The term “personnel master data” describes all data recorded in a company about the personnel employed there. As each data record is unique for an employee, it serves to identify each employee. The main feature of this master data is its low frequency of change.
What changes does the GDPR entail for the HR department?
What are the changes under the GDPR (General Data Protection Regulation) with regard to the collection and use of personnel master data? What do, for example, the HR department and the works council also need to know and observe? Here we explain the relevant points, clarify where and in what form the GDPR introduces something new, and offer suggestions for handling the new requirements.
Keyword: company agreements
The GDPR will apply to large parts of German employment law from May 2018 and therefore generally also to the conclusion of new works agreements and the amendment of existing ones. What do parties now have to consider when concluding new works agreements and is there a need to adapt all existing works agreements?
The handling in the BDSG
Section 4(1) of the BDSG permits the use of personal data in cases where another legal provision outside of the BDSG permits this – e.g. a works agreement that becomes part of the individual employee’s employment contract. Section 75 of the Works Constitution Act in particular provides information on the possible data protection framework of a works agreement by referring to the principles of law and equity. According to the Federal Labor Court, it would be theoretically possible (albeit controversially discussed and hardly ever applied in practice) to lower the data protection standard below the level stipulated in the BDSG with the help of a corresponding works agreement. This no longer applies with the introduction of the GDPR.
Innovations due to the GDPR
As is well known, the GDPR provides for opening clauses that allow member states to adopt national data protection regulations. This also applies to company agreements: Article 88(1) GDPR allows Member States to lay down more specific rules on employee data protection by means of “legislation or collective agreements”. What is new is that the GDPR defines a clear framework within which company agreements may operate. The GDPR provides a list of criteria for this in that provision. Article 88(2) GDPR also sets a standard that the legislator should follow when revising the Works Constitution Act, and that the parties to a works agreement should follow when concluding corresponding agreements.
What does this mean for HR master data?
First of all: European law takes precedence. And: The GDPR applies directly, which means that no conflicting national law may be applied from the effective date. The regulation is therefore the standard from now on, also and especially for the handling of personnel master data. This also means that the Works Constitution Act must be interpreted in accordance with the GDPR when it comes to works agreements with data protection implications.
Company agreement – the key points:
When drafting or adapting company agreements, the following must be taken into account with regard to HR master data:
- Duty to provide information when collecting personnel master data
- The data subjects’ rights to information in this regard
- Right to rectification, erasure and blocking of data
- The associated reporting obligations of the company
- Right to data portability (e.g. when changing employer)
- The right of the data subject to object
- Rights in profiling measures
The reversal of the burden of proof: GDPR brings important changes
A fundamental change compared to the BDSG is the reversal of the burden of proof. Specifically, this means that companies must now prove that they have not committed a breach involving personal data. This is a decisive difference from the previous handling, under which the data subject had to prove the breach and the “presumption of innocence” applied to companies.
Accountability for companies
In addition, companies are accountable, and their implementation must be documented. A viable security concept must be defined, the respective processes must be described, and test concepts for control routines must be documented. It is also recommended that activity records be kept and automatically logged.
Procedure in the event of a data breach
Companies must prepare themselves for a possible emergency: reporting processes for possible data breaches must be established – including the immediate notification of the affected employees, the responsible departments within the company and the data protection authorities. In light of the draconian penalties that the introduction of the GDPR entails, this is crucial.
All of these points show how important effective preparation is with regard to the GDPR: the company’s own processes and documents must be transparent and set up in such a way that proof of innocence can be provided at short notice at any time.
APplus is a valuable aid here, because as an ERP system that is always up to date, it offers the optimal basis for permanent compliance with all GDPR requirements.
Legal notice:
The free and freely accessible content of this website has been created with the greatest possible care. However, we expressly point out that we assume no guarantee or other responsibility for the accuracy, timeliness or completeness of the journalistic guides and information provided on this website.
The content on this website is not intended as legal advice for your company on which you can rely for compliance with the legal regulations on data protection – in particular the GDPR – nor can it replace individual legal advice.
Furthermore, by accessing this free and freely accessible content, no contractual relationship is established between us and you as a user of the website in the absence of a corresponding legally binding intention on our part.




