The Simply-Docs suite of TUPE documents has been updated in line with the
requirements of the General Data Protection Regulation (GDPR).
The GDPR requires employers to respect the rights of individuals when
processing their personal information by complying with the 6 data
protection principles, that:
1. Data should be processed fairly, lawfully and in a transparent manner.
2. Data should be obtained for specified and lawful purposes and not
further processed in a manner incompatible with those purposes.
3. Data should be adequate, relevant and not excessive.
4. Data should be accurate and kept up to date.
5. Data should not be kept for longer than necessary.
6. Data should be kept secure.
One of the biggest GDPR issues facing employers in a situation where the
Transfer of Undertakings (Protection of Employment) Regulations (TUPE)
applies is in respect of the disclosure of Employee Liability Information
Under TUPE, the transferor (e.g. the seller or current service provider) is
required to provide the transferee (e.g. the buyer or new service provider)
with certain Employee Liability Information prior to completion of the
transfer, including personal data about the age and dates of birth of the
employees, their terms and conditions of employment and information about
any disciplinary and grievance procedures in the previous two years. As
there is a legal obligation to provide this information, data protection
rules will not prevent the employer passing it on without anonymisation.
However, wherever practicable, the transferor should ensure that
information about employees is anonymised before it is passed to the
transferee. This is because, whilst employee liability information is
useful to the transferee, it is unlikely to comprise all information that
will be required in relation to the transferring employees. Further
information may also be requested as part of a due diligence exercise,
including details of, for example, sickness absence or maternity leave and
it can be difficult to keep track of what is protected as employee
liability information and what is not. Provided that individual employees
cannot be identified, GDPR will not apply and so it is sensible to avoid
potential data protection breach issues by anonymising all employee data
from the outset. The simplest way to anonymise employee data is to refer to
each employee by a number and use that number code throughout the whole due
In the event that an employer decides not to anonymise personal data
provided as part of the disclosure of employee liability information, the
employer should provide the affected employees with a privacy notice
informing them that it is transferring their personal data to the
Under the GDPR, employers should be aware that they could be subject to
significant fines for data breach and failure to follow the data protection
principles above. They may also be subject to direct claims for
compensation by individuals who have suffered damage as a result of a GDPR
breach and so great care is needed in respect of the transfer of employee
liability information. All of the Simply-Docs documents relating to the
transfer of employee liability information under TUPE reinforce the
requirement to comply with current data protection regulations.
The contents of this Newsletter are for reference purposes only and do not constitute
legal advice. Independent legal advice should be sought in relation to any specific