Employee data protection plays a major role in companies. Since the General Data Protection Regulation (GDPR) at the latest, but already under the Federal Data Protection Act (BDSG), employee data has had to be protected in line with specific rules. This article explains what rights employees have and how employers can comply with them.
The rights of employees in data protection
In addition to the BDSG, the GDPR also stipulates how data is to be handled. Employee data protection is largely regulated in the BDSG, and the provisions of the GDPR supplement it. Employee data enjoys the same right to protection as the data of any other person. In a company, it is impossible to prevent data from being collected and processed; this starts with the application documents. Data protection for employee data is essentially about transparent information on how the data is processed and used. In addition, this data should of course be stored in such a way that not everyone has access to it. It is important to note that only the data that is really necessary for the employment relationship should be collected. Employers should play with an open hand and inform employees directly about:
- which data is collected
- the purpose for which this data is collected
- under which circumstances this data will be deleted
Written consent must always be obtained from employees for the collection of data.
This data is processed by employers
Employers may collect and process the following data without running into problems with employee data protection:
- General personal data (name, address, date of birth)
- Account details
- Social security and health insurance number
- Tax ID
- Religion
The purposes for which this data is used are clear: registration for insurance, salary payment, payroll accounting and church tax. The following data may not be collected as it does not serve any purpose related to the employment relationship or may even have a discriminatory background:
- Racial or ethnic origin
- Political attitude
- Health data
- Sexual orientation
- Genetic or biometric data
However, biometric data may be requested for access control purposes, for example where areas of a company can only be accessed with a fingerprint; the employee’s consent must be obtained for this. Health data is permitted in some sectors, but there must be a justification for collecting it. If you are allergic to animal hair, a job in a veterinary practice simply doesn’t make much sense. Furthermore, the collection of personal data such as chat histories or e-mail traffic is not legal. The same applies to monitoring internet usage. The principle of collecting only the data that is necessary for the purpose applies here, and this does not include the sites the employee visits or the conversations in chats. In general, you can simply remember: private data has no place here.
What happens in the event of a data breach?
A data breach is not the end of the world. What matters is how serious the breach is and how it occurred. In principle, serious data breaches must be reported to the supervisory authority within 72 hours, and the affected employee should also be informed. It is important to be able to prove that the breach occurred even though the data protection regulations were adhered to. If the breach was willful, a fine may be imposed. If the employee suffers damage, for example in the form of damage to reputation, discrimination or psychological stress, a claim for damages may also follow.
Conclusion
Employee data protection is a serious issue and can be expensive if breached. Fortunately, it is not very difficult to comply with the regulations. Careful handling of personal data and limiting it to the necessary information ensures order and low risk.