New guidelines on data protection in employment relationships
The Data Protection Agency has issued revised guidelines on data protection in employment relationships
The Data Protection Agency recently revised its guidelines on data protection in employment relationships on the basis of, among other things, collection of input from a wide range of stakeholders and consultations by the Ministry of Justice as well as recent decisions by the Agency. Some of the changes and clarifications are described below.
Consent as legal basis for processing
As a new element, it is stated in the revised guidelines that consent in employment relationships will rarely meet the condition of validity of being freely given due to the unequal relationship which typically exists between an employer and employee. Even though it cannot be excluded that the processing of personal data in an employment relationship can take place on the basis of the employee’s consent, the employer must consider whether consent is an appropriate basis for processing. This also applies to recruitment processes.
The guidelines now specify when the data protection rules apply in the context of exchanging employment references. Electronic exchange of references will automatically be covered by the rules, while verbal exchange of references will generally only be covered if the information is or will be stored electronically.
With regard to the collection of references, this means that the data protection rules apply if the information is registered electronically, or if the information is intended to be registered electronically.
As mentioned above, consent can no longer, at least in principle, constitute a legal basis for the collection or disclosure of references.
When obtaining references, the legal basis will instead have to be found in article 6(1)(e) of the GDPR concerning exercise of official authority by public employers, or the “balancing of interests” rule in article 6(1)(f) by private employers. The legal basis for processing in relation to disclosure of references will, for public as well as private employers, be the balancing of interests under article 6(1)(f).
As a novelty, it is also stated in the revised guidelines that – as a general rule – special categories of personal data can no longer be disclosed when references are exchanged.
The guidelines further specify that hiring employers – in order to ensure predictability and transparency – should inform candidates that references will be collected, from whom and when, and ensure that the candidates agree to this. The employer providing the reference can, as a general rule, assume that the candidate agrees to the reference being obtained.
Employers’ right to collect criminal records and statements of no previous convictions in respect of children (”børneattester”) is described in detail in the revised guidelines. Among other things, it is clarified that it will not be in accordance with the data protection rules to collect criminal records of candidates as a matter of standard, as it depends on a specific assessment in the individual employment situation or in connection with recruitment for a specific job category whether the collection will be objective and proportionate.
It is specified that the recruitment process must be sufficiently advanced so as to consider the candidate for the position.
It is also stated in the guidelines that employers may collect criminal records of employees on an ongoing basis. This is essentially the same right as when obtaining criminal records of candidates. However, employers can always obtain criminal records or statements of no previous convictions in respect of children if so required by law.
Employee photos etc.
According to the revised guidelines, employee photos may be published based on the balancing of interests in article 6(1)(e) (for public employers) or article 6(1)(f) (for private employers) of the GDPR when it is necessary for the purposes of the position or the work functions to be performed by the employee.
In other situations, the employer must ensure that the employee agrees – in the form of consent – to the publication of photos or videos featuring them. However, in case of videos that are costly to produce, such as marketing videos, the employer will not be able to base the processing of personal data on consent.
Information on the employee’s name, areas of work, contact details and products of professional content, such as webinars, can, however, be published by the employer based on article 6(1)(e) or (f).
Norrbom Vinding notes
- that it is advisable for employers to review their data protection policies etc. in order to ensure that the contents, including the legal bases for processing, are in accordance with the revised guidelines of the Data Protection Agency.
The content of the above is not, and should not be a substitute for legal advice.
The bill, which introduces a requirement for registration of working time for each individual employee and provides the opportunity to derogate from the 48-hour rule for certain employees, has been adopted.
Ius Laboris recently received the prestigious Global Network of the Year award at The Lawyer European Awards 2023.
The long-awaited bill, which introduces a requirement for registration of working time for each individual employee and provides the opportunity to derogate from the 48-hour rule for certain employee groups, has been submitted to the Parliament. The effective date has been postponed to 1 July 2024.
In a new article, Ius Laboris takes a closer look at the issue of whether employers can monitor employees’ social media posts.
On the first Tuesday of October, the parliamentary year kicked off and, as usual, the Government announced its legislative programme for the parliamentary year 2023/2024.
The opportunities associated with AI are immense, but right now it is necessary to address a number of concerns about the use and potential of AI in the workplace.