TUPE and GDPR
The Simply-Docs suite of TUPE documents has been updated in line with the requirements of the General Data Protection Regulation (GDPR).
The GDPR requires employers to respect the rights of individuals when processing their personal information by complying with the 6 data protection principles, namely that:
1. Data should be processed fairly, lawfully and in a transparent manner.
2. Data should be obtained for specified and lawful purposes and not further processed in a manner incompatible with those purposes.
3. Data should be adequate, relevant and not excessive.
4. Data should be accurate and kept up to date.
5. Data should not be kept for longer than necessary.
6. Data should be kept secure.
One of the biggest GDPR issues facing employers in a situation where the Transfer of Undertakings (Protection of Employment) Regulations (TUPE) applies is in respect of the disclosure of Employee Liability Information (ELI).
Under TUPE, the transferor (e.g. the seller or current service provider) is required to provide the transferee (e.g. the buyer or new service provider) with certain Employee Liability Information prior to completion of the transfer, including personal data about the age and dates of birth of the employees, their terms and conditions of employment and information about any disciplinary and grievance procedures in the previous two years. As there is a legal obligation to provide this information, data protection rules will not prevent the employer passing it on without anonymisation.
However, wherever practicable, the transferor should ensure that information about employees is anonymised before it is passed to the transferee. This is because, whilst employee liability information is useful to the transferee, it is unlikely to comprise all information that will be required in relation to the transferring employees. Further information may also be requested as part of a due diligence exercise, including details of, for example, sickness absence or maternity leave, and it can be difficult to keep track of what is protected as employee liability information and what is not. Provided that individual employees cannot be identified, GDPR will not apply, and so it is sensible to avoid potential data protection breach issues by anonymising all employee data from the outset. The simplest way to anonymise employee data is to refer to each employee by a number and use that number code throughout the whole due diligence process.
In the event that an employer decides not to anonymise personal data provided as part of the disclosure of employee liability information, the employer should provide the affected employees with a privacy notice informing them that it is transferring their personal data to the transferee.
Under the GDPR, employers should be aware that they could be subject to significant fines for a data breach and for failure to follow the data protection principles above. They may also be subject to direct claims for compensation by individuals who have suffered damage as a result of a GDPR breach, and so great care is needed in respect of the transfer of employee liability information. All of the Simply-Docs documents relating to the transfer of employee liability information under TUPE reinforce the requirement to comply with current data protection regulations.
The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.