
GDPR: how to work with the personal data of your employees, freelancers and European employees of contractors



This article is a brief digest and my own interpretation of the provisions of the General Data Protection Regulation (the "Regulation") read together with Opinion 2/2017 on data processing at work, adopted by the Article 29 Working Party on 8 June 2017. It is addressed to companies that have full offices, remote workers and/or freelancers in EU countries, as well as counterparties (partners) with European employees whose data you may receive in the course of joint projects.

We look at the processing of personal data when hiring (recruiting) employees and when concluding contracts with freelancers or business partners, and at monitoring employees in the workplace and remotely, including through automated data collection systems.

The Opinion was adopted before the Regulation became applicable and is based on Directive 95/46/EC of 24 October 1995, but it already takes the provisions of the GDPR into account.

For convenience, and where the context allows, employees, freelancers and employees of contractors are collectively referred to below as the "Employee".

Make sure you have a legal basis for processing employee data.


Processing of employees' personal data usually rests on at least one of the following legal bases under Article 6(1) of the Regulation:

  1. a legal obligation of the employer (Article 6(1)(c));
  2. the employee's consent (Article 6(1)(a));
  3. a contract with the employee (Article 6(1)(b));
  4. the legitimate interests of the company (Article 6(1)(f)).

Processing required by law is outside the scope of this article. Nor will we deal with consent: as noted in the previous article, Consent to the processing of data under the GDPR: detailed analysis, basing the processing of employees' personal data on their consent is a problematic option. There is always a risk that the consent is drafted incorrectly somewhere and is held not to have been freely given, in which case your company will be in breach of the GDPR.

In relations with employees it is more reliable to base the processing of personal data on the contracts you conclude. If it is technically difficult or impractical to fix every processing question in contracts, you will need to take a careful approach to documenting your company's legitimate interest in such processing.

Let us consider which conditions to include in employment or commercial contracts, and how to word them, so that they allow you to process personal data in accordance with the GDPR. (Since processing on the basis of legitimate interest must also be documented and largely coincides with processing on the basis of a contract, we will not consider it separately.)

Here is the full wording of Article 6(1)(b) of the Regulation: "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract".

A number of mandatory elements follow from this wording.

The need for data under the contract


According to Recital 44 of the Regulation, processing is lawful where it is necessary in the context of a contract or the intention to enter into a contract. So we look at the context of the contract itself. Opinion 2/2017 recommends that in such cases a proportionality test be applied to assess whether the processing is necessary to achieve a legitimate aim (here, the performance or conclusion of the contract) and what measures need to be taken to keep the interference with privacy to a minimum.

The Regulation does not spell out what the "proportionality test" includes. Opinion 2/2017 only notes that such a test can be part of a DPIA (data protection impact assessment). Within the DPIA procedure itself, the proportionality of processing is described through a set of criteria that the controller must follow. In my opinion, the most important of them are the following:


Consequently, the proportionality test means more than simply writing into the contract an obligation to provide certain personal data for processing, or informing the data subject of such an obligation before the contract is concluded. The contractual obligations of the employee on which the data collection rests must follow directly from the nature of his future work or the specifics of the project he will be involved in. The contract should provide for the processing of only the minimum necessary personal data, tied to a specific processing purpose that is formulated clearly and unambiguously.

Example A: It is reasonable to require a PR specialist or a customer service manager to provide a photo for publication on the company's website. This is justified by the nature of their work, where appearance plays a psychological role in promoting the company's interests and growing sales. By contrast, there is hardly any need to request and pass on to clients (or publish) photos of developers who take part in voice meetings without even turning on a webcam and of whom nothing more is ever required.

I think it would be disproportionate to word a contractual clause on contact details as follows:

Example B: "Employee contact details: ... e-mail address for sending a job offer, the employment contract or informational materials of /COMPANY/". Sending "informational materials" is clearly a purpose extraneous to the performance of an employment contract and implies the distribution of advertising. If, however, you word it slightly differently, "notifications of changes in working hours, information about days off, etc.", that is a clear, specific purpose, and the use of e-mail is adequate to it.

(Obviously, simply listing an e-mail address and then using it to send marketing materials is equally unacceptable.)

Example C: Your company acts as an agent and promotes the services of those same developers on international markets. Since publishing a photo is driven by the specifics of working with customers, who need to assess the developer's image and psychological profile before deciding to engage him, publishing the photo can be justified.

(Just do not forget to warn the developer about the use of the photo before concluding the contract with him. It is also advisable that developers who do not agree to a profile photo should still be able to use your company's services, even if their chances of being engaged are lower without a photo.)

Example D: Your employee (say, a system administrator) looks after servers running large-scale, high-load applications. He has to be reachable around the clock (provided, of course, that you also comply with the labour-law requirements on pay for such employees). You can put a clause in the contract on calls to his personal phone number in emergencies. Conversely, if an employee is not needed outside working hours, it is better not to use his personal phone number at all (even if you know it).

And an example from Opinion 2/2017: a delivery company is not entitled to send photos of its couriers to buyers (so that they can verify that the courier really is the courier), since sending a photo is not necessary for delivering parcels.

IMPORTANT! The proportionality test should be applied not only when drafting contracts, but to processing on any other basis as well; for example, when obtaining consent (Article 6(1)(a)) or when pursuing the legitimate interests of your company (Article 6(1)(f) of the Regulation).

Whenever a need to collect personal data arises in your company, always ask yourself: do you really need this data? Even if your employee does not seem to object. Remember that from the GDPR's point of view the employee is by default the weaker party to the employment relationship, and his consent is presumed not to be freely given. The task of ensuring minimal interference with private life (including under contracts with employees) therefore lies with your company, not with the employee.

I also recommend studying the requirements of the data protection authority in the country where you do business. For example, in Cyprus, recently a popular relocation destination for IT and fintech businesses from Russia and other CIS countries, a DPIA is mandatory if employees are systematically monitored, including monitoring of workplaces, Internet activity or the use of GPS on employees' vehicles.

The data subject must be a party to the contract.


This would seem obvious. There is, however, one subtle point that few people notice: the processing of personal data of your partners' employees (customers, contractors, intermediaries, etc.), where a legal gap arises.

Your company has no contract with your partner's employees. And in most cases you cannot even ask them for consent. Yes, these people are your partner's employees (though they may be freelancers, or even staff supplied by a third party), and it seems logical to assume that, since they work for the partner, they have already agreed to the transfer of their data to you under the contract with your partner. But that is not so.

You do not know how well your partner has prepared its GDPR documentation: whether the employee's consent was obtained and freely given, or whether the processing of personal data was agreed in the contract with that employee. I very much doubt that you can fully rely on your partner here. Meanwhile, once it receives the data of the partner's employees, your company becomes at the very least a processor, i.e. it processes personal data for and on behalf of the controller. To avoid liability for breaching the GDPR, your company as processor should at a minimum act on the basis of your partner's documented instructions.

Your company will be a processor only if, under the contract with your partner, it receives clearly specified personal data of the partner's employees (for example, names and contact details) and uses it only for clearly specified purposes, such as communication by phone, e-mail or messenger while working on the project. If you decide to send those employees some marketing newsletter or a job offer, you automatically move into the "controller" category, with greater responsibility, because you yourself now determine the purposes and means of processing. (Keep the general test in mind: the roles of controller and processor depend on who decides the purposes and means of the processing, not on who received the data first. Where your company uses the partner's employees' contact details for its own purposes, such as managing the contractual relationship, it may well be an independent controller from the outset; in that case the processor contract described below does not fit, and you need your own legal basis and must comply with the Article 14 information duties towards those employees instead.)

In such situations I would recommend including in any contract with your partners a separate clause whereby the counterparty warrants that it complies with all rules on the handling of personal data of its employees or related persons applicable to it at its place of business, releases your company from any claims or lawsuits that may arise from any breach of applicable law in transferring the data to you, and undertakes to compensate you for such claims itself. A classic indemnity clause, but limited to personal data.

In practice, as soon as you include a clause releasing you from liability, your partner's lawyers will most likely want to strike it out. What then?

Document the transfer of personal data in accordance with the provisions of the Regulation, and it will be difficult for your partner to object.

For processing companies that receive data from their partners (controllers), the Regulation (Article 28(3)) lays down mandatory requirements for the content of the contract regarding the transferred data. In particular, you need to specify the subject-matter and duration of the processing, its nature and purpose, the types of personal data and categories of data subjects, and much more. If your company passes personal data on to a further (sub-)processor, the same data protection obligations must be imposed on it by contract (Article 28(4)).

If joint project work involves transferring personal data outside the European Union to third countries without an adequate level of personal data protection, Standard Contractual Clauses for the protection of personal data must be drawn up and signed (Article 46(2)(c) of the Regulation). Even if the partner does not ask for such a document, when transferring the data of European employees it is better to have a ready-made template and insist on signing it yourself. This will significantly reduce the risk of liability for processing personal data in breach of the GDPR.

The standard clauses adopted by the European Commission for controller-to-processor transfers, and separate clauses for controller-to-controller transfers, are published on the Commission's website. (Note that the clauses originally adopted under Directive 95/46/EC have since been replaced by the Commission's modular SCCs of 4 June 2021, Implementing Decision (EU) 2021/914; the old clauses can no longer be used for new transfers, and existing contracts had to be migrated to the new set by 27 December 2022.)

Steps taken prior to entering into a contract, at the request of the data subject


There must be a clear correlation here: the steps are taken in relation to the data subject himself, and it is he who requests them.

Example: a criminal-record check of a candidate whose position involves working with data of a high level of secrecy, where no job offer can be made without the check. The employer informs the candidate in advance, in the job description, that certain facts in his biography will be checked for criminal convictions, and the candidate, by sending his CV or otherwise, confirms that he agrees to such a check. (Keep in mind that data on criminal convictions and offences falls under Article 10 of the Regulation and may be processed only under the control of official authority or where Union or Member State law authorises it; the candidate's request alone is not enough, so check the national rules on pre-employment criminal-record checks.)

To obtain a proper, legitimate request from a candidate for the processing of his data, the candidate must be given, before processing begins, all the necessary information about the future processing, including how decisions will be made on its results. (See "Follow the procedure: first inform, then process" below.)

Freelancers: are they employees too?



Opinion 2/2017 recommends treating as employees not only those working under an employment contract but also freelancers, where the relationship with them is of an employment nature. This raises a difficulty.

What does an "employment relationship" with a freelancer mean, specifically in GDPR terms? Opinion 2/2017 does not answer this. I think we need to look at the context in which employees are mentioned in the Regulation: their inherent disadvantage vis-a-vis the employer, in that they cannot refuse to provide their data without the risk of not getting, or losing, the job or suffering other negative consequences. Following this logic, a freelancer can be equated to an employee where your company is his only source of orders. If the share of orders (and payments) from your company is small and the freelancer can choose whether to work with you and on what terms, he has more freedom to decide about his personal data, and in that case he can be treated as an independent contractor rather than an employee.

In any event, we will have to wait for practice in applying the GDPR to develop, or for the question to be addressed in the EU's so-called "soft law" (opinions and guidelines) or in national legislation.

Follow the procedure: first inform, then process


The data subject must be informed before processing. This is a general requirement of Article 13 of the Regulation. In every case (processing under a contract or prior to its conclusion, and also without a contract but on the basis of your company's legitimate interest), the data subject should receive the necessary minimum of information.

For employees, such information is best given together with the publication of the requirements for candidates for a vacancy. If a commercial contract is concluded with a freelancer, inform him before the contract is concluded or, as a last resort, at the same time as it is signed. Along with the other information listed in Article 13 of the Regulation, you must state whether the provision of personal data is an obligation of the future employee and what the consequences of a refusal to provide it may be.

Remember that the information must be as simple and accessible as possible. Do not bury it in the text of the main contract, where it can get lost; draw it up as a separate document, ideally dated the same day as the main contract.

Lyrical digression about hh.ru

I happened to notice that the Russian site hh.ru often posts European vacancies, and as I understand it candidates already in the EU may respond to them. On hh.ru I could not find how to withdraw a CV previously sent to a specific company. (Maybe it is somewhere else?) As I understand it, only a general route is available: restricting access to the CV in the visibility settings. But such an implementation, firstly, contradicts the principles of the GDPR: withdrawing consent should be as easy as giving it, i.e. one click of a button. And secondly, it does not oblige a company that has already received and saved the data (for example, as a printout) to destroy it. I think the service would need to amend its agreement with employers to provide for destruction of data on a candidate's automatic request through the hh website, or better still, create separate personal data processing procedures for candidates from the European Union.

These were the general requirements for processing personal data on the basis of a concluded contract, of steps taken at the data subject's request before concluding a contract, or of legitimate interest. Next, we briefly review the processing of personal data when recruiting employees, monitoring employees in the workplace and remotely, and monitoring presence at the workplace and/or time worked.

Data processing for recruiting (hiring) employees


Recruiters like to look at candidates' profiles on social networks; some even ask for links in questionnaires or CVs. When collecting data from social networks, your company needs to establish whether the profile is intended for personal or for professional use; the key here is its purpose. Be aware that even profiles open to public viewing cannot be used for recruiting or for assessing a candidate for employment unless this is directly related to the candidate's future role in your company or on a project.

Example: a candidate is hired as a public relations manager or as the chief executive, who is expected to shape the company's public image. In that case it may be justified to study the candidate's political preferences, his lack of ties to radical movements, or ambiguous public statements that could damage the company. Or the candidate is hired as a business development manager, and it may be justified for the employer to satisfy itself, before concluding the employment contract, that the candidate has an established network of business contacts.

Data processing during work and after termination of the contract


Social networks


General monitoring of the social network profiles of former employees is usually not acceptable. (Such monitoring might be carried out to check whether a former employee has breached a non-compete obligation for some period after leaving.) However, if the employer shows that this information cannot be obtained other than by viewing the profiles, the collection of data from social networks may be considered lawful. Here too the employee must be informed in advance that monitoring is being carried out.

Obviously it is better to give notice of the monitoring before the contract ends (ideally, before it is concluded). Otherwise the employee, on receiving the notice, will most likely simply delete all the information and contacts that compromise him.

Employees may not be required to use only a social network profile linked to the employer, even if such a duty follows from the nature of their work (a PR representative, a spokesperson, a client relations manager, etc.). In any case such employees should be able to keep a personal, non-public profile.

Installing electronic data processing tools (systems, applications) on networked work computers


This covers any systems and applications that in one form or another collect personal data and transmit them to the employer or to third parties. Installation requires the informed consent of the employee. Even an employee's own action of activating an application on his work machine, or granting access for remote installation of a system with default settings, will not count as consent to the installation. Since consent must be given by the user's own active action, only an installation in which the employee changes the default settings can be equated with an informed and free expression of his will.

When monitoring employees or their devices (including personal devices connected to the corporate network or Wi-Fi), the employer should have a Workplace Monitoring Policy that is easily and permanently accessible to, and understandable by, every employee, so that everyone clearly understands what will be used and for what purposes.

IMPORTANT! Do not follow the approach beloved of many Russian HR officers: on hiring, hand the employee a stack of instructions of a hundred or two hundred pages to read, then ask him to remember everything and take the documents away for good, and call that "informed". The policy must be easily available for review at any time.

The monitoring policy, like any other personal data processing (privacy) policy, should be reviewed regularly, reassessing how far the monitoring is necessary to satisfy the company's legitimate interests. To those who would like to pre-empt possible claims in the event of a conflict or an inspection, but are not ready to allocate many resources to this, I would recommend the following:


Instead of constantly monitoring employees, try to prevent unwanted behaviour. If blocking certain resources or sites achieves your goal, it is better to block employees' access to them than to monitor continuously. This is a general principle for the employer's interaction with employees recommended by Opinion 2/2017.

Example A from Opinion 2/2017: blanket blocking of all outgoing e-mails that could potentially leak data from the employer requires that the employee be informed of this (each time, before the message is sent), with the option not to send it. Otherwise there is a risk of exceeding the necessary interference with privacy and of incidental access to the employee's personal correspondence.

Example B from Opinion 2/2017: when cloud services are used to upload or edit work information, the employee needs to be given a private space. For example, a calendar may be used to record both work and private events (meetings, for instance), and the private entries should be kept out of the employer's view.

Example C from Opinion 2/2017: if, in order to prevent the risks associated with remote access to the employer's database, continuous monitoring of the remote employee's work computer cannot be dispensed with, it is recommended to prohibit the use of the work computer for private purposes altogether.

Monitoring of home-office and remote employees


Using technologies to track clicks, mouse movements and similar employee actions, taking screenshots (selectively or at regular intervals), collecting information about downloaded applications and when they were downloaded, collecting webcam data or recording the route an employee has travelled (hello to Amazon and the rest of the "Resident Evil" crowd!) is considered disproportionate. Such monitoring is likely to go beyond the employer's legitimate interests (paragraph 5.4.1 of Opinion 2/2017).

What can be recommended here?

First of all (however familiar this may sound), work out whether you need such monitoring at all. Secondly, define clearly (and document) what your legitimate interest consists of and, if possible, fix such monitoring in the existing contracts.

For example, the time a programmer will need for a project cannot be estimated in advance, and payment is based on the number of hours worked. Your customer insists on monitoring your employee's activity through screenshots, or tracks his actions on a cloud server. The customer's requirement for screenshots or server-side monitoring should be recorded in the contract with the customer (and likewise if working time is measured by any other time-tracking system). The employee working on that customer's project must also be notified of the monitoring in advance, and the contract with him must provide for the possibility of such monitoring.

Monitoring working time / presence at the workplace through an access control system


This is a favourite trick of many domestic companies, large and small: install an electronic turnstile and fine people for being a minute late, or enter such details in their personnel file. With your European employees this is almost always inadmissible.

Example from Opinion 2/2017: an access control system (date, time, holder of the access key) may be used to control access to particularly sensitive areas, for example a server room where important information is stored. But the data obtained may not be used to assess employees' performance (time of presence at or absence from the workplace).

Monitoring the "atmosphere of happiness" in the company


Observing employees' facial expressions with automated tools in order to detect deviations from predefined movement patterns is not allowed. Beyond the monitoring itself, the data from such observation can form the basis for profiling the employee and taking automated decisions about him. This is disproportionate to employees' rights and freedoms. As a general rule, the employer should refrain from using such facial recognition technologies, although certain exceptions to the general rule may be permitted.

(I assume exceptions are permissible where hazardous production is involved (are there any such plants left in Europe?) or for monitoring the fatigue of drivers and operators, as described in the article about Amazon linked above.)

Brief conclusions and recommendations:


  1. Draw up, as a separate document (or as part of the general personal data processing policy), a policy on the processing of employees' personal data, if your company monitors their data in any form. Familiarise employees with it and make it easily and freely accessible (to employees, of course).
  2. Keep documents confirming that you regularly (at least once a year) review your policy. It is advisable to make at least minimal changes each time.
  3. Document every case of personal data processing in the contracts concluded with employees. If anything changes (additional data starts to be collected, or the conditions for processing previously obtained data change), do not forget to draw up supplementary agreements with the employees.
  4. Prepare a template of Standard Contractual Clauses for the protection of personal data, to be signed when receiving the personal data of European employees if such data is transferred to a third country without an adequate level of protection (use the Commission's current 2021 SCCs rather than the set issued under Directive 95/46/EC).

Source: https://habr.com/ru/post/440318/