The GDPR came into force on 25 May 2018, entailing new aspects in connection with the processing of employees’ personal data.
The employees’ personal data may be processed by employers if (i) the processing is necessary for the performance of the employment agreement, (ii) the processing is necessary for compliance with a legal obligation of the employer or (iii) the processing is necessary for the purposes of the legitimate interests pursued by the employer, except where such interests are overridden by the interests or fundamental rights and freedoms of the employees.
For specific cases where consent would meet the GDPR conditions, the same could also be used as a legal basis for processing employees’ personal data. Nevertheless, since the GDPR provides that Member State law or collective agreements should provide specific rules on the processing of employees' personal data and such local legal enactments have not yet been issued, it is not recommended that employees’ personal data to be processed on this legal basis at present, as it is difficult to demonstrate that consent was freely given, due to the dependency that results from the employer-employee relationship.
The personal data processing practices and rules still represent an on-going process and are expected to be further clarified in 2019.