Employee Data Processing Agreement
1. The customer shall have the right, after consultation with the supplier, to carry out inspections or to have them carried out by an auditor on a case-by-case basis. The customer has the right to ensure compliance with this agreement by the supplier in its activities through random checks that must be announced in due time. With regard to processing, this term is also broad and includes the collection, storage, recording, collection, organization, modification, consultation, use, disclosure or other making available of personal data of staff. In principle, if you collect personal data from an employee, you are a subcontractor. There is a number of GDPR compliance data regarding HR data, unlike compliance obligations for customer or supplier data, i.e. Business-to-Customer (B2C) or business-to-business (B2B) that make GDPR/HR compliance extremely difficult for employers. There are a few. Consent v. Legitimate interest One of the fundamental principles of the GDPR is that a data subject, i.e. a member of staff, must consent to the processing of personal data. Consent requires that the data subject be fully informed of the nature and extent of the processing, including a full understanding of how the information is processed, used and transferred to other bodies. While many guidelines have been published on how companies can get the agreement of customers and suppliers, guidelines have also been issued, pointing out that it is in principle impossible for workers to give voluntary consent to their employer so that the employer can collect, process and/or transfer their HR data due to the unequal bargaining power between employers and workers.
In the absence of consent, there are only a number of other ways to process data by an employer, which are identified in the GDPR as a “legitimate basis”, some of which are relevant: (1) for the performance of an employment contract; (2) the performance of legal obligations; and (3) to promote a legitimate interest of the employer. One of the problems with the employment contract allowance is that very few employees have “employment contracts”, given that most employees are “atwill” and most guidelines, including eligibility for medical and other benefits, are a matter of policy. However, this allowance would apply to contracts, including collective agreements, which contain conditions of payment, leave, discipline and all the conditions expressly defined in the contract. The “legal obligation” is also quite narrow, as the legal obligation must be based on an EU law and not on a US law. 6.1. The processor will ensure that all members of the processor`s staff who are necessary to access the personal data are required to comply with the obligation of confidentiality provided for in the agreement or to be subject to a legal obligation of confidentiality. 7.2 The processor shall provide the data controller with appropriate cooperation so that the data controller can carry out any data protection impact assessment that it is required to carry out under current data protection legislation. (ii) where the transmission is a sensitive category of data, see section 3.3, the data subject has been or will be informed, before the transmission or as soon as possible, that his or her data could be transmitted to a third country which does not offer adequate protection within the meaning of data protection legislation. Employees, contractors, representatives, customers and other data subjects, on behalf of the customer, who have access to and should use TimeTac systems, collectively referred to as “users”.. . .