Employee Privacy / Data Protection in the Benelux

Post on 06-Mar-2018

Page 1: Employee Privacy / Data Protection in the Beneluxcdn.loyensloeff.com/.../employee-privacy-data-protection-in-the... · 3 Table of contents 1 The EU Data Protection Directive 5 2 Employee

Employee Privacy / Data Protection in the Benelux


Introduction

Many activities routinely performed by employers in the employment context entail the processing of personal data of employees. This is for example the case when processing payroll or employee records, but also when monitoring workers’ email or internet access. Generally, such processing will fall within the scope of the data protection legislation which means that employers have to comply with strict rules and regulations. This brochure provides an overview of the most important data protection rules that apply in Belgium, Luxembourg and the Netherlands with a focus on HR issues and employee privacy in relation to transactions. Although the legislation in all three countries is an implementation of EU Directive 95/46, there are differences in the concrete translation of the directive and the application by the data protection authority in each country.


Table of contents

1 The EU Data Protection Directive 5
2 Employee privacy in Belgium 7
2.1 General principles 7
2.2 HR Issues/Sharing Employee Data 8
2.3 Employee Privacy and Transactions 9
3 Employee privacy in Luxembourg 10
3.1 General principles 10
3.2 HR Issues/Sharing Employee Data 12
3.3 Employee Privacy and Transactions 15
4 Employee privacy in the Netherlands 16
4.1 General principles 16
4.2 HR Issues/Sharing Employee Data 18
4.3 Employee Privacy and Transactions 20
5 Safe Harbour regime 21


1. The EU Data Protection Directive

At the European Community level, there are no Directives relating specifically to data protection in the employment context. The matter is governed more generally by the EU Data Protection Directive (also known as Directive 95/46/EC) on the protection of individuals with regard to the processing of personal data and the free movement of such data (“the Directive”).

Key concepts

For the purposes of the Directive ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’).

‘Processing of personal data’ (‘processing’) is a broad concept. It means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

The Directive applies to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.

Data protection principles

The data controller must ensure that personal data are processed fairly and lawfully (the legality principle) and collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (the finality principle).

Personal data must further be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed (the proportionality and relevance principles).

Personal data must be accurate and, where necessary, kept up to date (the data quality principle). Every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified. Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.


Legitimacy of the processing

Under the Directive personal employment data may be processed only if:

• the data subject has unambiguously given his consent; or
• processing is necessary for the performance of the employment contract; or
• processing is necessary for compliance with a legal obligation to which the controller is subject; or
• processing is necessary in order to protect the vital interests of the data subject; or
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
• processing fulfils the so-called “interest balance test”, i.e. the processing is necessary for the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject.

Transparency - Data subject participation and control

The Directive allows an active involvement of the data subject, who has the right:

• to obtain from the controller information on the identity of the controller, the purposes of the processing and who receives the data;
• to know whether his personal data is processed and the logic behind this processing, as well as to have access to the data;
• to object to certain processing of personal data or to demand the rectification, erasure or blocking of the data;
• not to be subject to decisions based on automated decision making.


2. Employee privacy in Belgium

2.1 General principles

What privacy rules apply in Belgium to protect employee data?

The Belgian Data Protection Act of 8 December 1992 contains very few specific provisions on employment data. A Royal Decree of 13 February 2001 provides some exceptions to the obligation of notification to the Belgian Privacy Commission for payroll and employee administration processes. Both exceptions are interpreted restrictively by the Privacy Commission.

As regards sensitive data (below) an exception to the prohibition to process applies if the processing is necessary to carry out the obligations and specific rights of the controller in the field of employment or social security law. Again this exception is interpreted restrictively.

What is considered private (or sensitive personal) data in Belgium?

• Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, as well as data concerning sex life;
• Health-related personal data; and
• Personal data relating to litigation that has been submitted to courts and tribunals as well as to administrative judicial bodies, relating to suspicions, prosecutions or convictions in matters of crime, administrative sanctions or security measures.

What is the penalty for breaching these rules?

• Fines up to EUR 600,000.00.
• Entire or partial publication of the judgment in one or more newspapers.
• Seizure of the media containing the personal data to which the offence relates.
• A prohibition to manage any processing of personal data, directly or through an intermediary, for a maximum of two years.

Are there any restrictions on keeping employee records?

There are no explicit restrictions, so the general rules of adequacy, relevance and proportionality apply. Generally speaking, claims resulting from the employment relationship become statute barred five years after the termination of the employment contract, which makes it difficult to defend keeping records beyond this time. Yet claims relating to the work-place pension for example may in some cases still be introduced within a year after retirement, which may justify extended retention of this type of records.


2.2 HR Issues/Sharing Employee Data

Are there any restrictions on monitoring employees in Belgium? (For example in the context of investigating alleged misconduct)

Yes. National Collective Bargaining Agreement No. 81 (CBA No. 81) allows employers to monitor the use of e-mail and the Internet during working hours, provided that a number of conditions are met, as follows:

• The monitoring should serve one of the purposes defined by the agreement. These purposes are limited by CBA No. 81 to the following:
(1) the prevention of wrongful or defamatory acts;
(2) the protection of the company’s economic and financial interests;
(3) the security and proper functioning of the company’s IT network; or
(4) ensuring employee compliance with the company’s IT policy.
• The monitoring should be proportional to its purposes.
• Prior to implementing the monitoring, all employees concerned should be informed collectively (through their representative bodies) and individually of the fact that monitoring may occur and for what purposes.

Yet even if some of these conditions are not complied with, evidence obtained through unlawful monitoring is in certain cases still accepted by the courts.

Do employees have access to the data held about them, what rules apply?

In execution of article 10 of the Privacy Act, any data subject has the right to obtain from the controller:

• information on whether or not data relating to him is being processed, as well as information regarding the purposes of the processing, the categories of data the processing relates to, and the categories of recipients the data is disclosed to; and

• communication of the data being processed in an intelligible form, as well as of any available source information.

To obtain the information the data subject must submit a signed and dated request to the controller who shall communicate the information without delay, at the very latest forty-five days after receipt of the request.

In employment situations, the right of access is almost never used, mostly because it is not well known among employment law practitioners.

Are there any restrictions on sharing employee data with third party service providers (for example payroll providers or pension administrators)?

The general principles and restrictions of Directive 95/46 EC apply.


Are there any restrictions on transferring data overseas?

The general principles and restrictions of Directive 95/46 EC apply. If the transfer relies on a contract based on the European Commission’s standard contractual clauses, a copy of the contract should be sent to the Privacy Commission in order for the latter to check whether it is identical to the European Commission’s standard contractual clauses. Moreover, the processing needs to be notified in the Privacy Commission’s public register, except if it relates to an exception established in the rules on notification.

2.3 Employee Privacy and Transactions

What employee data can be shared with a potential buyer before a transaction is signed?

The question is not explicitly addressed in the Belgian Privacy Act, but it is generally considered that this type of processing should be allowed on the grounds of article 5, f of the Act (“promotion of the legitimate interests of the controller”).

The general rules of adequacy, relevance and proportionality apply. Information should only be disclosed on a need-to-know basis and redacted in such a way that the employees cannot be identified. Working in phases, where more sensitive information is only disclosed to the potential buyer after a preliminary selection (e.g. in a bidding process), is also recommended to ensure proportionality.

What is the usual practice in Belgium for disclosing employee data in a data room?

Awareness of this issue is still fairly limited in Belgium, with sellers disclosing large amounts of information that is either not anonymised at all or anonymised in such a way that the individual is still identifiable.

An exception is the information regarding senior management, which is often only disclosed in the later stages of the transaction.

Do any special rules apply to sharing employee data in the context of a transaction?

No (see above).

To our knowledge, the Belgian Privacy Commission has not taken position on the matter either.

Are there any restrictions on transferring employee data when a sale is complete?

No, once the sale is complete, the buyer has a legitimate interest in receiving all relevant employment data.

Particular attention should be paid to the transferring of data to the parent company overseas (see above).


3. Employee privacy in Luxembourg

3.1 General principles

What privacy rules apply in Luxembourg to protect employee data?

The Data Protection Act of 2002 (Loi modifiée du 2 août 2002 relative à la protection des personnes à l’égard du traitement des données à caractère personnel; “2002 Law”) implements the European Data Protection Directive (95/46 EC). There are only a few provisions which specifically apply to employee data.

The processing of employee data for monitoring reasons is also regulated in Articles L. 261-1 and L. 261-2 of the Labour Code.

The 2002 Law does not clarify the matter of employee consent and simply states that the data subject’s consent is one of the legitimate grounds for processing of personal data.

There is discussion in Luxembourg as to whether an employee’s consent may be considered a valid ground for processing personal data. Due to the inequality of position between employers and employees, it is possible that the employee’s consent may be considered as not having been freely given.

If the processing is done for the purpose of monitoring employees it must be based on one of the justification grounds that are enumerated in the Labour Code (e.g. the protection of the employees) and employee consent is not sufficient to permit such monitoring.

Employers must also respect the secrecy of private correspondence (which applies to email) as provided by the Law of 11 August 1982.

What is considered private (or sensitive personal) data in Luxembourg?

Sensitive personal data is defined as personal data concerning religious or philosophical beliefs, racial or ethnic origin, political opinion, health including genetic data, sex life and trade union membership. In principle, it is prohibited to process this data, unless an exemption applies, for example where processing is necessary for the purposes of carrying out the obligations and specific rights of the data controller in the field of employment law in so far as it is authorised by law.


What is the penalty for breaching these rules?

• The processing of data in breach of the 2002 Law is a criminal offence which can be punished by 8 days to 1 year of imprisonment and/or 251 to 125,000 EUR fine.

• Failing to respect confidentiality and security measures provided by the 2002 Law is also a criminal offence and punishable by 8 days to 6 months imprisonment and/or a 251 to 125,000 EUR fine.

• The Luxembourg National Commission for Data Protection (the “National Commission”) may also take certain administrative sanctions:
  • The National Commission can admonish the data controller if s/he does not respect the security requirements.
  • The National Commission can also lock, delete or destroy data that is processed without respect of the legal requirements. The National Commission can prohibit (temporarily or definitively) the processing of data that is processed without respect of the legal requirements and impose publication of this decision.
  • The National Commission has the power to conduct investigations regarding compliance with the 2002 Law on its own initiative and on the request of data subjects, if their access to their personal data is limited by the statutory provisions.

Are there any restrictions on keeping employee records?

In principle, personal data should be kept only as long as it is necessary for the purpose for which it was collected and processed.

With regard to personal data gathered in the context of monitoring of employees, restrictions are imposed by the National Commission in the decision in which it authorises this processing.

General statutory retention obligations also apply. For example, personal data that was gathered and processed for the purpose of establishing salaries shall be retained for a period of 3 years.


3.2 HR Issues/Sharing Employee Data

Are there any restrictions on monitoring employees in Luxembourg? (For example in the context of investigating alleged misconduct)

Employee monitoring is strictly regulated in Luxembourg and an employer can only carry out such monitoring if it is necessary for one of the reasons provided for by the Labour Code, i.e.:

• the protection of the workers’ health and safety;
• the protection of the business property;
• the monitoring of the production process carried out by machines;
• temporary monitoring of production or of employee performance if it constitutes the only means to determine the precise salary of the employee; and
• in the context of work organisation of flexible working hours.

Prior to the processing, the processing has to be authorised by the National Commission. The implementation of monitoring measures also requires approval of the joint works council prior to the request to the National Commission, if the reason for the monitoring is the protection of the employees’ health and safety, the temporary control of production/services made by employees when such measure is the only way to determine their precise remuneration, or the context of work organisation in the case of flexible working hours.

If the authorisation is granted, the employer has to inform the employees that they are being or might be monitored. The employer also has to inform the joint works council and if it does not exist the staff delegation and if it does not exist the Labour and Mines Inspectorate.

The monitoring can only be used for the purposes for which it was authorised, the use of the data thus obtained for other purposes is illegal (for example, if the employer uses the images from the monitoring, that was authorised to protect access to the building, in order to verify the presence of the employees at work).

Do employees have access to the data held about them, what rules apply?

A data subject notably has the right to obtain freely, at reasonable intervals and without excessive waiting periods, the following:

• access to data concerning him/her;
• confirmation as to whether or not data relating to him/her is being processed and information at least as to the purposes of the processing, the categories of data concerned and the recipients or categories of recipients to whom the data is disclosed;
• disclosure to him/her in an intelligible form of the data undergoing processing and of any available information as to its source.

He/she also has the right to request that this data is corrected, deleted or blocked in the event that it is inaccurate, incomplete or processed contrary to the law.


Are there any restrictions on sharing employee data with third party service providers (for example payroll providers or pension administrators)?

Sharing of personal data with third party service providers is possible but the controller remains responsible for the use of the data by the third party.

The controller has to choose a third party that can guarantee the security of the obtained data.

Furthermore, processing by a third party has to be performed in the context of a contract which clearly states that the third party only acts according to the instructions given by the data controller.

Are there any restrictions on transferring data overseas?

Personal data can only be transferred to a third country if that third country ensures an ‘adequate level of protection’ of personal data.

The controller has to examine the level of protection of personal data in the relevant third country before transferring the data. There is no exception for a transfer of personal data between entities within the same group.

In case of doubt whether the level of protection is adequate, the controller has to inform the National Commission, which then investigates the matter.

It should be noted that personal data may in principle be transferred to recipient entities in countries which do not provide an adequate protection if the entity concerned has adhered to the Safe Harbour scheme or has signed model contractual clauses based on the clauses provided by the European Commission. However, following the recent decision of the European Court of Justice the Safe Harbour scheme is currently being re-evaluated.

A transfer of personal data to a country that does not provide for an adequate level of protection is also allowed in certain specified cases, for example with the consent of the data subject (please see the points above on employee consent). Where an exception is not available, it is possible to request a prior authorisation for such data transfer from the National Commission.


3.3 Employee Privacy and Transactions

What employee data can be shared with a potential buyer before a transaction is signed?

Only personal data that is necessary for the legitimate purpose of the potential buyer can be transferred.

In principle sensitive personal data cannot be shared with a potential buyer.

What is the usual practice in Luxembourg for disclosing employee data in a data room?

In Luxembourg the personal data of the employees is often anonymised when data is disclosed in a data room e.g. redacted employment contracts and anonymised staff lists.

Do any special rules apply to sharing employee data in the context of a transaction?

No specific rules apply to sharing employee data in the context of a transaction. The general data protection rules set out in the 2002 Law apply.

Are there any restrictions on transferring employee data when a sale is complete?

The transfer of personnel files to the new employer should be communicated to the employees by the transferring employer. Furthermore, the transferring employer must ensure that no more employee data are transferred than necessary.

If the potential buyer is located outside the EU, the data can only be transferred if the requirements for transferring data overseas are met (see above).


4. Employee privacy in the Netherlands

4.1 General principles

What privacy rules apply in the Netherlands to protect employee data?

The Dutch Data Protection Act of 2001 (Wet bescherming persoonsgegevens; “WBP”) is an implementation of the European Data Protection Directive (95/46 EC). There are only a few provisions which specifically apply to employee data. Furthermore, the Exemption Decree of 2001 provides that the processing of personnel files and payroll records are exempted from the notification requirement to the supervising authority, the Dutch DPA, provided that the processing meets the specific requirements as set forth in the Exemption Decree.

In the Netherlands, an employee’s consent is (generally) not considered a valid ground for processing personal data as it is not considered freely given, in light of the unequal balance of power between employers and employees. Therefore, the processing of employee data must usually be based on one of the other grounds for justification provided for by the WBP (e.g. the legitimate interest of the employer).

What is considered private (or sensitive personal) data in the Netherlands?

Sensitive personal data is data about religious or philosophical beliefs, racial origin, political opinion, health, sex life and trade union membership. It also includes data about criminal behaviour and personal data on unlawful or objectionable behaviour in relation to an injunction imposed with regard to such behaviour.

It is prohibited to process sensitive personal data, unless a specific or general exemption applies. It is, for example, allowed to process personal data about health if (i) it is necessary for the reintegration of sick or incapacitated employees; or (ii) if a collective labour agreement or a statutory regulation requires this. In general, however, the exemptions will not likely apply to processing of personal data in an employment context.


What is the penalty for breaching these rules?

Currently, the Dutch DPA can impose a fine of EUR 4,500 in case the data controller has violated his obligation to notify the processing of personal data. None of the other obligations under the DDPA are sanctioned with regulatory fines.

However, as of 1 January 2016 the Dutch DPA may impose an administrative fine amounting to EUR 810,000 or 10% of the worldwide annual turnover in the event the requirements provided in the WBP are violated. Furthermore, as of 1 January 2016, data controllers will be required to immediately notify the Dutch DPA of any data security breaches that have or are likely to have serious adverse consequences for the protection of personal data. In addition, data controllers will be required to notify affected individuals if the personal data breach is likely to adversely affect them, unless the compromised data is encrypted or otherwise unintelligible to third parties.

The Dutch DPA also has the power to conduct investigations regarding compliance with the WBP on its own initiative and on the request of interested parties such as data subjects. In the event the Dutch DPA is of the opinion that the WBP is violated, it can force compliance by means of an order for periodic penalty payments or by means of an administrative order. Also, certain obligations of the WBP can be sanctioned with penal fines up to a maximum of EUR 8,100 or EUR 20,250 or a prison sentence of up to a maximum of six months (if the violation was deliberate).

Employees can seek compensation for (financial) damages if the company violates the WBP.

Are there any restrictions on keeping employee records?

Standard types of employee records (e.g. payroll records and employee administration) should, in principle, be kept no longer than 2 years after termination of the employment, provided that all requirements as set forth in the Exemption Decree are met. The data may need to be kept longer in cases where this is necessary to fulfil other legal retention duties, such as on the basis of the Dutch Civil Code and the Dutch State Tax Act, or for defending legal claims. However, if the personal data are kept longer than indicated in the Exemption Decree, the processing must be notified to the Dutch Data Protection Authority.


4.2 HR Issues/Sharing Employee Data

Are there any restrictions on monitoring employees in the Netherlands? (For example in the context of investigating alleged misconduct)

Employers can monitor the use of email and internet or use camera surveillance as long as this is in accordance with the WBP, i.e.: the employer must have a justified interest that makes the measure essential and outweighs the privacy of the employees involved; the same goal cannot be reached with a less intrusive system or measure; the processing should be notified to the Dutch DPA prior to the processing (certain types of monitoring are however exempt from the notification obligation); the employer has informed employees that they are being or might be monitored, etc.

Covert monitoring is subject to stricter rules: there has to be a serious suspicion that employees are doing something that is illegal or prohibited and prior approval from the Dutch DPA is required. The prior investigation of the Dutch DPA can take up to 24 weeks.

Furthermore, implementing or amending regulations relating to the supervision and monitoring of employees require the prior approval of the Works Council.

Do employees have access to the data held about them, what rules apply?

A data subject has the right, freely and at reasonable intervals, to request the data controller to inform him/her as to whether personal data relating to him/her are being processed (i.e. the right of access) and to have the said data corrected, supplemented, deleted or blocked in the event that they are inaccurate, incomplete or irrelevant to the purpose or purposes of the processing, or processed contrary to the law.

Are there any restrictions on sharing employee data with third party service providers (for example payroll providers or pension administrators)?

A transfer of personal data is considered as a ‘processing of personal data’, which means that the transfer must meet the general requirements as set forth in the WBP (e.g., a transfer of personal data must be based on a legitimate ground for processing provided for by the WBP, the employee concerned should be adequately informed about the fact that their personal data are transferred, etc.).


Are there any restrictions on transferring data overseas?

Personal data can only be transferred to a third country if that third country ensures an ‘adequate level of protection’ for the personal data. There is no exception for a transfer of personal data between entities within the same group. For instance, the US is currently not considered to be a country that provides such level of protection and, hence, it is in principle not allowed to transfer personal data to the US (unless the receiving organisation is ‘Safe Harbour certified’). However, the WBP provides for certain exemptions to this prohibition.

A transfer of personal data to a country that does not provide for an adequate level of protection (such as the US and India) is allowed if (among others): (i) the data subjects have given their unambiguous consent thereto (please refer to the comments above on employees’ consent); (ii) the transfer of personal data is necessary for the execution of an agreement between the data controller and the data subject; or (iii) the party that discloses the information enters into a data transfer agreement with the non-EU party that receives the personal data (based upon the unmodified standard contractual clauses approved by the European Commission).


4.3 Employee Privacy and Transactions

What employee data can be shared with a potential buyer before a transaction is signed?

It is generally considered that this type of processing can be based on the legitimate interest of the employer and is therefore permissible. However, the employer must still comply with the rules of the WBP.

The Dutch DPA’s position is that personal data must be anonymised as, generally, personal data is not necessary for the due diligence investigation. Sharing non-anonymised data will only be necessary in limited cases and is only allowed under the following conditions:

• the potential buyer must show that it is necessary to disclose the identity of a particular employee;
• the employer should provide the potential buyer with no more personal data than necessary for the legitimate purpose of the potential buyer; and
• the group of persons that have access to the employee data should be restricted as much as possible. In principle, only the legal advisors of the potential buyer conducting the actual due diligence investigation should have access to the employee data. The management of the potential buyer should only be provided with the end result of the due diligence investigation (for example, that an employee is under investigation for serious fraud or that three employees filed a claim for damages due to a workplace accident). Only in exceptional cases can personal data be provided to the potential buyer (for example, in the event a contract with a certain star performer expires).

Furthermore, the basic assumption is that sensitive personal data (e.g. sickness absence) cannot be shared at all with a potential buyer.

What is the usual practice in the Netherlands for disclosing employee data in a data room?

In the Netherlands, awareness of this issue is still fairly limited. Sellers usually disclose information without anonymising the personal data.

Do any special rules apply to sharing employee data in the context of a transaction?

No, see reply above.

Are there any restrictions on transferring employee data when a sale is complete?

The transfer of personnel files to the new employer should be clearly communicated to the employees by the transferring employer. Furthermore, the transferring employer must ensure that no more employee data are transferred than necessary. That means that the transferring employer must clean up the personnel files, especially with respect to sensitive employee data.

If the potential buyer is located outside the EU, the data can only be transferred if the requirements for transferring data overseas are met (see above).


5 Safe Harbour regime

Thousands of European and US companies rely on Safe Harbour certification in order to legally transfer personal data from the EEA to the US. At this moment, over 4,500 US companies are Safe Harbour certified. Many other EU-based companies use Safe Harbour certified service providers. In its judgment of 6 October 2015, the EU Court of Justice:

• declared the decision of the European Commission establishing the ‘adequacy’ of the Safe Harbour certification system for EEA-US data transfers invalid; and
• expressly confirmed that national data protection authorities may still investigate a complaint alleging that a third country does not ensure an adequate level of personal data protection and, where appropriate, suspend/prohibit the transfer of that data, notwithstanding any adequacy finding by the European Commission.

This judgment has far-reaching consequences for anyone in the EEA transferring personal data to the US based on Safe Harbour. Not only will a US entity’s Safe Harbour certification cease to be a valid legal basis for data exports to the US, data exports to other non-EEA countries (considered by the European Commission to have an adequate level of protection) will also be susceptible to scrutiny by the national data protection authorities.

The adoption of Binding Corporate Rules (intra-group only) and/or the conclusion of standard data transfer agreements with data receivers are alternatives worth considering.

It still remains to be seen how the political actors will respond to the judgment of the CJEU, and whether or not a transitional regime or grace period will be adopted. It is, in any case, expected that a new ‘adequacy’ regime will be part of the ongoing data protection negotiations between the EU institutions and the US government, which has now become more necessary than ever.


For more information about this publication, please contact:

Belgium

Filip Saelens

T +32 2 773 23 29

E [email protected]

Marga Caproni

T +32 2 743 43 51

E [email protected]

Luxembourg

Annie Elfassi

T +352 466 230 480

E [email protected]

Emilia Fronczak

T +352 466 230 308

E [email protected]


The Netherlands

Hermine Voûte

T +31 20 578 59 75

E [email protected]

Klaas Wiersma

T +31 20 578 59 60

E [email protected]

Disclaimer

Although this publication has been compiled with great care, Loyens & Loeff CVBA/SCRL and all other entities, partnerships, persons and practices trading under the name ‘Loyens & Loeff’, cannot accept any liability for the consequences of making use of this issue without their cooperation. The information provided is intended as general information and cannot be regarded as advice.


www.loyensloeff.com

Amsterdam

Arnhem

Brussels

Dubai

Hong Kong

London

Luxembourg

New York

Paris

Rotterdam

Singapore

Tokyo

Zurich

15-10-EN

-EP

DP