On October 5, 2020, the Swedish Data Protection Authority, Datainspektionen, published its updated guidance on handling employee data under the GDPR.
Specifically, Datainspektionen’s guidelines focus on how employers, both public and private, should process personal information they collect from employees in accordance with the EU’s General Data Protection Regulation requirements.
What is Personal Data?
Under the GDPR, personal data is any information that can be linked to an identified or identifiable living person.
The following kinds of data, which can be collected and used to identify a specific individual, are also considered personal data under the EU’s General Data Protection Regulation:
- Home address
- Email address
- ID card number
- Location data (e.g. the location function of a smartphone)
- IP address
- A cookie ID
- The advertising identifier of your phone
- Information held by a hospital or doctor that can be used to uniquely identify an individual
- Biometric information
- Sexual preference
What is a Data Protection Authority (DPA)?
A DPA is an independent public body that oversees, through investigative and corrective authority, compliance with data protection laws such as the GDPR.
Each EU member state has a DPA whose responsibility is to give expert guidance on issues related to data protection and address complaints filed against violations of both the GDPR and relevant national regulations.
What is Data Processing under the GDPR?
Under the GDPR, data processing covers a variety of operations performed on personal information, whether by manual or automated means, such as:
- Disclosure by transfers
Accordingly, examples of personal data processing in the workplace include:
- Staff and payroll management
- Shredding documents holding personal information
- Using surveillance cameras (CCTV)
- Access to a contacts database containing personal data
What is the Importance of the Swedish DPA’s Employee Data Processing Guidelines?
In its press release, the Swedish DPA notes that personal data is essential in various employment contexts, such as managing salary registers and eligibility systems.
However, Datainspektionen also acknowledges that processing specific categories of personal information, such as biometric or health data, raises privacy concerns among employees.
For this reason, it is important to strike a reasonable balance between an employer’s need to process personal data and employees’ right to privacy.
Additionally, consent to the processing of specific kinds of personal information is special in the employment context, because an employee is in a dependent relationship with the employer.
This means that consent to the processing of their data is given under a different set of circumstances than in other contexts.
What Laws and Regulations Apply to the Processing of Employee Data in Sweden?
According to the Swedish DPA, employee personal data is subject to GDPR compliance requirements when it is collected and processed wholly or partly by automated means, or manually.
Other regulations that may apply to the processing of employee data include:
- Swedish labor law
- The Swedish Work Environment Authority’s guidelines and general advice
- Court decisions
- Collective agreements
Who is Responsible for Processing of Employee Data?
The employer is responsible for and must be able to demonstrate that the processing of employees’ personal data is executed in a legal and GDPR compliant way.
This means that the Swedish DPA considers the employer the data controller of employee personal information, because the employer determines what personal information is collected and how it is used.
If you decide to use a third party, such as a service provider, to process the data you collect in your company, you remain the party independently responsible for this processing.
It is important to be aware that you do not need a permit from Datainspektionen, the Swedish DPA, to process employee data, although there are exceptions for:
- Personal data collected through camera surveillance in specific cases
- Criminal information
Do I Need a Data Protection Officer (DPO) to Process Employee Data in the Workplace?
According to the Swedish DPA’s new employee data processing guidelines, you may appoint a DPO, and in specific circumstances having a DPO is an obligation under GDPR data processing requirements.
The role of the DPO in your organization is to:
- Assist the employer in complying with the GDPR and the Swedish Data Protection Ordinance by offering counsel and carrying out Data Protection Impact Assessments (DPIAs)
- Receive and address queries from employees regarding the employer’s processing of their personal information
- Inform employees of their rights in relation to the processing of their personal data
It is important to know that according to the Datainspektionen’s guidelines, you need to inform your employees if you appoint a DPO in the workplace.
What are the Swedish DPA’s Employee Data Processing Requirements?
If you process personal data, the Swedish DPA requires you to comply with the GDPR. The legal bases recognized by Datainspektionen as sufficient to legitimately process employee data are:
- Consent: you must receive consent from the data subject to process their data. However, the Swedish DPA acknowledges that in some cases it may be inappropriate or impossible to base the processing of employee data on their consent. The guidelines state that you should always consider whether you can base your processing on one of the other legal grounds before relying on consent.
- Contract: you can process employee data if the data subject has a contract, or is about to enter into a contract, with the employer, who is recognized as the data controller.
- Weighing of interests: you can process personal data without the data subject’s consent if your interests outweigh those of the data subject and the processing is necessary for the stated purpose.
- Legal obligation: your processing of employee data is legitimate if it is done to comply with laws and regulations that require you to process personal information in the execution of specific business functions.
- Exercise of official authority or task in the public interest: if you need to process personal data to perform specified duties as an authority, or to execute a task in the public interest, this legal basis ensures that your processing is GDPR compliant.
- Fundamental interest: this legal basis allows you to process employee data as long as the processing is needed to protect a data subject who is not in a position to give consent, e.g. if they are unconscious.
It is important to note that the Swedish DPA’s employee data processing guidelines are consistent with the six legal bases for handling personal data set out in the GDPR.
What Legal Bases Can Private Companies Apply to Comply with the Swedish DPA’s Employee Data Processing Guidelines?
Datainspektionen makes it clear that the main legal bases for companies or enterprises operating in the private sector to process the personal information of their staff are:
- Legal obligation
- Weighing of interests
What Legal Bases Can Public Sector Entities Use to Comply with the Swedish DPA’s Employee Data Processing Guidelines?
For authorities and other entities in the public sector, the main legal grounds for processing employee personal information are:
- Legal obligation
- Exercise of official authority or task in the public interest
It is important to note that authorities are not permitted to rely on the weighing of interests legal ground when performing their duties.
How Do I Comply with the Swedish DPA’s Employee Data Processing Guidelines?
You need to:
- Identify the legal grounds before processing employee data
- Document your choices and keep your data subjects informed
- Ensure that each purpose for which you process employee data is linked to a legal basis for that particular processing
- Ensure you process personal data only when it is necessary
- Always ensure compliance with GDPR data processing requirements
What about Processing Sensitive Personal Information?
According to the Swedish DPA, some categories of employee data are deemed so sensitive that processing them is prohibited as a general rule.
Where this type of personal information is involved, none of the legal bases described above is adequate on its own as a ground for processing it.