GDPR: how to work with the personal data of your employees, freelancers and European employees of contractors

Published on February 14, 2019

GDPR: how to work with the personal data of your employees, freelancers and European employees of contractors



    The article is a brief squeeze and my interpretation of the provisions of the GDPR Regulations (“Regulations”) in conjunction with Opinion 2/2017 on data processing in labor relations (on data processing at work) of 06/08/2017. It is addressed to companies that have full-fledged offices or remote workers and / or freelancers in EU countries, as well as counterparties (partners) with European employees, whose data you can receive in the process of working on joint projects.

    We analyze the processing of personal data when hiring (recruiting) employees, concluding contracts with freelancers or business partners; monitoring employees in the workplace and remotely, including through automatic data acquisition systems.

    The opinion was adopted earlier than the date of entry into force of the Regulation and is based on Directive 95/46 / EC of October 24, 2005. However, it takes into account the provisions of the GDPR.

    For convenience, and where it does not contradict the context, employees, freelancers and employees of contractors will be collectively referred to as “Employee”.

    Make sure you have a reason to process employee data.


    Processing of personal data of employees is usually carried out on at least one of the following reasons:

    • personal consent;
    • the need to comply with the requirements of the law (as a rule, labor laws or AML / CFT when making payments);
    • the need to fulfill an already concluded contract or the need to conclude a contract, at the request of the owner of personal data;
    • the presence of legitimate interest in your company in such processing.

    Processing on the basis of the prescriptions of the law leave the scope of the article. Also we will not concern personal consent. As already noted in the previous article, Consent to the processing of data on the GDPR: detailed analysis , processing of personal data of employees based on their personal consent is a difficult option. There is always a risk that the consent will be drawn up somewhere incorrectly and it will be recognized as not free, and your company will violate the rules of GDPR.

    In relations with employees, the processing of personal data is more reliable to base on the concluded contracts. If all processing questions are technically difficult or impractical to be fixed in contracts, then you will need to take a responsible approach to justifying your company's legitimate interest in such processing.

    Consider what conditions and how to formulate in employment or commercial contracts, so that they allow you to process personal data in accordance with the GDPR. (Considering that processing on the basis of legitimate interest, like processing on the basis of a contract, also needs to be documented and coincides with the latter in many ways, we will not consider it separately).

    We give the full wording of Article 6 (1) (b) of the Regulations (translated from English): “ processing is necessary to execute a contract to which the data owner is a party, or to take action at the request of the owner of personal data before entering into a contract ”.

    From this formulation follows a number of mandatory elements.

    The need for data under the contract


    According to clause 44 of the Preamble of the Regulations, the processing is legal if necessary in the context of the contract or the intention to conclude it. So, we look at the context of the contract itself. Conclusion 2/2017 recommends in such cases apply the proportionality test ( proportionality test ) to assess whether or not for a legitimate purpose processing needs (for example, to perform or contract), as well as what measures should be taken to reduce the interference in the private life to a minimum.

    The regulation does not decipher what the “proportionality test” includes. Conclusion 2/2017 contains only a reservation that such a test can be part of the DPIA procedure .. In the DPIA procedure itself, the proportionality of processing is described through a variety of criteria that the controller company must follow. In my opinion, the most important ones are:

    • the adequacy of the processed data to processing purposes;
    • the processing goals themselves must be specific and explicit.

    Consequently, the proportionality test implies not only the need to prescribe in the contract itself the obligation to provide some personal data for processing, or to inform the data owner about such a duty before concluding the contract. The contractual obligations of the employee, on the basis of which the data are collected, must directly flow from the nature of his future work or the specifics of the project in which he will be involved. Contractual obligations should provide for the processing of only the minimum necessary personal data with reference to the specific purpose of the processing, which is formulated very clearly and clearly.

    Example A: It is reasonable to require a PR specialist or customer service manager to provide your photo for posting on your company's website. This can be justified by the peculiarities of the work of these employees, when appearance plays a psychological role in promoting the interests of the company, sales growth. On the contrary, it is hardly necessary to demand and transmit to clients (or post in public access) photos of developers who participate in voice meetings, without even including a webcam, and more is never required from them.

    I think it would be disproportionate to formulate in the contract a condition on contact data as follows:

    Example B: “Employee contact details: ... email to send a job offer, employment contract or informational materials / COMPANY /”. The direction of "information materials" is clearly an extra purpose for the execution of an employment contract, and implies the distribution of advertising. However, if you write a little differently: “notifications about changes in working hours, information about days off, etc.”, this will be a clear, specific goal, and the use of email will be adequate to it.

    (Obviously, simply specifying email and then using it to send marketing materials is also unacceptable).

    Example C: Your company works as an agent and promotes the services of the same developers in international markets. Since the placement of the photo is due to the peculiarities of working with customers, the need to evaluate the image / psychological portrait of the developer before making a decision on hiring, the placement of the photo can be justified .

    (Just do not forget to warn the developer about using the photo before entering into a contract with him. It is also recommended that for those developers who do not agree to indicate their profile photo, you still have the opportunity to use the services of your company, even if the hiring efficiency has decreased due to the lack of a photo).

    Example DA: Your employee (for example, a system administrator) works with servers serving large-scale and high-loaded applications. It must be available 24 hours a day (if, of course, you also comply with the labor legislation requirements on appropriate pay for such employees). You can stipulate in the contract a condition on calls to his personal phone number in case of emergency. On the contrary, if an employee is not needed during off-hours, it is better not to use your personal phone number (even if you know it).

    And an example from Conclusion 2/201 7: The delivery company does not have the right to send photos of couriers to buyers (to verify that the courier really is), since there is no need to send photos to the delivery of parcels.
    IMPORTANT! The proportionality test is recommended to apply not only when drawing up contracts, but also processing for any other reason ; for example, when obtaining consent (article 6 (1) (a)) or to achieve the legitimate interests of your company (article 6 (1) (f) of the Regulations).

    Whatever the need for collecting personal data does not arise in your company, always ask yourself the question: do you really need this data? Even if your employee doesn’t seem to object to you. Remember that your employee is initially viewed from the point of view of the GDPR by the vulnerable side of the employment relationship, and his consent is a priori not free. Therefore, the task of ensuring minimal interference with private life (including under contracts with employees) lies with your company, and not with the employee.

    Additionally, I recommend to study the requirements of the regulatory authority for the protection of personal data in the state of your business. For example, in Cyprus, a recently popular relocation site of IT and Fintech businesses from Russia and other CIS countries, the application of the DPIA procedure is mandatory.if systematic monitoring of employee activity is conducted, including monitoring of workplaces, Internet activity or using GPS on employees' vehicles.

    The data owner must be a party to the agreement.


    It would seem that everything is obvious. However, there is one subtle point that few people pay attention to. This is the processing of personal data of your partners' employees (customers, performers, intermediaries, etc.), at which a legal gap arises.

    Your company has no contract with your partners. And even the consent to data processing is most often not possible to request. Yes, such people are employees of your partner (although they may be freelancers and even staff provided by third parties). And it is logical to assume that once they work for him, then within the framework of the contract with your partner, you have already agreed to transfer your data to you. But it is not.

    You do not know how well your partner has prepared all the documents within the framework of the GDPR. Whether the consent of the employee was obtained and given freely, or whether the processing of personal data was agreed upon in the agreement with such employee. I very much doubt that you can fully rely on your partner in this matter. Meanwhile, after receiving the data of its employees, your company at least becomes a processor (processor), i.e. processing personal data for and on behalf of the controller (controller). And in order to avoid liability for violation of the GDPR, your handler should at least act on the basis of your partner’s legal instructions.
    Your company will be a processor only if it, on the basis of a contract with your partner, receives clearly specified personal data of its employees (for example, name and contacts) and uses it only for clearly specified purposes; for example, communication by phone, e-mail or instant messengers during the work on the project. If suddenly you decide to send such employees some kind of marketing newsletter or job offer, then the automatic ones will fall into the “controller” category, with increased responsibility. Since you yourself will begin to determine the goals and ways of processing personal data.

    In such situations, I would recommend including in any contract with your partners a separate clause stating that the counterparty guarantees that he complies with all the rules for handling personal data of his employees or related persons that may be applicable to him at the place of business, including release your company from any claims, lawsuits that may be associated with any violations of the applicable law in transmitting data to you, and guarantees self-reparation for such claims and claims. The classic clause on exemption and damages (indemnity), but only in relation to personal data.

    In practice, as soon as you include a clause in the contract to release you from liability, your partner’s lawyers will most likely want to delete it. How to be?

    Make out the transfer of personal data in accordance with the provisions of the Regulations, and it will be difficult for your partner to disagree with this.

    For processing companies that receive data from their partners (controllers), the Regulations (article 28 (3)) contain mandatory requirements for the content of the contract in terms of the data transferred. In particular, you need to specify which data (categories), for what purposes and for how long are transferred to your company, and much more. If personal data is transferred by your company to the new processor, it is necessary to agree on identical obligations with it.

    If joint work on a project involves the transfer of personal data outside the European Union, to third countries without an adequate level of personal data protection, together with the contract being concluded, it is necessary to draw up and sign Standard Contractual Conditions for the Protection of Personal Data (Article 46 (1) (2) (c) of the Regulation). Even if the partner does not require such a document, when transferring the data of European employees, it is better to have a previously developed template and insist on signing it yourself. This will significantly reduce the risk of liability for the processing of personal data in violation of the GDPR.
    Standard conditions developed and approved by the European Commission under Directive 95/46 / EC for processors can be found here . You can also find standard conditions for controllers (controllers).

    Adoption of measures required before the conclusion of the contract, at the request of the owner of personal data


    There must be a clear correlation here: events are held in relation to the data owner himself, and he himself gives permission for their execution in the request.

    Example : Checking a candidate's criminal history if his position involves working with data of heightened secrecy and without checking it is impossible to receive an invitation to work. At the same time, the employer informs the candidate in advance in the job description about the need to undergo verification of some criminal facts in his biography. And the candidate, by sending his resume or otherwise, confirms that he agrees with such a check .

    In order to properly form a legitimate request from a candidate for the processing of his data, it is necessary before the processing begins to provide the candidate with the maximum necessary information about future processing, including methods for making decisions on its results. (For details, see. Observe the procedure: informing first, then processing below.

    Freelancers: are they workers too?



    In the Conclusion 2/2017, under the employees it is recommended to consider not only those who work under an employment contract, but also freelancers, if the relationship with them is labor-related. There is complexity.

    What does "labor relations" with freelancers mean, moreover, precisely in terms of GDPR? Conclusion 2/2017 does not answer this question. I think that we need to look at the context in which any workers are mentioned in the Regulations. This is their a priori disadvantage to the employer when they cannot refuse to provide their data without the risk of not getting or losing their jobs or other negative consequences. If you follow this logic, the freelancer can be equated to an employee in situations where your company will be his only source of orders. If the share of orders (and payments) from your company is small and the freelancer can choose whether to cooperate with you and under what conditions, then he has more freedom to make decisions about his personal data.
    In any case, one should wait for the development of the practice of applying the GDPR or the disclosure of this issue in the so-called. “Soft laws” (soft laws) of the European Union: conclusions and recommendations, as well as in national legislation.

    We follow the procedure: first - informing, then - processing


    The owner of the data must be informed before processing. This is a general requirement of Article 13 of the Regulations. In each case (processing within the framework of the contract or prior to its conclusion), and also without a contract, but if there is a legitimate interest in your company, the data owner should receive the necessary minimum information.

    In the case of employees, such informing is better done simultaneously with the posting of requirements for a candidate for a vacancy. If a commercial contract is concluded with a freelancer, you need to inform before concluding the contract, or, as a last resort, simultaneously with its signing. Together with the other information listed in article 13 of the Regulations, it is imperative to indicate whether the provision of personal data is the responsibility of the future employee and what the consequences may be if he refuses to provide it.

    Do not forget that the form of information should be as simple and accessible as possible. Do not include this information in the text of the main contract, where it can be lost. Better make out as a separate document. It is desirable that such a document be dated todates of signing the main contract.

    Lyrical digression about hh.ru
    Случайно обратил внимание на российский hh.ru, который часто размещает часто европейские вакансии. И, как я понимаю, на них могут откликаться, в том числе, кандидаты, уже находящиеся на территории ЕС. На сайте hh.ru я не нашел, каким способом можно отозвать резюме, ранее направленное в адрес конкретной компании. (Может, где-то еще есть?). Как я понимаю, здесь возможен только общий способ: в настройках видимости ограничить доступ к резюме. Но такая реализация, во-первых, противоречит принципам GDPR: отзыв согласия должен быть также прост, как и отправка, т.е. кликом на одну кнопку. А во-вторых, это никак не обязывает компанию, уже получившую и сохранившую данные (к примеру, в виде распечатки), их уничтожить. Думаю, сервису бы доработать соглашение с работодателями об уничтожении данных по автоматическому запросу кандидатов через сайт hh, а еще лучше – сделать отдельные процедуры обработки персональных данных для кандидатов из Евросоюза.

    These were the general requirements for the processing of personal data on the basis of the concluded agreement, due to the need to conclude an agreement at the request of the data owner or in the presence of legitimate interest. Next, we briefly review the processing of personal data in recruiting employees, monitoring employees at the workplace and remotely, as well as monitoring the time of presence at the workplace and / or elapsed time.

    Data processing for recruiting (hiring) employees


    Recruiters like to view candidate profiles in social networks. Some even ask for references in questionnaires or resumes. When collecting data from social networks, your company needs to find out if these profiles are intended for personal or business use. The key here is use. Be aware that even profiles that are open to public viewing cannot be used for recruiting, or evaluating a candidate for employment unless it is directly related to the future function of a candidate in your company or on a project.

    Example: The candidate is accepted as a public relations manager or as the first person of a company, which assumes the formation of a public image of the company. In this case, it may be justified to study any political preferences of the candidate, his lack of connection with radical movements, or ambiguous public statements that may cause damage to the company. Or the candidate is accepted as a business development manager. Therefore, it may be justified for an employer to conclude that a candidate has an established network of business contacts before entering into an employment contract.

    Data processing during work and after termination of the contract


    Social networks


    General monitoring of data from former social network profiles is usually not acceptable. (Such monitoring can be conducted to find out whether the former employee has violated the ban condition for some time to switch to work for competitors). However, if the employer proves that this information cannot be obtained otherwise than through viewing profiles, the collection of data from social networks can be considered valid. Here also the condition must be met about the need to inform the employee in advance about the monitoring being conducted.
    It is obvious that it is better to inform about monitoring before the contract is terminated (and, ideally, before its conclusion). Otherwise, it is highly probable that the employee, having received the notification, will simply delete all the information and contacts that compromise him.

    It is not allowed to force employees to use only the profile associated with the employer in social networks . Even if such a duty is stipulated by the peculiarities of their work (for example, a representative of the PR-service, a spokesman, a client relations manager, etc.). In any case, such employees should be able to use a personal, non-public profile.

    Installation of tools (systems, applications) of electronic data processing on network work computers


    We are talking about any systems and applications that in one form or another collect personal data and transmit them to the employer or to third parties. Installation requires the informed consent of the worker. Even independent actions of an employee on activating an application on his working machine or providing access for remote installation of a system with default settings will not be considered as an expression of consent for installation. Since consent must be given by the user's own active actions, only the installation with a change in the default settings can be equated with the informed and free expression of the employee's will for the installation.

    When monitoring employees or their device data (including personal, connected to a corporate network or WiFi), the employer should have a Workplace Monitoring Policy developed, easily and constantly accessible and understandable to each employee . So that everyone clearly understands what is going to be used and for what purposes.
    IMPORTANT! One cannot adhere to the approach that many Russian “personnel officers” love: when applying for a job, let them read a stack of instructions for a hundred or two hundred pages, and then ask them to remember everything and forget to remove them forever. Type familiarized. The policy should be easily accessible for review at any time.

    The monitoring policy, like any other personal data processing (confidentiality) policy, should be regularly reviewed. A reassessment is needed, as far as monitoring is necessary to meet the legitimate interests of the company. Therefore, I would recommend to those who would like to remove possible claims in the event of a conflict or inspections, but are not ready to allocate a lot of resources for this:

    • at least once a year make protocols / orders with instructions to conduct an inventory of your entire system for collecting and processing personal data;
    • based on the results of the inventory, make at least minimal changes to the Policy (for example, reduce the shelf life of certain data categories);

    Instead of constantly monitoring employees, try to prevent unwanted behavior. If blocking any resources / sites allows you to reach your goal, it is better to block employee access to them rather than constantly monitoring. This is a general principle of interaction between the employer and the employee, which is recommended by the Conclusion 2/2017.

    Example A from Conclusion 2/2017 : Blocking in a row all emails that could potentially pose a threat of data leakage to the employer company requires that the employee be informed about this (each time before sending a letter), with the option to refuse to send. Otherwise, there is a risk of exceeding the necessary interference with privacy and random access to the employee's personal correspondence.

    Example B from Conclusion 2/2017: When using cloud services to download or edit work information, an employee needs to allocate private space. For example, calendars can be used to record work and private events (meetings, for example).

    Example C of Conclusion 2/2017 : If, in order to prevent the risks associated with remote access to the employer's database, it is impossible to abandon the continuous monitoring of the remote employee's work computer, it is recommended to completely ban the use of the work computer for private purposes.


    Monitoring of employees in the "home-office" mode and remote employees


    Using technologies to track clicks and mouse movements, other similar actions of employees, as well as taking screenshots (both selectively and at periodic intervals), obtaining information about downloaded applications and the time they were downloaded, receiving data from webcams or taking readings about the path, traveled by an employee (hello to the monastery of evil, Amazon and others !) is considered disproportionate. Such monitoring is likely to be beyond the legitimate interests of the employer (paragraph 5.4.1. Conclusions 2/2017).

    What can we recommend here?

    First of all, (no matter how familiar this may sound), understand whether you need such monitoring or not. Secondly, clearly indicate (with documentation) what your legitimate interest is, and, if possible, fix such monitoring in existing contracts.

    For example, the work of a programmer on a project cannot be pre-estimated in terms of the time needed. Payment is formed by the number of hours worked. Your customer insists on monitoring the activity of your employee through screenshots or monitors his actions on the cloud server. The condition of the customer about the screenshots or about the control on the server should be recorded in the contract with the customer (if the working time is estimated through any other accounting systems, it is similar). The employee working on the project of this customer should also be notified in advance about the monitoring, and the possibility of such monitoring should be specified in the contract with him.

    Monitoring of working time / presence at the workplace through the access system


    This is a favorite “trick” of many domestic companies, from “small to large”: put an electronic checkpoint and charge fines for one minute late, or enter this information into a personal matter. So, with your European employees this is almost always unacceptable.

    Example from Conclusion 02/2017 : You can use the access accounting system (date, time, owner of the access key) in order to control access to especially sensitive locations. For example, in the server, where important information is stored. But you can not use the data in order to assess employee performance (time of presence / absence in the workplace).

    Monitoring the "atmosphere of happiness" in the company


    It is not allowed to observe the facial expressions of employees using automatic tools to detect deviations from pre-determined motor patterns. In addition to monitoring, such monitoring data can form the basis for employee profiling and automatic decision making regarding him. This is disproportionate to the rights and freedoms of employees. As a general rule, an employer should refrain from using such facial recognition technologies. Although certain exceptions to the general rule may be tolerated.

    (I assume that exemptions are permissible where harmful production takes place (are they still in Europe?) Or to control driver and operator fatigue, as described in the article on Amazon, using the link above).

    Brief conclusions and recommendations:


    1. Develop, as a separate document (or as part of a general Policy on the processing of personal data), a policy on the processing of personal data of employees, if your company has monitoring of their data in any form. To acquaint employees with it and place in easy and free access (for employees, of course)
    2. Issue documents confirming that you regularly (at least once a year) review your policy. It is recommended to make at least minimal changes.
    3. Any cases of personal data processing should be documented in contracts with employees. If any changes occur (additional data begin to be collected, conditions for processing previously obtained data change), do not forget to draw up additional agreements with employees.
    4. Develop as a template Standard contractual conditions for the protection of personal data (Standard contractual clauses), which will need to be signed when receiving personal data of European employees, if such data is transmitted to a third country without an adequate level of protection.