European Union: A GDPR Update For Employers, Part II: Aligning HR Practices To Comply With National Legislation Implementing The GDPR

Much has happened since the European Union (EU) General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Many EU countries have enacted national legislation to implement and expand the requirements of the GDPR, while other developments have directly affected employers and created new obligations regarding the collection and processing of human resources (HR) data.

This is the second article in a four-part series examining national legislation, opinions, and guidelines that have been enacted or issued clarifying the GDPR's requirements. The series also covers data protection impact assessments, claims alleging violations of the GDPR, enforcement actions, and fines that have been issued. Part one focused on threshold issues of GDPR coverage. This article addresses requirements enacted by individual EU countries that impose additional obligations related to the processing of HR data.

Although the GDPR was intended to provide a uniform set of data protection requirements across the EU, the GDPR contains several provisions, known as "opening clauses," that expressly permit individual EU countries to implement additional and/or stricter requirements for certain types of data that employers typically process. For example, Article 9 of the GDPR provides that EU Member States may introduce further conditions and limitations on the processing of genetic data, biometric data, and health data. Article 10 of the GDPR provides that data concerning criminal convictions and offenses may be processed only if authorized by EU or EU country law. Finally, Article 88 permits EU countries to provide, either by law or by collective agreements, more specific rules regarding the processing of personal data in the employment context.

Several EU Member States have taken advantage of these opening clauses and have enacted legislation providing stricter or additional requirements for processing HR data:


An employer may process HR data without an employee's or job applicant's consent if the collection and processing of the data is for employment relations; is required by the Labor Code, Health Act, or Social Insurance Code; or where the legitimate interest of the employer prevails over the interests and rights of employees, such as in the case of video surveillance for security purposes.


  • Employers may process employee biometric data to monitor employment performance (e.g., working hours) and for access control on company premises if there is a legal basis for such monitoring or the employee gives express consent and the biometric data processing serves as an alternative to other means for such monitoring.
  • Employers may use closed-circuit television (CCTV) surveillance cameras in the workplace provided that applicable health and safety regulations are followed; employees receive adequate notice of the CCTV use; and the CCTV does not monitor changing rooms, relaxation and resting areas, or bathrooms.


  • Employers will commit a criminal offense if they process the criminal history data of employees or job applicants without having an Article 30 record of processing activities, if they fail to update the record of processing, or if they fail to provide a record of processing to authorities upon request or otherwise provide an inaccurate or incomplete record of processing to the authorities.
  • Employers will commit a criminal offense if they fail to conduct a required data protection impact assessment.


All organizations, including employers, must encrypt emails that contain sensitive personal data. "Sensitive personal data" under the GDPR includes data concerning a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic information, biometric data, ideology, health, sex life, or sexual orientation.


  • Private-sector employers are prohibited from processing criminal history data as such data may be processed solely by public entities or in connection with legal proceedings.
  • Employers may process biometric data if such processing is strictly necessary to control access to the workplace and devices and applications used by employees, agents, trainees, or service providers.


  • Employers may process HR data including special categories of personal data on the basis of collective agreements or Works Council agreements, but such agreements must meet the requirements of the GDPR.
  • An employer must appoint a data privacy officer if it employs 10 or more people whose duties include the processing of personal data.
  • An employer may process data based on employee consent where such consent is in writing and the employee receives a "legal or economic benefit" or the interests of the employer and employee are aligned.

Examples of a "legal or economic benefit" to an employee include an employer's implementation of an occupational health management or support program or an employer's permitting private use of company IT systems. Examples of aligned interests include situations in which employers and employees work together to add employees' names and birthdays to a company birthday list or use photographs of employees for a website. When determining whether consent is voluntary, the timing of the consent must be considered. For example, prior to the conclusion of an employment contract, employees are subject to greater pressure to consent and, therefore, such consent may not be voluntary.

  • Employers may process sensitive data without employee consent in order to manage the employment relationship or to exercise rights or fulfill duties under employment law or social services law so long as the employee's privacy rights do not override the company's interest in processing such data.
  • An employer may engage in employee monitoring only when the company can document reasons to believe the employee is engaged in criminal conduct or has committed or is committing a serious breach of duty.
  • The definition of "employee" includes temporary or agency employees.


Employers may process criminal history data when absolutely necessary for, among other purposes, determining eligibility for employment, processing data in the employment context, and establishing, exercising, or defending legal claims.


  • Employers may process health data for an occupational pension, a retirement annuity contract, or any other pension arrangement.
  • Employers are prohibited from requiring individuals to make data access requests or to supply information from a subject access request in the employment context.


Employers may ask prospective employees to provide an extract of their criminal record in the recruitment process. The data can only be used for recruitment or human resources purposes and cannot be kept for longer than one month.

The Netherlands

Employers may process criminal history data if the individual provides explicit consent or the processing of such data is necessary for litigation purposes.


  • Employers may not engage in "blind recruitment" in which the identity of an employer is not disclosed at the beginning of the recruitment process.
  • Employers may not process the criminal histories of job applicants, even with applicant consent.
  • Employers may not contact the prior employers of job applicants without the applicants' consent.
  • Employers may not confirm the authenticity of job applicants' university degrees.
  • Employers may not retain the data of unsuccessful job applicants for future employment consideration unless the job applicants consent.
  • Employers may not process job applicants' social media data.
  • Employers may not use biometrics for the purpose of recording working time.
  • Employers may not use photographs of employees without their consent.
  • Employers may transfer HR data within an organizational group for internal administrative purposes including the centralization of HR and payroll processes.
  • Employers may use CCTV monitoring for security purposes to protect employee safety, company property, or confidential information. Employers cannot use video monitoring to monitor restrooms, changing rooms, company lunchrooms and smoking areas, or areas made available for trade union activities unless the employees recorded are made unrecognizable. CCTV recordings may be kept no longer than three months unless needed for judicial proceedings. Notice must be provided to employees no later than one day before the launch of the CCTV monitoring and may be done by appropriate signage or sound notices indicating which area or areas will be monitored. If there is a collective agreement, notice of CCTV monitoring may be provided in the collective agreement.
  • Employers may engage in email monitoring and other non-video monitoring of employees for the purposes of tracking working time and ensuring proper use of work tools and equipment.
  • Employers must provide prior notice to employees regarding any type of monitoring.
  • Employers are not required to obtain employee consent to introduce monitoring in the workplace and an employee may be terminated for refusing to be monitored so long as the monitoring complies with applicable data protection laws.
  • Monitoring that was implemented prior to May 25, 2018, must be compliant with the Polish Labor Code.


An employer may process sensitive data when necessary for the purposes of carrying out and exercising the obligations and specific rights of the employer or employee in the areas of labor law, social law insurance, social protection, or public health insurance.


  • Employers may rely on the legal basis of legitimate interest to process employee data.
  • Employers cannot rely on employee consent to process sensitive data. An employer must notify employees of any video surveillance by placing a sign regarding the surveillance in a visible location. Video surveillance data must be deleted within one month unless needed to prove the commission of acts against individuals, property, or facilities.
  • Employers may access corporate electronic devices used by employees pursuant to clear rules drafted with the participation of the workers' representatives. However, employees have the right to disconnect from company networks outside of working hours in accordance with predefined policies.
  • Employers cannot process criminal record data unless specifically permitted by a sector law.
  • Employers may use CCTV or video surveillance to monitor employees as long as the monitoring complies with Spanish labor laws and employees are informed about the video surveillance. Video surveillance footage can be stored for a maximum of one month unless a longer retention period is required for an ongoing investigation.
  • Employers may implement whistleblower reporting systems that permit both anonymous and non-anonymous reporting from employees. Employers must notify employees about the existence of whistleblowing systems and must restrict access to the data contained in the whistleblowing systems to persons who carry out internal control and compliance functions, or persons designated to handle complaints. Employers can maintain logs of employee complaints and whistleblowing, so long as the employees are informed of the logs' existence. Personal data in these systems must be stored only for as long as necessary and no longer than three months, except if the purpose of the storage is to demonstrate compliance with the crime prevention model by the legal entity.


Employers may process social security numbers without employee consent when the processing is necessary for security or authentication purposes.

United Kingdom

  • An employer may process sensitive data such as data concerning ethnic and national origin, religious and philosophical beliefs, health, and sexual orientation where such processing is (1) necessary to enter into or perform an employment contract; (2) necessary for "exercising or performing any right or obligation which is conferred or imposed by an enactment or rule of law" on the employer in connection with employment; or (3) necessary for the purpose of identifying, reviewing, or promoting equal opportunities or treatment in the workplace. Further, an employer must have an appropriate policy in place that explains the employer's procedures for securing compliance with the principles of the GDPR in connection with the processing of HR personal data and that explains the employer's policies regarding the retention and erasure of personal data processed, setting forth how long such personal data is likely to be retained.
  • Employers are not required to provide employees or job applicants access to confidential references provided for employment purposes.
  • Employers may process criminal history data only if one of the following conditions is met: "the data subject has given consent to the processing"; "the processing is necessary to protect the vital interests of an individual"; the processing is performed by a not-for-profit entity; the "personal data is already in the public domain"; "the processing is necessary for the purpose of, or in connection with, any legal proceedings" or is necessary for obtaining legal advice or establishing, exercising, or defending legal rights; "the processing is of personal data about a conviction or caution" for an indecency offense involving children; the processing is "necessary for reasons of substantial public interest"; or the processing is necessary for insurance purposes.

The Article 30 record of processing that requires an appropriate policy document must include the following information: the condition relied upon, the extent to which the processing is lawful under the GDPR, and, where applicable, the reasons for not complying with the policy.

Part three of this series will address the obligation under the GDPR to conduct data protection impact assessments of processing activities that are "likely to result in a high risk to the rights and freedoms" of individuals.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
