Employee Data Protection Policy Template

Employee Data Protection Policy (GDPR Compatible)


From 25th May 2018 the General Data Protection Regulation (GDPR) will be in force and data protection is at the top of everyone’s agenda. The GDPR expands on the current regime established by the Data Protection Act 1998, setting out a number of important principles governing how personal data is collected, held, and processed by organisations. 

This Employee Data Protection Policy has been reviewed and comprehensively updated in relation to the GDPR.

Our Data Protection Policy sets out the rights of data subjects and the obligations of an employer in its capacity as a data controller under the GDPR, and describes a number of organisational and procedural measures to help ensure compliance.

The provisions of this policy are highly detailed, aiming to reproduce key parts of the GDPR in order to assist in the GDPR learning process throughout your business. Nevertheless, please note that training remains essential and that all personnel handling personal data within your business should be fully aware of the GDPR and its principles, as well as the procedures in place within your business.

The language used in this Employee Data Protection Policy limits its context and applicability to personal data relating to employees. For a more general data protection policy (for customer data, for example), please refer to our GDPR Data Protection Policy, available in the Business document folder. 

This document is designed for business use only, and certain provisions of the GDPR relating to public authorities and other official bodies have not been fully incorporated. Please also note that this is a “living document” and will be reviewed as more best practice and official guidance on the GDPR becomes established.

Optional phrases / clauses are enclosed in square brackets. These should be read carefully and selected so as to be compatible with one another. Unused options should be removed from the document.

This Employee Data Protection Policy contains the following provisions:

1. Introduction

2. The Data Protection Principles

3. The Rights of Data Subjects

4. Lawful, Fair, and Transparent Data Processing

5. Specified, Explicit, and Legitimate Purposes

6. Adequate, Relevant, and Limited Data Processing

7. Accuracy of Data and Keeping Data Up-to-Date

8. Data Retention

9. Secure Processing

10. Accountability and Record-Keeping

11. Data Protection Impact Assessments

12. Keeping Data Subjects Informed

13. Data Subject Access

14. Rectification of Personal Data

15. Erasure of Personal Data

16. Restriction of Personal Data Processing

17. [Data Portability]

18. Objections to Data Processing

19. [Automated Decision-Making]

20. [Profiling]

21. Personal Data

22. Health Records

23. Benefits

24. [Trade Unions]

25. Employee Monitoring

26. Data Security - Transferring Personal Data and Communications

27. Data Security - Storage

28. Data Security - Disposal

29. Data Security - Use of Personal Data

30. Data Security - IT Security

31. Organisational Measures

32. Transferring Personal Data to a Country Outside the EEA

33. Data Breach Notification

34. Implementation of Policy
