GDPR and Data Processing
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. It is a complex and wide-ranging piece of legislation but the key points are that the GDPR will give people greater control over how their personal data is used and provide them with the much-publicised ‘right to be forgotten’ (erasure).
This month, Simply-Docs has updated its contracts for employees with a GDPR-compliant data processing clause. After 25 May 2018, you should use contracts including this clause, as you will not be able to rely on the existing generic consent clauses. However, the good news is that you do not have to re-issue contracts simply to ensure GDPR compliance. Instead, current staff should be issued with a Privacy Notice to Staff document when the GDPR comes into effect on 25 May 2018. The Privacy Notice to Staff, along with a similar document for job applicants, will be added to the Simply-Docs GDPR suite of documents very shortly.
Under the GDPR, the ‘right to be forgotten’ provides individuals with the right to request the erasure of personal data concerning them. Individuals can require data to be erased when there is a problem with the underlying legality of the processing or where they withdraw consent. An individual can also require information to be erased if the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
If the employer has made the personal data public, it also has a duty to take reasonable steps to inform other data controllers that are processing the data that the individual has requested the erasure of the data and any links to or copies of it.
The GDPR states certain circumstances in which data controllers do not have to comply with a request for erasure of information. This might be, for instance, where processing of information is necessary for compliance with a legal obligation or defence of a legal claim, such as a potential tribunal claim. However, in these circumstances, the employer must stop processing the data for other purposes not covered by the particular justification.
The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.