Data protection in employment relations
Personal data processing is any kind of activity with personal data. Personal data processing is not only the collection of personal data but also the recording, retention, transmission, disclosure and destruction thereof. Personal data are any data concerning an identified or identifiable natural person, regardless of the form or format in which such data exist.
The processing of personal data in employment relations is characterised by conflicting interests and fundamental rights, highly abstract legislation, and the mixture of private and public law.
Mutual trust provides a sound basis for a good employment relationship. That is why the following principle of personal data processing – processing with the knowledge of the employee – has a central role in the employment relationship.
The following provisions of the Employment Contracts Act in particular refer to personal data processing:
- section 11 of the Employment Contracts Act – data processing of persons applying for employment;
- clause 28 (2) 11) of the Employment Contracts Act – obligation to respect employees’ privacy;
- section 41 of the Employment Contracts Act – processing of personal data of employees.
Employer as a processor and rules for personal data processing
The employer is always the processor of personal data as the name and personal identification code of the employee alone are considered personal data.
The employer is a processor already in the recruitment phase, during the employment relationship, and also after the termination of the employment contract. Pursuant to subsection 41 (2) of the Employment Contracts Act, an employer must process the personal data of an employee in accordance with the Personal Data Protection Act.
Internal rules for the processing of personal data should be determined in a separate document or as part of the rules of organisation of work.
Pursuant to section 14 of the Personal Data Protection Act, the following principles have to be complied with upon processing of personal data:
- legality and fairness – personal data are processed legally and fairly;
- purposefulness – personal data are collected for specified, explicit and legitimate purposes and they shall not be processed in any manner which is incompatible with these purposes;
- quality – personal data must be adequate and appropriate and must not be excessive given the purposes of the data processing;
- accuracy – personal data must be accurate and, if necessary, kept up to date; reasonable measures are taken to ensure that any personal data which are inaccurate with respect to the purpose of data processing shall be erased or rectified without delay;
- retention – personal data are retained in a format which enables the data subject to be identified only for as long as this is necessary for achieving the purpose for which the personal data are processed;
- security – personal data are processed in a manner that ensures appropriate security thereof, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by means of implementing appropriate technical or organisational measures.
Informing the employee of the processing of personal data
The employee must be aware of who is processing their data, for what purpose and which data are processed. The employer has the obligation of notification even if they do not receive information about the employee on their own initiative, e.g. they accidentally open a private letter of the employee, or if someone (such as a bailiff) sends an inquiry about the employee to the employer.
The employee always has the right to ask which of their personal data the employer processes, for what purpose and to whom the data has been transmitted. An employee also has the right of access to data.
Employee records must be accurate and up-to-date. An employee has the right to demand that inaccurate data be rectified and obsolete and unnecessary personal data be erased.
During the employment relationship, the personal data of the employee may only be processed with their consent and only if the employee has an actual opportunity to decide whether they give their consent or not. For example, a photo of the employee may be used on the website of the company with their consent. An employee may withdraw their consent at any time and its withdrawal does not have any retroactive consequences. If an employee withdraws their consent, the employer must stop the processing of personal data.
If processing is unavoidable by law or contract, then asking for consent is misleading. For example, consent is not required if the employer asks for the personal data of the employee’s child for the provision of childcare leave or additional child leave. An employee can only give their consent for the further processing of their personal data or the personal data of their minor children, e.g. when Christmas gifts at work are distributed according to the age of children.
Use of cameras at work
The employer does not have the right to carry out covert surveillance of employees and process the corresponding data.
Employees must be notified of the use of surveillance devices for the protection of people and property. This must also be done if the surveillance devices are aimed at customers or third parties but employees are also included in the surveillance area. The notification must be clear, unambiguous and include the information specified in section 23 of the Personal Data Protection Act. The use of surveillance devices is not permitted for the purpose of checking the quality and quantity of the work performed by the employee. Data obtained from surveillance devices intended for the protection of people or property may not be used, for example, to prove a breach of work duty. The employer may not monitor the employee outside working hours. An employee has the right to access the data collected via surveillance devices which concerns them, including recordings.
- A more detailed explanation of the use of cameras at work is available on the Data Protection Inspectorate website.
- Instructions for the manager of video surveillance are available here.
- Data Protection Inspectorate leaflet ‘Video surveillance and privacy’ (PDF)
- Data Protection Inspectorate leaflet ‘Do you need a sign for your video surveillance?’ (PDF)
Contacting the Data Protection Inspectorate
You can call the Data Protection Inspectorate helpline 5620 2341 on working days 13.00–15.00. In the case of more specific questions that require a detailed reply, you can send an e-mail to [email protected].
Frequently asked questions about data protection can be found here.
All guides of the Data Protection Inspectorate are available here.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Guidance material of the Data Protection Inspectorate ‘The processing of personal data in employment relations’
Data Protection Inspectorate’s guide for human resource managers ‘Personal data in employment relations’
Data Protection Inspectorate’s guide for employers and employees ‘Use of personal mobile device in working environment’
Data protection leaflet for employers