GDPR In The Workplace: Know Your Rights
Chances are you've been given some training on GDPR in the workplace, with a focus on how you handle customer or client information, to ensure your company complies with the law.
As an employee, your data gets the same legal protections as any external 'data subjects'. In fact, usually more so, due to the level of personal information that your employer holds.
The general data protection regulation (GDPR) is a law created in the EU to protect the data of its citizens, it effects businesses worldwide. The UK implements GDPR with the Data Protection Act 2018.
What are the 7 GDPR principles?The 7 key principles of UK GDPR are: | What are the 8 rights of individuals under GDPR?Your rights under GDPR are: |
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality (security)
Accountability |
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling. |
Essentially, this means that your employer is responsible for informing you of the purpose of collecting and using your personal data, as well as how it will be treated by the organisation. They can use your data in the specified ways with your freely given consent.
You can access your personal data, request for mistakes in it to be rectified and have it destroyed when it is no longer required by law.
There are six reasons your employer can lawfully process your data:
1) Consent
You have given clear consent for a specified purpose*.
2) Contract
It is necessary for a contract they have with you, or because you have asked them to take specific steps before entering into a contract with them.
3) Legal Obligation
It is necessary for your employer to comply with law (not including contractual obligations).
4) Vital interests
It is necessary to protect someone’s life.
5) Public task
It is necessary for your employer to perform a task in the public interest or for their official functions, and the task or function has a clear basis in law.
6) Legitimate interests
It is necessary for your employer's legitimate business interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests. (Does not apply if your employer is a public authority processing data to perform its official tasks).
*Consent does not include:
- Silence
- Lack of complaint
- Consent incorporated as a standard term within your employment contract or data protection policies
What is an example of GDPR?
some examples of GDPR which you might not expect:
Celebrating birthdays
Your birthday is your personal information. Not only do some people prefer to keep this information private, it could also be used in conjunction with other personal information to attempt identity fraud.
If your workplace keeps a shared calendar of birthdays (without consent), or your manager surprises you or other employees with a cake on your birthdays, this may amount to a data protection breach.
Sending Christmas cards
Posting greetings cards to your home address may amount to a data breach, if you have not given your consent for your address to be used in this way.
There is stronger legal protection for more sensitive information, concerning: race; ethnic background; political opinions; religious beliefs; trade union membership; genetics; biometrics (where used for identification); health; sex life or orientation.
Disclosing your health information
When you are absent from work you may be expected to give your employer details of your health. All that should be shared with your colleagues is that you are unwell - and even then, only the colleagues directly affected by your absence.
If the details of your health have been disclosed to other colleagues then this likely amounts to a data breach, especially where those details are sensitive.
Disclosing your sexual orientation
Your employer may be aware of your sexual orientation, when you are not yet 'out' among your wider colleagues.
Even in well intentioned circumstances, such as drawing positive attention to you during a company sponsored pride event, outing an employee is always considered a serious breach of GDPR.
Sending your CV to a colleague for a second opinion
Data breaches can occur before you've even begun employment. If the person reviewing your CV isn't sure and shares your CV (including name, contact details, etc.) with another colleague they may be in breach of GDPR in the workplace. This can be avoided if they anonymise the CV first, redacting personal information and using only an ID number to identify the CV.
Data leak
This is the breach of GDPR in the workplace that we are most familiar with due to press coverage. An accidental or malicious leak of employee personnel files can be detrimental as once leaked they are often sold on the dark web.
Names, addresses, birth-date's and bank details can be sold off to the highest bidder and used with malicious intent, primarily identity theft. These breaches are serious and can involve fines against the employer, worth millions.
Have your data protection rights been breached?
If your personal data has been shared without your consent, or your rights have not been honoured, you may have a claim against your employer. Get in touch to see how we can help.
Employment Law Specialist | Competitive Quotes | Straight Talking Legal Support
Frequently Asked Questions
As an employee, you must follow your company's data handling procedures. You should also have received a privacy policy concerning how your employer handles your personal data.
If you have a concern regarding data handling at work, you should raise the issue with your employer, or with the Information Commissioner's Office
If your personal data has been shared without your consent, or your rights have not been honoured, you may have a claim against your employer. Get in touch to see how we can help.
Employment Law Specialist | Competitive Quotes | Straight Talking Legal Support
You have the right to see the information which your employer holds about you. However, there are some legal exceptions.
Schedule 2 of the Data Protection Act contains an exemption which allows your employer to refuse to disclose a confidential reference. However, they can choose to do so anyway.
If your employer decides to share the reference with you, they will still be obligated to protect the data interests of any third parties identified in the reference. For example, your employer will have to redact any data which identifies the individual who made the reference.
Your employer can legally intercept any of your telecommunications (email, IM, calls etc.) as long as:
- You have given consent; or,
- They can show that they took reasonable steps to inform all users that interception may take place.
Employers can intercept telecommunications without either of the above provisions under certain legal exemptions, including:
- Quality control & training
- For regulatory and self regulatory procedures
- For systems maintenance
- To find out if the communication is for a private purpose, rather than business
- To detect unauthorised use
- To prevent or detect crime
- For national security purposes
This content is provided free of charge for information purposes only. It does not constitute legal advice and should not be relied on as such. No responsibility for the accuracy and/or correctness of the information and commentary set out in the article, or for any consequences of relying on it, is assumed or accepted by any member of our company. For employment law advice please get in contact and speak to your employment law solicitors.
Find Out More:
- I have to resign because of the information shared without my consent
- My employer has breached my contract by sharing protected information
- I'd like to raise a grievance
Talk to a Professional
If your rights have been breached concerning data protection or GDPR in the workplace, we can help.
Just get in touch today to speak to one of our employment law specialists
Employment Law Friend Privacy Promise
We promise not to share any of the information you provide, with your employer.
What you tell us, stays between us.
We're loyal like that.
