to object to that processing. The employer must then demonstrate compelling legitimate grounds that override the employee's interests, rights and freedoms; otherwise the processing must cease.

Automated decisions

Decisions based solely on automated processing, including profiling, that have legal or similarly significant effects for the employee should in the vast majority of cases not occur in the employment relationship. One example that does occur is when an employee has saved more vacation days than is permitted and the excess days are automatically paid out by the payroll system. Such a decision is allowed by the exception for processing that is necessary for the performance of a contract, in this case the employment contract.

Control of IT systems, camera surveillance and GPS tracking of company cars

There is a specific part of employment law on employee privacy that is linked to the GDPR. It is in the nature of things that employers sometimes need to monitor the workplace and its employees. The purpose is rarely to check that employees behave; more often there are legitimate reasons such as safety, the work environment, or compliance with other laws and regulations, such as GPS in company cars in the form of electronic driving logs. What is important to keep in mind is that log data, camera footage and location data are also personal data covered by the rules: the employer needs a legal basis, must inform the employees, and systematic monitoring of employees is a typical trigger for the impact assessment described above.

Specific GDPR rules for employer whistleblower handling

The Whistleblower Act (2021:890) contains specific rules on the handling of personal data. What stands out is that only those who are authorised to receive, follow up and give feedback on reports may have access to the personal data being processed, and each such person's access should be limited to what they need to carry out their duties. The information may be kept for a maximum of two years after the matter has been concluded.

Data protection rules in collective agreements

Collective agreements, both central and local, may contain rules on the processing of personal data.

Does it feel big? Start with the privacy policy

Drawing up a personal data policy is what I recommend smaller employers start with. It is your outward face in data protection matters and the first thing an outsider notices when judging whether you have given any thought to the processing of personal data. The second step is to document all your considerations: under the principle of accountability it is the employer's responsibility to be able to show IMY that it complies with the GDPR.

Good luck, and don't forget to get in touch if you have any questions.

Kind regards,


Christoffer Lewinowitz
Employer lawyer

With us, the first call is free!

We believe it should be easy for employers and managers to do the right thing. Asking for help must be a short step, which is why an initial consultation with us is always free. You will hear from us within 24 hours.

Security agreement for employers...

The subscription includes:

  • Unlimited legal advice with an employment lawyer over the phone
  • Representation in negotiations with unions and employees
  • Court representation in case of a lawsuit against you
  • Leadership Coaching
  • Legal Contract Templates
  • HR Policy Templates
  • Advice on the application of any collective agreements
  • Employment Law Risk Assessment
  • Whistleblower system management for employers
  • Legal Courses and Compliance Guides

A good complement to the company's legal expenses insurance, since labour disputes are usually excluded from business insurance. For terms and conditions, application form and price list, click here.