– Revised guidance on data protection in employment relationships.
On December 1, 2020, the Danish Data Protection Agency published a revised version of its Guidelines on Data Protection in Employment Relationships, which were first published in 2018.
The guide contains a review of the data protection rules that are particularly relevant in connection with employment relationships, including processing activities in connection with the recruitment process, during the employment relationship, and to a certain extent after the employment relationship has ended.
The revision of the guidelines is based on discussions with representatives of the labor market and the outcome of specific cases and changes in practice within data protection law.
The update covers the following points:
- Union representatives' use of the employer's IT equipment,
- Consequential amendments resulting from the new understanding of Articles 6 and 9 of the General Data Protection Regulation (dual legal basis requirement), and
- Adjustments to the rights of job applicants and employees, including employee monitoring.
It is particularly important to note that the Danish Data Protection Agency is introducing a new agreement, which the Danish Data Protection Agency recommends employers and union representatives enter into in relation to union representatives' processing of personal data on the employer's IT equipment.
Use of employer's IT equipment by union representatives
The previous guidance only covered the general conditions and data protection rules applicable to union representatives and trade unions, which left a number of questions unanswered regarding data protection issues that arise, for example, when union representatives use their employer's IT equipment to process personal data.
It follows from the revised guidelines that the union representative, together with the trade union, is the data controller for the processing of personal data that takes place in the course of performing the union representative's duties.
The reason for this is that it is the union representative and/or the trade union that determines the purposes of their processing. The employer thus only determines the technical aids necessary for the practical implementation of the processing. However, the Danish Data Protection Agency states that, as a starting point, it is not possible for the union representative to instruct the employer, which means that the employer is neither a data processor nor a joint data controller with the union representative and/or the trade union.
On this basis, the Danish Data Protection Agency concludes that the employer must be considered an independent data controller in relation to the storage of the information processed by the union representative in the employer's IT systems. This means that the union representative's use of the employer's IT equipment constitutes the disclosure of personal data, which is authorized by Article 6 of the General Data Protection Regulation and Section 12 of the Data Protection Act.
In this connection, the Danish Data Protection Agency recommends that the parties enter into an agreement regulating the framework for this disclosure and the IT security aspects of the employer's access to personal data. The agreement should also specify how the employer is to assist in connection with data breaches and requests from data subjects. The Danish Data Protection Agency also encourages the union representative or professional association to carry out a risk assessment in accordance with Article 32 of the General Data Protection Regulation, taking the aforementioned agreement into account.
Double home requirement
In November last year, the Danish Data Protection Agency announced a change in practice regarding how data controllers may process sensitive information covered by Article 9(1) of the General Data Protection Regulation. You can read the Danish Data Protection Agency's announcement of the change in practice here.
This change has now been implemented in the guidance on data protection in employment relationships.
This change in practice means that data controllers who process sensitive information, such as health information about employees covered by the processing prohibition in Article 9(1) of the General Data Protection Regulation, must be able to identify:
- An exception to the prohibition either in Article 9(2) of the Regulation or in provisions implementing Article 9 of the Regulation and
- a legal basis for the processing in Article 6 of the Regulation.
Prior to the Danish Data Protection Agency's change in practice, it was sufficient for the data controller to identify an exception to the prohibition in Article 9(2)(1) of the Regulation.
The Danish Data Protection Agency also emphasizes that Article 5 of the General Data Protection Regulation, which lays down basic principles for fair and transparent processing of personal data, must always be complied with.
Rights of job applicants and employees
The revised guidelines state that there are certain situations in which the employer is not obliged to comply with an employee's request for access. This applies, for example, in connection with salary negotiations, where consideration of the employer's negotiating position and general conditions at the workplace may, based on a specific assessment, justify limiting access.
The Danish Data Protection Agency has also included the employer's duty to provide information to employees in accordance with Articles 13 and 14 of the General Data Protection Regulation in connection with the use of control measures.
The guidelines stipulate that employees must be clearly informed of any control measures at least six weeks before they are implemented.
The Danish Data Protection Agency also proposes that employers should establish fixed procedures for ensuring compliance with the duty to provide information.
Comments from CLEMENS Law Firm
The new revised edition of the Danish Data Protection Agency's guidelines provides an obvious opportunity to review your company's procedures and policies in order to assess whether there is a need for any updates.
In addition, it is recommended that the necessary guidelines and agreements be drawn up between the company and any union representatives regarding the use of the company's IT equipment by union representatives.
In this connection, it is also important to note whether the storage of personal data recorded by the union representative in the company's IT systems is covered by the company's Article 30 records.
If you have any questions about the guidelines or need help drafting an agreement with union representatives, drafting a privacy policy, or procedures for complying with the duty of disclosure, our team of data protection specialists is always ready to help.
