EU General Data Protection Regulation from May 25, 2018
The new EU General Data Protection Regulation (GDPR) has been in force since May 25, 2018. Every company that collects and stores data must adapt its entire data management system accordingly. This is less about the content of data protection requirements and more about increasing awareness of how data is handled. The focus is on personal data.
What is personal data in the employment relationship?
The GDPR defines personal data as any information relating to an identified or identifiable natural person. Employers are not required to obtain separate consent from their employees for the data they need to establish the employment relationship in the first place and to fulfill their legal obligations. The personal data that a company may collect, use and store includes the data that companies need to fulfill their obligations as an employer towards employees. For example, account numbers, health insurance, marital status, etc. are required for the recruitment of an employee and the payment of wages, including the payment of ancillary wage costs. The recorded working hours are particularly important for payroll accounting. Therefore, although working hours also belong to the category of personal data, the recording of working hours is also one of the employer’s obligations.
The two-page overview of the BayLDA can be downloaded as a PDF.
Data protection when recording working hours: what employers need to consider
Data is collected during working time recording and access control. Employers must therefore also comply with the provisions of the Federal Data Protection Act (BDSG) and the state data protection laws as well as the telecommunications laws.
Section 32 BDSG is particularly important
According to this, employers may only collect, process and use employee data if this is necessary for the recruitment decision, implementation or termination of the employment relationship. In conjunction with the principle of data minimization, this means that only absolutely necessary data may be collected and stored. Data that is no longer required must be deleted immediately.