GDPR data protection privacy notices in employment
GDPR data protection privacy notices in employment

The following Employment guidance note provides comprehensive and up to date legal information covering:

  • GDPR data protection privacy notices in employment
  • GDPR requirements
  • First steps—data mapping
  • Consider a data protection impact assessment (DPIA)
  • What to include in a privacy notice, and when
  • Consent?
  • Language
  • Where and how to deliver the information
  • When to provide privacy information
  • Test, review and update
  • more

Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR) was directly applicable in all EU Member States (including the UK) from 25 May 2018. The main provisions of the Data Protection Act 2018 (DPA 2018) came into force on the same date.

For further information, see Practice Notes: The GDPR and DPA 2018: key data protection issues for employment lawyers and The GDPR and DPA 2018: lawful processing of personal data in employment.

The first data processing principle under Regulation (EU) 2016/679, GDPR requires employers and other controllers to process personal data ‘lawfully, fairly and in a transparent manner’. While ‘transparency’ was an implicit requirement under the now-repealed DPA 1998, the GDPR places a greater emphasis on transparency, and requires controllers to:

  1. provide data subjects with specified information about the processing of personal data, including the purposes for which it is processed, the legal basis for the processing, with whom it will be shared and how long it will be kept, and

  2. do so in a concise, transparent, intelligible and easily accessible form, using clear and plain language

This is known as ‘the right to be informed’ (see Practice Note: The GDPR and DPA 2018: key data protection issues for employment lawyers—The right to be informed and ‘transparency’ (privacy notices)).

Regulation (EU) 2016/679, GDPR permits Member States to introduce derogations from the GDPR provisions in certain