As we have noted on several occasions, the General Data Protection Regulation (GDPR) of the EU will be mandatory and directly applicable in all Member States, including Hungary, from 25 May 2018. The GDPR will pose new challenges for companies (employers), which have to review the legal framework of their data management practices in connection with their operations and align them with the new data protection requirements. One key area of such reviews is HR activities and processes, and it is particularly important that these are legally compliant with the GDPR (which primarily, but not exclusively, means avoiding the payment of penalties).
Reviewing HR activities and processes from a data protection perspective affects all stages of work relationships. Below we summarise the issues that constitute a legal risk in terms of data protection, and which typically arise upon examining employer procedures.
HR activities prior to employment
Even before recruitment you need to think about how to manage the data of job applicants. As we previously wrote, it is important that data protection requirements are also complied with when drafting job adverts. The following problems tend to arise in connection with recruitment and selection in HR activities:
- employers do not prepare data protection information for the management of applicants’ personal data;
- as a form of preliminary screening, HR looks at the social media profiles of applicants during the selection process, but fails to inform the applicants of this;
- employers fail to inform applicants that their applications were unsuccessful;
- after completing the selection process, employers continue to manage the data of the unselected applicants without their consent.
HR activities when starting and during employment
A whole range of data protection requirements have to be adhered to in Hungary both when starting to employ someone and during their employment. Employees have to be given appropriate information about the management of their personal information. In preparing for the GDPR, it has to be examined whether the wording of the templates used by HR for employment contracts and employer information complies with GDPR requirements as well as other data protection rules in force.
If the employer uses technical devices – such as cameras or GPS navigation systems – to check on employees, then the employees have to be properly informed about this in line with prevailing legislation and GDPR requirements. The ways of checking the use of company telephones, email addresses and laptops given to employees also have to be regulated. In light of the principle of transparency, the GDPR makes employer policies much more significant, so it is crucial that these documents be worded in line with current legislation and GDPR requirements.
HR activities after employment ends / is terminated
Data management does not end upon the termination of the employment relationship either, so it is important to know which personal data may or must be managed, for how long, and on what legal grounds (lawfulness) – yet another task for HR.
Mapping the HR activities affecting these areas from a data protection perspective, reviewing and preparing the templates used for employment contracts, employer information documents and policies, and laying down good data management practices are all crucial for ensuring legal compliance with GDPR requirements.
If you are interested in checking whether your company’s HR activities and processes comply with GDPR requirements, please contact us and we will review your current practices as part of a data protection due diligence review.