How Does the GDPR Affect Company Employees?

in Business

Whoever you work for, you’ve probably heard about the General Data Protection Regulation (GDPR), especially if you have some responsibility for protecting client data.

However, as an employee, you are also classed as a data subject under the GDPR, and this means you have access and control over your employee data should you need it.

How GDPR Affects Employee Data

Many of the obligations that have been placed on employers by the GDPR follow the stipulations already laid down in the 1998 Data Protection Act. The rules under GDPR are as follows:

  1. Transparency: employees need to be informed as to how their data will be used
  2. Purpose limitation; employers can only process the data for the reasons stated above
  3. The data collected should be adequate and not excessive
  4. It should be kept accurate and up to date
  5. Employee data should be kept only as long as necessary
  6. It should be kept secure
  7. The employer is ultimately accountable for processing employee data

GDPR and the Employer/Employee Relationship

The key difference between the GDPR and its predecessor concerns the question of consent, and that has proved to be a bit of a sticking point. Under GDPR, any data subject has to give their explicit permission for their data to be used. For employers, there is a basic necessity to hold certain types of information; for instance, if they don’t hold an employee’s bank details, they can’t pay them.

Contract law never supersedes statutory law, so any clause in an employment contract that attempts to override GDPR would be null and void.

However, the regulations offer certain exceptions that address the relationship between employee and employer. Under chapter 6 of the GDPR, freely given consent is not required to hold employee information that:

  1. Is in the employer’s legitimate interests
  2. Is necessary to perform a contract
  3. Is necessary to fulfil a legal obligation
  4. Is there to protect the vital interests of the employee or other natural person
  5. Is necessary to perform any task carried out in the public interest

It’s clear that there’s a balance that protects both the employee and the employer; the employer can hold as much information as is necessary to run their business and employ staff, but the employee is protected from any abuse of their data.

Dismissal and GDPR: Reasons for Dismissal

So, where might this leave an employee being made redundant? First, we have to explore the reasons an employee might be forced to leave their work.

One reason might be redundancy, and the other might be dismissal, and it’s essential to understand the difference.

Dismissal will be for reason of the employee’s unsuitability for continued employment; for instance, continuing poor performance or a lack of capability for their role, or for disciplinary reasons.

In this case, there are certain rules that have to be followed: the dismissal cannot be wrongful, nor can it be unfair.

Wrongful dismissal is where the correct procedure has not been followed, such as breaching the terms of the contract by not giving notice or failing to follow contracted remedial procedures.  Unfair dismissal is where an employee has their contract ended without there being a fair reason.

Certain reasons for dismissal are automatically unfair, such as dismissal on the grounds of gender, race, religion, sexual orientation, trade union membership or pregnancy.

However, employees can also challenge a case at tribunal for other reasons: if the reason for dismissal is wrong; if it has been done out of malice, or if the employee has been singled out as a result of making a complaint.

Any organisation dismissing an employee will need to back up the dismissal with a paper trail demonstrating compliance with the law, and that is subject to the GDPR.

Redundancy is a different matter. Most employers make staff redundant to reduce headcount, restructure the organisation, or because job functions are no longer required.

In the latter case, employers are able to make an entire department redundant without having to follow a selection process.

In the case of reducing headcount, employers can make employees redundant based on a stated process: for instance, last in first out; performance at appraisal; voluntary redundancy, or selection based on disciplinary records.

However, there are a number of reasons for selecting individuals for redundancy that are automatically unlawful. It’s classed as unfair dismissal if an employee is made redundant on the grounds of sex, race, religion, age or marital status.

Employers are also not allowed to discriminate on the grounds of reasons such as union membership, lawful strike action, whistleblowing or working pattern. An exhaustive list can be found at:

Again, company and personnel records will need to show that the employer has acted fairly and within the law.

Taking a Wrongful or Unfair Dismissal Claim to Tribunal

Whether you’ve been dismissed or made redundant, your employer has a duty of care to make sure they follow the correct procedure, and that their reason for ending your contract is lawful. If you feel it isn’t, you may have a case for an employment tribunal.

Before taking it to tribunal, a case needs to be presented to the Advisory, Conciliation and Arbitration Service (ACAS). They will attempt to bring the matter to a satisfactory conclusion without court proceedings, as if your case fails, you may have to pay some of your employer’s court costs. If conciliation is unsuccessful, they will provide a certificate to enable you to progress to tribunal.

You have three months less one day from the date of your dismissal to lodge a case, and you will need to provide as much information as possible to support your case.

Making a Subject Access Request

If you have more than two years of service and you think you have been unfairly selected for redundancy over others, a Subject Access Request (SAR) will enable you to obtain any documentation your employer holds on you, including employment records and any internal emails between HR and your supervisors.

A subject access request redundancy can be made through Rightly to speed up the process; your employers will then have 30 days to provide the information, unless there are exceptional circumstances.

It’s essential that you stand up for your rights if your dismissal or redundancy is unlawful.

However, you need to put your case on the best footing, so make sure you have all the information that can help; many successful cases have been won by using an employer’s records against them, and any evidence of wrongful or unfair actions can be brought to light by using GDPR to your advantage.

Image Credits: Jai79

Like this article? Share with your friends!

We may earn a commission for purchases made through our links. Learn more.

Notify of

Inline Feedbacks
View all comments