As an employer, it is important to store your employees’ data properly. In doing so, you are obliged to keep personnel records of employees’ personal data. When storing such data, the Privacy Act General Data Protection Regulation (AVG) and the Implementation Act General Data Protection Regulation (UAVG) must be taken into account. The AVG imposes obligations on the employer in connection with the processing of personal data. Through this checklist, you will know whether your personnel files comply with the requirements.
- What data may be processed in a personnel file?
The main rule that is followed is that only data necessary for the purpose of the personnel file may be included: the proper performance of the employment contract with the employee.
In any case, ‘ordinary’ personal data will be kept such as:
- Name;
- Address;
- Date of birth;
- Copy of passport/identity card;
- BSN number
- Signed employment contract including terms and conditions of employment and annexes;
- Employee performance and development data, such as appraisal reports.
Employers may choose to expand the personnel file to include other data such as personal notes of the employer, a record of absenteeism, complaints, warnings, records of interviews et cetera.
As an employer, it is important to update this data regularly to pursue correctness and accuracy in relation to legal retention periods.
- When may ‘ordinary’ personal data be processed in a personnel file?
An employer must consider when and what ‘ordinary’ personal data may be stored in the personnel file. Under Article 6 AVG, employers can store ‘ordinary’ personal data in the personnel file through 6 reasons. These reasons include:
- The employee has given consent to the processing;
- Processing is necessary for execution of employee (employment) agreement;
- The processing is necessary because of a legal obligation incumbent on the employer (such as paying taxes and contributions);
- Processing is necessary to protect the vital interests of the employee or another natural person (an example plays when acute danger is imminent but the employee is mentally incapable of giving consent);
- Processing is necessary for public interest/public order;
- Processing is necessary to satisfy the legitimate interests of the employer or third party (except where the interests of the employee outweigh the legitimate interests of the employer).
- What data should not be processed in a personnel file?
Besides the ‘normal’ data that are included in the file, there are also data that (normally) should not be included because they are particularly sensitive in nature. These are the ‘special’ data and include:
- Beliefs;
- Sexual orientation;
- Race or ethnicity;
- Medical data (including when provided voluntarily by employee).
‘Special’ data may only be stored under the AVG in 10 exceptions. The main 3 exceptions are as follows:
- The employee has given explicit consent to the processing;
- You process personal data that the employee himself has purposefully disclosed;
- The processing is necessary for an overriding public interest (a Dutch legal basis is required to invoke this).
- Personnel file security measures
Who is allowed to see the personnel file?
The personnel file may only be viewed by persons for whom access is necessary to perform work. These persons include, for example, the employer and employees of the HR department. The employee himself/herself also has the right to see his/her personnel file and amend incorrect information.
Security requirements for the file
Besides this, it is important to take into account that the AVG imposes requirements on the digital or paper storage of personnel files. As an employer, you are obliged to take measures to protect employee privacy. The file must therefore be protected against cybercrime, unauthorised access, modification or deletion.
- Staff file retention period
The AVG states that personal data may be kept for a limited period. Some data is subject to a statutory retention period. For other data, the employer is required to set time limits for erasure or periodic review of the accuracy of the data. The AVG states that reasonable measures must be taken to ensure that inaccurate data is kept on file.
Want to know more about staff file retention periods? Then read our blog employee file retention periods.
Does your personnel file meet the requirements listed above? Then chances are it is AVG compliant.
If, after reading this blog, you still have questions about a personnel file or about the AVG, please contact us. Our employment lawyers will be happy to help you!