Retention of Employee Data
As employers are only too aware, the General Data Protection Regulation (GDPR) came into effect on 25 May 2018 and, this month, Simply-Docs has continued the process of reviewing and updating its documents to ensure that they are GDPR-compliant.
One of the key features of the
Under GDPR, the requirements relating to the retention of personal data are very similar to those which applied under the Data Protection Act. As before, it is a key requirement that personal data should only be retained for as long as there is a clear business need for it, and that it should be securely destroyed (for instance, by shredding) after that period has passed. In addition, employers must provide employees – new and current – with a Privacy Notice, which explains when they collect personal data from them and provides information about how the data will be processed. This must include the period for which the data will be stored or, if that is not possible, the criteria used to determine the storage period.
Employers can retain personal data relating to former employees only if one of the specified legal bases for processing applies. For example, retention for a certain period may be required for tax purposes, in which case the legal basis under the GDPR would be that it is necessary for compliance with a legal obligation.
Former employees can ask an employer to delete any personal data it holds about them and, in certain circumstances, the employer must comply with requests to delete such personal data (e.g. if the data is no longer necessary in relation to the purposes for which it was collected or processed).
The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.