13 October 2022 Piramid

Does GDPR Apply to Company Employees?

Currently, the CCPA has only limited application to employee data, with the exception of certain notice obligations. In California, a proposed ballot initiative would extend this exemption beyond January 1, 2021 until 2023. It is also important to keep in mind that if an employee is no longer a California resident, their personal information is no longer protected by the CCPA. Whether the CCPA still applies depends, however, on the type of move: if the move is considered "temporary" (e.g., an absence of less than 546 days under a contract of employment), that person remains subject to the CCPA. In addition, GDPR protection would apply for as long as the employee is in the EU.

Since the majority of employee data is stored and processed by Human Resources (HR), it is crucial for HR staff to gain in-depth knowledge of the GDPR and how it applies to their functions. Seemingly simple, routine administrative tasks may now require additional steps, such as establishing a lawful basis (or, where nothing else fits, obtaining consent) to process an employee's personal data, especially data that is not directly relevant to their job. Note that in the employment context consent is rarely a reliable basis, because the imbalance of power between employer and employee means consent is seldom considered freely given. The introduction of the General Data Protection Regulation (GDPR) is fast approaching, and many organisations are wondering whether the GDPR applies to employee data as well as to customer or client data. Since the GDPR provides no general exemption for small businesses, companies with fewer than 250 employees still have to meet most of the requirements of the law. You must identify a legal basis for the processing; obtain informed consent from individuals where no other legal basis is available; give individuals visibility into the collection, use and sharing of their data (often through layered privacy notices with just-in-time notification); and respond to data subject access requests. Even for the few GDPR articles that do distinguish between the obligations of large and small businesses, SMBs still need to improve their privacy and data protection efforts.

There is no single answer, and even then the answers vary depending on the nature and sophistication of the business. Overall, your business needs to be made GDPR compliant. We usually start this process with an audit that identifies compliance gaps and suggests how to address them. From there, we review the relevant policies and update the necessary forms. For example, the GDPR requires privacy notices; in the employment context, these disclosures are similar to those that employers are required to provide to employees under the Fair Credit Reporting Act. Once the required policies and forms are updated, they are rolled out together with training and awareness activities, like any other new policy or practice. Again, the changes a company needs to make depend on the nature and sophistication of the business.

The GDPR aims to protect the personal data of individuals in the EU through a range of privacy and security requirements. It applies to any employer that processes and stores the personal data of employees residing in the EU. Even if a company is not based in Europe, it is subject to the GDPR if it has employees or freelancers residing in the European Economic Area (they do not have to be EU citizens). In addition, all third-party service providers that process employees' personal data on the employer's behalf (processors) must also comply with the regulation.

This means that the employer can process employee data for:

Article 35 of the GDPR obliges controllers to carry out a data protection impact assessment (DPIA) where processing is likely to result in a high risk to data subjects. In the employment context, the employer must carry out a DPIA before deploying new technologies, or whenever the processing is likely to result in a high risk to the rights and freedoms of workers. Despite the breadth of the EU's General Data Protection Regulation (GDPR), there is no blanket exemption for small businesses: companies still have to comply with most of the GDPR even if they have fewer than 250 employees. The one concession, in Article 30(5), concerns record-keeping and is narrow: even with fewer than 250 employees you must still keep internal records of your processing activities if the processing is likely to result in a risk to the rights and freedoms of individuals, if it is not occasional, or if it includes special categories of data under Article 9 or data relating to criminal convictions. Since payroll and HR processing is by nature regular rather than occasional, practically every employer is caught by this. Employers process employees' personal data; there is no way around it. However, employers' hands are tied by the GDPR and other data protection laws when they process that data. While many US companies assume the GDPR does not apply to them because they have no location in the EU, the GDPR does apply to US and multinational companies that have employees in the EU.