Answer ... The General Data Protection Regulation (GDPR) regulates the processing of personal data, including an employer’s processing of employee personal data. Employees have the same rights as other data subjects according to the GDPR, including the right to access personal data processed by the employer, the right to deletion, the right to restriction of processing and the right to data portability.
Employees also have the same right as other data subjects to be informed about the employer’s processing of personal data according to Articles 13 and 14 of the GDPR.
The Danish Data Protection Act supplements the GDPR and – in certain areas – provides for even greater protection of personal data, including in relation to the processing of social security numbers, which generally requires consent unless the processing is required by law.
It is a general principle in both the GDPR and the Danish Data Protection Act that the employer – as the controller of employees’ personal data – must have a legal basis for processing employees’ personal data, and that the employer must process such data in accordance with the general data processing principles according to Article 5 of the GDPR.
As a main rule, it is lawful for an employer to process employees’ personal data where the processing is necessary for the employer to fulfil its obligations according to the employment contract and its duties according to applicable legislation.
According to the GDPR and the Danish Data Protection Act, an employer can therefore also process special categories of personal data (‘sensitive’ personal data) without the employee’s consent where processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of, for example, employment law and social protection law, or according to an applicable collective bargaining agreement.
In some areas, the nature of the employment relationship has an impact on how the employer must adhere to the data protection rules. For example, the employer must take special care when obtaining consent from employees (where relevant). It must be made clear to the employees that their consent is voluntary, and that refusal to provide consent will have no negative impact on the employment relationship. Employees must be able to withdraw their consent under Article 7 of the GDPR.
The Danish Data Protection Agency published guidelines on the processing of personal data in employment relationships in November 2018 (in Danish only). These guidelines have streamlined the Data Protection Agency’s practice in certain areas. For instance, the guidelines state that an employer must obtain consent from employees if it wishes to publish pictures of them – for example, on its website, on social media or in marketing materials. According to the guidelines, this requirement applies to both profile pictures and ‘situational pictures’. As a main rule, internal publication of employees’ personal data, including pictures, on the employer’s intranet does not require consent.
It is standard for employers to have access that allows them to monitor emails, telephone calls and use of computer systems where such monitoring is for operational reasons and to ensure correct use of the equipment.
If (limited) private use of email, telephones and other communication systems is permitted, the employer must not use its access to read or monitor employees’ private emails, telephone calls and so on (except in case of suspicion of fraud or similar criminal activities).
After termination of an employee, it may be lawful for the employer to keep his or her email account active for a limited period, but this can never exceed 12 months. The employer can keep an email account active only to ensure that significant information is not lost and only to receive emails – not to send emails from the former employee’s account. The former employee must be informed that the email account is being kept active and for how long.
It is recommended that the employer inform all employees about its use of control measures and processing of personal data relating to use of email, internet, telephone and other systems in its HR policy and/or privacy policy.