Compliance of HR practices regarding personal data

The EU general data protection regulation (“GDPR”) came into force on May 25, 2018. The French statute on privacy protection (“Informatique et Liberté”) of 1978 was also amended to incorporate the new GDPR principles on data protection.

Employees and candidates are now entitled to more extensive rights of access and portability of their personal data. They can for example request a comprehensive transmission of their personal data.

In practice, this is the most challenging right as dismissed employees could ask for their personal data to build a case. The employer cannot oppose this request and, on the contrary, has to answer this request within 30 days, failing which there is an administrative penalty of up to 2% of the worldwide turnover.

The new regulations reinforce the obligation to obtain the explicit consent of the individuals concerned before proceeding with the processing of their personal data. In any case, such processing must be strictly necessary for the purpose for which it is used, for example, the management of human resources. Employees and candidates can oppose the processing of their data.

As data controller, the employer must ensure that employees and candidates are fully aware of their rights and the procedures to exercise those rights.

The employer must also guarantee the safety of the stored and processed personal data. Therefore, the employer will have to audit the current practices in order to be able to adapt them to the requirements resulting from the new regulations.

It is therefore necessary to ensure that human resources’ practices comply with the new regulations and that employees are fully aware of their rights in this respect.