Storing and processing personal data are part of the daily work of HR teams and organizational supervisors. Just as a company takes care of the privacy of customer data, it also stores personal data of its own employees, which fall under data protection legislation. In this article, we will go through 10 questions and answers that HR teams should pay attention to when handling personal data.

The General Data Protection Regulation (GDPR) is an important law that regulates the processing of personal data. It has been applicable in all EU countries since 2018. The GDPR provides protection for employees’ personal data and provides them with more means to manage how their data is processed. According to the regulation, a company or organization is by definition the data controller and data custodian.

1. What kind of personal data about employees needs to be stored and processed?

From an HR perspective, storing personal data includes basic information about employees, such as name, address, date of birth, contact information, and social security number. Additionally, information about work history, salary, other employment-related data, and, if necessary, health data can be stored if needed.

2. On what basis does the company have the right to collect and process this personal data?

The processing of an employee’s personal data is often based on the fulfillment of an employment contract or a legal obligation, such as the company’s requirement to provide the employee’s salary information to national authorities. A separate consent from the employee for processing data may be required in some cases, such as when processing sensitive information or health data.

3. How to ensure that the collected personal data is accurate and up-to-date?

The accuracy and currency of data are of paramount importance. The employee is responsible for providing accurate information, and the company must offer the opportunity to update the data whenever needed. Regular checks, updates, and systematic data management help ensure the accuracy of the information.

4. What factors should be considered in protecting personal data and preventing misuse?

By default, personal data should only be accessible and processed by individuals within the organization who have the necessary rights and legitimate reasons for accessing the data. In addition to restricting access rights, it is important to use technical and organizational measures, such as centralized user account management, and provide training on secure handling of personal data to prevent misuse.

5. How long should personal data be retained?

Retention periods may vary for different types of personal data. The basic principle is that data should be retained only for as long as it is absolutely necessary to do so. Typically, employees’ personal data is retained during the employment period and necessary information is retained even after its termination to fulfill various legal obligations. It is important to check the current retention periods for different types of data based on legislation or professional recommendations on a case-by-case basis.

6. What rights do people have regarding the correction and deletion of personal data?

Data subjects have the right to access their personal data stored by the organization, correct inaccurate information, request the deletion of data, or restrict its processing. The company should establish processes to fulfill these rights and respond to data subjects’ requests in a timely manner.

7. Who oversees the control of personal data when a company has employees in multiple EU countries?

The lead supervisory authority oversees the control of personal data processing when a company has employees in multiple EU countries. This follows the principle of one-stop-shop, meaning that the company only needs to interact with one supervisory authority, which in turn cooperates with other supervisory authorities. For example, if the company’s main establishment is in Finland, the Finnish Data Protection Ombudsman serves as the lead supervisory authority.

8. How should potential security breaches or data breaches be handled?

It is advisable for a company to create a preparedness plan in advance for security breaches. If a company or its employee detects or suspects a data breach or security incident, immediate action should be taken to prevent the security breach, investigate the incident, make appropriate notifications to relevant parties, and, if necessary, report to the supervisory authority.

9. Is consent required for processing personal data such as an employee’s health information or other sensitive data?

Consent from the individual is required for processing health information and other sensitive data. Additionally, the processing of such data can be justified for employee healthcare, monitoring work capacity, or legal obligations.

10. What should be done with personal data when an employment relationship or agreement ends?

When an employment relationship ends, responsible individuals within the company ensure the proper deletion or archiving of personal data. This includes, for example, destroying or anonymizing unnecessary information and taking into account the rights of individuals regarding the retention of data. Many companies have defined clear task lists and procedures for handling an individual’s departure from the company.

While applicable legislation forms the foundation for storing and processing personal data in a company, it is important to establish clear operational processes and task lists to ensure that the processing of personal data is done correctly and to enable prompt response to potential issues.

How can HR teams leverage Zefort to meet the requirements of data protection legislation?

Zefort is widely used in various organizational departments, including company management, procurement teams, legal departments, and human resources. As a service solution, Zefort complies with GDPR requirements by storing data and documents within the EU. Zefort also holds an ISO 27001 certification, meeting strict requirements for maintaining information security.

Zefort is well-suited for HR needs in recruitment, onboarding of new employees, and offboarding. With Zefort Forms, HR teams can collect and maintain personal data and store employment contracts with attachments directly in Zefort throughout the different stages of employment.

With Zefort, there’s no need to collect information separately through emails, paper documents, or text messages, as data seamlessly stores in Zefort’s secure system. Moreover, the signing of employment contracts can conveniently be handled as part of the process.

Regarding data privacy, Zefort allows for limiting access and reading rights only to those individuals within the organization who need to process the specific personal data. Zefort’s Audit Log tool provides verifiable visibility into who has accessed or modified employee data.

With Zefort, HR teams and supervisors maintain control over employee data and its secure handling throughout the entire employment relationship.

Learn more about how Zefort can be used for HR teams’ needs.