WHAT ARE PRIVACY NOTICES IN RELATION TO GDPR?
The General Data Protection Regulation (GDPR) requires employers to be transparent about the personal data that they hold on employees and how it is used. Currently, the majority of employers rely on a generic consent clause within their contracts of employment, normally something such as this:
In relation to the Data Protection Act 1998, you agree to the processing of personal data by the Employer for the purposes of calculating your remuneration and maintaining records on attendance, health, discipline and grievances such as are necessary for the performance of your contract.
However, under GDPR, employers are required to give their employees much more detail about the personal data they are processing on them.
The GDPR requires employers to provide their employees with confirmation of the following, in an individually drafted privacy notice document (source: Xpert HR):
- the identity and contact details of the organisation;
- the purposes for which the personal data will be processed, as well as the legal basis for the processing;
- if the employer is relying on its legitimate interests as the lawful condition for processing, what those legitimate interests are;
- the recipients or categories of recipients of the personal data;
- any transfer of the data outside the European Economic Area and the basis for such transfer;
- the period for which data will be stored, or the criteria used to determine how long data will be retained;
- the individual’s rights to subject access, rectification or erasure of personal data, and the right to restrict processing or object to processing;
- the right to withdraw consent to processing at any time, if the data controller is relying on consent as a ground for processing;
- the right to lodge a complaint with the Information Commissioner;
- whether or not providing the data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, and whether or not the data subject is obliged to provide the personal data, and the consequences of failing to provide the data;
- the existence of any automated decision-making and meaningful information about the logic involved and the consequences of any such processing for the individual; and
- where data is obtained from a third party, the source of the data, including if it came from publicly accessible sources.
Employers are required to provide the information in a concise, transparent, intelligible and easily accessible form. It must be in writing, and written in clear and plain language.
Don’t have the time to do this?
You can outsource the whole project to our team here at South Coast HR to complete for you, or purchase the documents to allow you to do it yourself. Get in touch for a no-obligation quote.