
The General Data Protection Regulation (GDPR) and French social law


The General Data Protection Regulation (GDPR) became applicable on May 25th, 2018, to better regulate and strengthen the processing of personal data. The regulation sets new standards for how personal data about individuals is processed. This article outlines the implications for human resources (HR) departments.

I. The GDPR definition and its impact on social law

The GDPR builds on the French “Informatique et Libertés” law (Information Technology and Civil Liberties) of 1978, as amended by the law of June 20th, 2018 on the protection of personal data, which sets the rules for collecting and using personal data in France. The GDPR was designed around three main goals:

  • Strengthen individuals’ rights
  • Make the actors that process personal data accountable
  • Increase the credibility of regulation through closer cooperation between data protection authorities.

The GDPR applies to any private or public organization that collects and/or processes personal data, regardless of its sector of activity and size. It applies to all organizations established in an EU Member State, but also to organizations established outside the EU whose activities directly target individuals in the EU. Note that the GDPR also binds processors (“subcontractors” in French practice), i.e. entities that process and/or collect personal data on behalf of another entity.

Personal data definition

Personal data means any information that makes it possible to identify an individual, directly (first and last name, etc.) or indirectly (customer number, phone number, social security ID, biometric data, etc.).

Impact of GDPR on social law

In employment (social) law, the collection of data about employees by the employer is routine. It begins at the recruitment stage, continues when the employee is hired, and goes on for the whole duration of the employment contract and throughout the employee’s career (social security declarations, tax declarations, various correspondence, etc.). The GDPR applies to all employees located in the EU, whatever their nationality.

II. Risks for the employer

Employment case law on personal data protection has developed considerably. Many employees no longer hesitate to invoke data protection provisions when they are subject to, for example, a disciplinary sanction or a dismissal, in order to dispute the decision taken against them.

Since the GDPR took effect, the French supervisory authority (the CNIL) can impose fines of several million euros on a data controller (up to 20 million euros or 4% of worldwide annual turnover, whichever is higher), for instance on an employer that does not comply with the provisions of the GDPR.

The main points to which an employer must pay attention

Previously, before setting up a data processing operation, the employer had to file a prior declaration with the CNIL. This obligation has been abolished (with exceptions for certain sensitive data).

The law of June 20th, 2018 recalls that some categories of data may, in principle, not be collected at all (data revealing ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, biometric or genetic data, and data concerning health or sexual orientation), except in the cases expressly provided for by law.

As regards biometric data, the employer may only collect what is strictly necessary to control access to the workplace and to the devices that employees use for their work.

In addition, the employer must define a retention period for the data (it is recommended to keep CCTV footage for no more than one month, and information related to payroll and working hours for five years). In practice, the limitation periods for legal claims must also be taken into account, so that the employer can exercise its rights of defense after the employment contract has ended.

The employer must ensure that its processors (payroll service providers, for instance) handle the data in compliance with the GDPR, which in practice means a written contract setting out the processor’s obligations (Art. 28 of the GDPR). The employer, as data controller, is also required to notify personal data breaches to the CNIL, where feasible within 72 hours of becoming aware of them (Art. 33), and to inform the affected employees when the breach is likely to result in a high risk to them (Art. 34).

Other risks that may arise from a breach in compliance with GDPR rules

A security breach in which the personal data of employees (or customers) is compromised also exposes the data controller to a finding of non-compliance. Added to this is the reputational risk if it becomes known that an employer does not respect the privacy of its employees.

III. Obligations in terms of Labor law

Information and consent of employees

Employees and job applicants must be informed of the data being collected and of the purposes for which it is collected, for instance by means of an information notice. Where the data is strictly necessary for payroll and HR management, in accordance with the law and the legitimate interests of the employer, the express consent of the employee is not required. Consent should not be relied on where another legal basis exists: given the imbalance between employer and employee, it is rarely considered to be freely given.

Minimization of personal data collected

The data collected by the employer must be kept to a strict minimum and their processing proportionate to the purpose of their collection.

For example, during the recruitment process, the data collected must be limited to what is necessary to assess the candidate’s suitability for the open position. An application form may not, for instance, ask about a candidate’s marital status or number of children.

Special terms and conditions are provided for positions where an extract of the criminal record is required. In this case, the employer is prohibited from keeping the extract or notes relating to it.

Guarantee of security and confidentiality on the collected personal data

The data controller must determine and implement the technical and organizational measures necessary to ensure the confidentiality (as well as the integrity and availability) of employees’ personal data, so as to avoid any unauthorized disclosure or leak (Art. 32 of the GDPR).

Beyond the technical measures protecting the physical security of the premises, servers and computer devices, the employer must define who within the company will have access to employee data, and to which data. In practice, a distinction is usually made between the person in charge of recruitment, the person who manages payroll and the person who processes occupational health data. These employees must not have access to the same personal data: it is up to the employer to define clearly which people may access which data, to grant access accordingly, and to be able to demonstrate it.
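One way to implement and audit this segregation of access is to classify each field of the employee record into a data category and let each HR role read only its own categories, with every access written to a log. The following is an added example and is not code from the original article; the three roles, the field names and the field-to-category mapping are assumptions made for illustration (in a real deployment they would come from the Article 30 record of processing), and the sample record is constructed, fictitious data.

```python
"""Per-role access to employee data: an added example, not code from the article.

Assumptions (illustrative only): three HR roles and the field-to-category mapping
below. In a real deployment both would come from the Article 30 record of processing.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Each field of an employee record belongs to exactly one data category.
FIELD_CATEGORY: Dict[str, str] = {
    "name": "identity",
    "work_email": "identity",
    "cv": "recruitment",
    "interview_notes": "recruitment",
    "iban": "payroll",
    "gross_salary": "payroll",
    "hours_worked": "payroll",
    "medical_fitness": "health",
    "sick_leave_reason": "health",
}

# Categories each role may read. Identity is shared; every other category is
# reachable from a single role, so the recruiter never sees pay or health data.
ROLE_CATEGORIES: Dict[str, FrozenSet[str]] = {
    "recruiter": frozenset({"identity", "recruitment"}),
    "payroll": frozenset({"identity", "payroll"}),
    "occupational_health": frozenset({"identity", "health"}),
}


@dataclass
class AccessLog:
    """Minimal audit trail: one entry per view, with granted and denied fields."""
    entries: List[dict] = field(default_factory=list)


def view_record(role: str, user: str, employee_id: str,
                record: Dict[str, object], log: AccessLog) -> Dict[str, object]:
    """Return only the fields `role` may see. Unknown roles and unclassified
    fields are denied (default deny), and the decision is written to the log."""
    allowed = ROLE_CATEGORIES.get(role, frozenset())
    granted: Dict[str, object] = {}
    denied: List[str] = []
    for name, value in record.items():
        category = FIELD_CATEGORY.get(name)       # None -> unclassified -> denied
        if category is not None and category in allowed:
            granted[name] = value
        else:
            denied.append(name)
    log.entries.append({"user": user, "role": role, "employee": employee_id,
                        "granted": sorted(granted), "denied": sorted(denied)})
    return granted


def roles_with_access(category: str) -> List[str]:
    """Audit helper: which roles can reach a category? For 'health' or 'payroll'
    the answer should be exactly one role."""
    return sorted(r for r, cats in ROLE_CATEGORIES.items() if category in cats)


def segregation_violations() -> List[Tuple[str, List[str]]]:
    """Categories other than 'identity' that more than one role can read."""
    categories = set(FIELD_CATEGORY.values()) - {"identity"}
    return [(c, roles_with_access(c)) for c in sorted(categories)
            if len(roles_with_access(c)) > 1]


# Constructed sample record (fictitious data), including one field nobody classified.
SAMPLE_RECORD = {
    "name": "A. Dupont", "work_email": "a.dupont@example.invalid",
    "cv": "cv.pdf", "interview_notes": "strong on payroll systems",
    "iban": "FR76 0000 0000 0000 0000 0000 000", "gross_salary": 3200,
    "hours_worked": 151.67, "medical_fitness": "fit", "sick_leave_reason": "sample",
    "home_address": "12 rue Exemple",   # unclassified -> denied to every role
}

if __name__ == "__main__":
    log = AccessLog()
    print(view_record("payroll", "bob", "E001", SAMPLE_RECORD, log))
    print(view_record("occupational_health", "dr.k", "E001", SAMPLE_RECORD, log))
    print(view_record("intern", "x", "E001", SAMPLE_RECORD, log))   # unknown role -> {}
    print("health readable by:", roles_with_access("health"))
    print("segregation violations:", segregation_violations())
```

The default-deny behavior matters as much as the mapping itself: a field that is added to the HR system without being classified stays invisible to everyone until someone decides which category it belongs to, and the log records who looked at what, which is the evidence the employer needs when an access decision is challenged.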

Retention of personal data of employees

The personal data of employees can only be kept for the necessary period (Art. 5 of the GDPR).

As previously mentioned, the employer must define a retention period for the data collected. It is recommended to keep CCTV footage for no more than one (1) month and information related to payroll and working hours for five (5) years.
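A retention schedule is only useful if something enforces it, and enforcement has to respect the caveat made above: records needed for the employer’s defense in a pending dispute must not be erased when their normal period runs out. The following added example (not code from the original article) computes, for a set of records, which ones are due for erasure, which ones are kept under a legal hold, and which ones have no retention period defined at all. The periods are those cited in the text (one month for CCTV footage, five years for payroll and working-time records); the record layout, category names, the representation of a legal hold as a set of employee identifiers, and the sample records are assumptions and constructed data for this illustration.

```python
"""Retention schedule with legal hold: an added example, not code from the article.

The periods (CCTV footage one month, payroll and working-time records five years)
are the ones cited in the text; the record layout, category names and the way a
legal hold is represented are assumptions made for this illustration.
"""
import calendar
import datetime as dt
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str       # e.g. "cctv", "payroll", "working_hours"
    employee_id: str    # "-" for records not tied to one employee
    created: dt.date    # creation date (for payroll: the pay period it relates to)


# Retention in calendar months, per category. Anything not listed has no schedule.
RETENTION_MONTHS: Dict[str, int] = {
    "cctv": 1,
    "payroll": 60,
    "working_hours": 60,
}


def add_months(day: dt.date, months: int) -> dt.date:
    """Calendar-month arithmetic that clamps to the last day of the target month,
    so 31 January + 1 month is 28/29 February rather than an invalid date."""
    total = day.month - 1 + months
    year, month = day.year + total // 12, total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return day.replace(year=year, month=month, day=min(day.day, last_day))


def expiry_date(rec: Record) -> Optional[dt.date]:
    """Date from which the record must be erased; None if no schedule is defined."""
    months = RETENTION_MONTHS.get(rec.category)
    return None if months is None else add_months(rec.created, months)


def plan_erasure(records: List[Record], today: dt.date,
                 legal_holds: Set[str]) -> Tuple[List[str], List[str], List[str]]:
    """Split records into (erase, held, unscheduled).

    erase:       past expiry and the employee is not under legal hold.
    held:        past expiry, but the employee is party to a pending dispute, so the
                 data is kept for the employer's defense (the caveat made in the text).
    unscheduled: the category has no retention period; never deleted silently,
                 flagged so that a period gets defined.
    """
    erase, held, unscheduled = [], [], []
    for rec in records:
        exp = expiry_date(rec)
        if exp is None:
            unscheduled.append(rec.record_id)
        elif today < exp:
            continue                          # still within its retention period
        elif rec.employee_id in legal_holds:
            held.append(rec.record_id)
        else:
            erase.append(rec.record_id)
    return erase, held, unscheduled


# Constructed sample data (fictitious).
TODAY = dt.date(2024, 6, 15)
SAMPLE_RECORDS = [
    Record("cam-01", "cctv", "-", dt.date(2024, 5, 1)),              # expired 2024-06-01
    Record("cam-02", "cctv", "-", dt.date(2024, 5, 20)),             # expires 2024-06-20
    Record("pay-E1", "payroll", "E1", dt.date(2019, 3, 31)),         # expired 2024-03-31
    Record("pay-E2", "payroll", "E2", dt.date(2019, 1, 31)),         # expired, E2 on hold
    Record("hrs-E3", "working_hours", "E3", dt.date(2020, 6, 30)),   # expires 2025-06-30
    Record("badge-E1", "badge_logs", "E1", dt.date(2018, 1, 1)),     # no schedule defined
]
LEGAL_HOLDS = {"E2"}   # employee E2 has a pending case before the labor court

if __name__ == "__main__":
    erase, held, unscheduled = plan_erasure(SAMPLE_RECORDS, TODAY, LEGAL_HOLDS)
    print("erase:", erase)
    print("held (legal hold):", held)
    print("unscheduled (define a retention period):", unscheduled)
```

Two design choices are worth noting. Retention is expressed in calendar months rather than a fixed number of days, so “one month” and “five years” mean what the schedule says, including at month ends. And a record whose category has no defined period is neither kept forever nor purged: it is reported separately, because an undefined period is a gap in the Article 30 record that someone has to close.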

Keeping a processing record

The record is provided for by Article 30 of the GDPR. This document must reflect the reality of the processing of personal data and make it possible to identify precisely:

  • The parties involved in the processing (representative, processors, joint controllers, etc.)
  • The categories of data processed
  • The purposes for which the data is used
  • Who has been granted access to the data (recipients)
  • The security measures in place

This record must be updated on an on-going basis, and especially after a change in procedure in the collection, processing, or storage of data.

Exemption for companies with fewer than 250 employees:

These companies benefit from an exemption regarding those kinds of records. They must register only the following data processing operations in the record:

  • Non-occasional processing (example: payroll management)
  • Processing which are likely to entail a risk for the rights and freedoms of any individuals (example: geolocation systems, video surveillance, etc.)
  • Processing of sensitive data (example: health data, offences, etc.)

In practice, this derogation is therefore limited to very specific cases of processing, implemented on an occasional and non-routine basis. If in doubt about the application of this derogation to a processing operation, the CNIL recommends including it in this record.

Practice of “Privacy by Design”

This approach aims to build data protection into the technical design of IT tools from the outset, and by default (Art. 25 of the GDPR), supported by training and staff awareness measures.

IV. Employees’ rights

Right to access personal data

Information on the collection, processing and use of personal data is provided individually to employees and collectively to the employee representative bodies. Employees have the right to access their own personal data and, in some cases, to request its erasure.

Employees must be informed in writing of their rights of access to, and erasure of, the personal data held about them internally.

The GDPR also grants employees further rights, such as the right to data portability and the right to erasure (“right to be forgotten”). Employees may contact their HR department to exercise the rights they hold over their personal data. Requests must be answered within one (1) month; this period may be extended by two further months for complex or numerous requests, provided the employee is informed of the extension within the first month.

The whole team at French Business Advice is at your disposal, so do not hesitate to contact us!
