HR Data retention
GDPR Webinar
Gert Beeckmans (SD Worx), Laurent De Surgeloose (DLA Piper)
Welcome to our 2nd GDPR Webinar
Thursday 25th January
Implementing an appropriate retention of employee data
DLA Piper is a global law firm with lawyers
located in more than 40 countries throughout
Europe, the Americas, the Middle East,
Africa and Asia Pacific, positioning us to help
clients with their legal needs around the
world.
SD Worx are a leading European HR provider
assisting clients with payroll, HR and tax &
legal solutions on a global scale.
This webinar will be available for replay on our
website at
www.sdworx.com/gdpr/downloads
#GDPRcountdown
You will have to be explicit on data retention
Section 1
Storage Limitation Principle Remains
Not materially different from existing
privacy laws: you can only retain
personal data for a period that is not
longer than the one necessary for
the purposes of the data processing
But GDPR makes the application of this principle more strict
– Directive Art 6 (1)c: not excessive in relation to the purposes for which
those data are collected
– GDPR Art 5 (1)c - data minimization principle: limit the data to what is
necessary for the purposes
• Limit the period for which the personal data are stored to a strict
minimum
• Establish time limits for erasure or periodic review
And requires you to be explicit and transparent
You must specify data retention times in the privacy notice and the data
register
While data subjects can challenge you
The right to erasure (right to be forgotten)
How will you be able to protect
yourself against claims from
individuals and sanctions if you
have to justify a data breach for
personal data that was already
meant to be deleted?
Defining an HR data retention policy
Section 2
Every country has its own rules and practices that can differ greatly
1. No uniform retention periods on international level
2. Mostly centered around minimal retention guidelines based on company, social and fiscal laws
3. Often related to specific type of documents or information
A few examples…
France:
• payroll data 5 years (including paper payslip)
• but electronic payslips 50 years, or until employee turns 75
• litigation up to 20 years
Germany:
• data on minimum wage compliance 2 years
• litigation up to 3 years
• payroll accounts for tax at least 6 years
Belgium:
• employee records and social documents 5 years
UK:
• payroll and wage records 6 years from the financial year end in which payments were made
Poland:
• employee records 50 years
Challenges
– Strict minimum is subjective and
open to interpretation
– Limited or no case law
– Very limited guidance and no
clear cut best practices
Check and balance
– Legal requirements for document retention defined by social and tax regulations
– Information needed for potential future legal proceedings (depending on how long potential litigation period goes)
– Company needs to keep certain information
VS
– Limiting the storage period to a strict minimum under GDPR
Recommendations
1. Ensure you know the minimal legal requirements for document retention within every country that you are active in
2. Assign information owners
3. Determine overall HR retention times based on a limited number of overall categories of HR data and your HR systems (e.g. recruitment, contract & benefits, payroll) and only then add any additional requirements for specific documents.
4. Organize a periodical review of documents and information and delete anything you no longer need
Example
– C: Completion or Closure – events whose end date is unknown at the time the record
is created
– S: Superseded – date when records have been replaced, revised or made obsolete
Practical HR cases
Section 3
Example 1:
Erasing data of an applicant who was not selected
Mr. X applied for a job. He was not selected because of a mismatch with company values. Afterwards, it was discovered that the applicant had already tried to apply for a job multiple times. The company would therefore like to keep recruitment records so that it can first check whether an applicant has applied previously. How long can they keep recruitment information of applicants?
- The employer should not keep recruitment records for unsuccessful applicants beyond the statutory period in which a claim arising from the recruitment process may be brought.
- Generally speaking, data protection authorities have advised very short retention periods (from 4 weeks up to maximum 6 months) for recruitment-related data such as interview notes, assessment reports, CVs, etc.
- The employer could keep a limited record for a longer period of time if he has a valid purpose (e.g. talent pool) and if the applicant consents to this.
- Advice: clearly communicate the privacy notice on applicants' data as part of the recruitment process.
Example 2:
Data retention vs request for erasure after dismissal ("right to be forgotten")
Mr Z is dismissed by his employer. The employer justifies the dismissal based on performance reasons. After his dismissal he requests the employer to erase all his personal data, as he claims they are no longer necessary in relation to the purpose for which they were originally collected or processed (i.e. the execution of the employment contract between the parties).
- Mr Z has a right to be forgotten and to submit such a request.
- However, the employer can refuse to erase all the personal data if:
▪ that information will be necessary for the exercise or defence of legal claims;
▪ some data cannot be erased as they were collected to comply with legal obligations or for the performance of a public interest task or exercise of official authority.
- The employee was dismissed based on performance reasons. There is a risk that the employee will challenge the reasons invoked for his dismissal (in certain countries employees challenge the reason to obtain an additional indemnity). Certain data regarding the employee should therefore be retained in the framework of a defence of a legal claim.
Example 3:
Retention of pension documents
Mr X was employed by employer A. During his employment he benefitted from a complementary pension scheme funded by the employer. When he was dismissed, the employee decided to leave his pension reserves in the pension plan of the employer. The employing entity was dissolved and its pension obligations were transferred to another sponsoring company of the pension fund. The ex-employee starts a judicial proceeding against the sponsoring entity regarding the pension benefit. The pension plan/regulations have been lost.
- How long should the employer keep pension documents?
- The employer (or the successor) should keep the records in relation to the pension scheme as long as this pension plan is valid and in force.
- After that, those records could be kept for a sufficient period in order to keep evidence in case of litigation.
- Liability issue for the employer (or the successor).
Example 4:
Erasing temporary employment contract of former employees
Company T hires employees under a temporary employment contract. How long should/can the company keep the employment contracts of the former employees?
- The employer should keep the temporary employment contracts for the minimum duration foreseen in the applicable legislation (legal requirement).
- The employer could obviously keep those documents for a longer period of time in case of litigation.
- Advice: keep the contracts as long as the statutory limitation periods applicable in criminal law are running.
- Advice: clearly draft the privacy notice for personal documents of employees.
Thank you
For more information visit: sdworx.com/gdpr
Or email us: [email protected]