What are my Rights as an Employee under GDPR?
Under GDPR, employees (as data subjects) have greater rights. These rights include but are not limited to the right to be forgotten; right to access; right to object to processing; right to be informed; and right to rectification.
Right to be forgotten:
GDPR introduces a new right for employees to require their employer to delete their personal data when:
- the data is no longer necessary for the purposes for which it was collected;
- the employee withdraws their consent to processing and the employer has no other legal grounds for processing it; or
- the employee objects to processing and the employer does not have a legitimate business reason for processing.
There is also an obligation on employers to take reasonable steps to inform third parties that the individual has exercised their right to be forgotten, and to request that they erase any links to, or copies of, personal data belonging to the employee.
This new right does not override everything and employers do not have to erase employee data that they require to comply with legal obligations or which is necessary to pursue or defend legal claims.
Right to access:
GDPR allows employees the right to access information that an employer holds on them.
If the employer is unable or unwilling to agree to the request, an employee could make a Subject Access Request. A subject access request should be in writing and include:
- full name, address and contact details;
- any information used by the organisation to identify the worker (account numbers, unique IDs, etc.); and
- details of the specific information required and any relevant dates.
The time limit for employers dealing with subject access requests is one month. Fees may only be required under GDPR if the requests are “manifestly unfounded or excessive”.
If an employer refuses a request, they must inform the individual within one month of why they have refused the request and that the individual has the right to complain to the supervisory authority and to a judicial remedy.
Right to object to processing:
This right applies in circumstances where an employer is relying on a legitimate business interest as the grounds for processing data.
In this instance, individuals have a right to object to such processing. When an objection is received, the employer must stop processing the personal data immediately, unless they can demonstrate:
- compelling legitimate grounds for the processing, which are sufficient to override the interests, rights and freedoms of the individual; or
- the processing is for the establishment, exercise or defence of legal claims.
Right to be informed:
This right encompasses an employer’s obligation to provide fair processing information, typically through the use of a Privacy Notice, and emphasises the need for transparency over how the employer uses personal data.
GDPR sets out the information that employers must supply to their employees and when the information must be supplied. The information supplied about how the employer intends to process personal data must be concise, transparent, intelligible and easily accessible and should be written in clear and plain language.
Right to rectification:
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If an employer has disclosed the incorrect personal data in question to third parties, they must also inform the third parties of the rectification where possible.
The employer must also inform the individual about the third parties to whom the data has been disclosed, where appropriate. If an employee submits a request for rectification, the employer must respond within one month. This can be extended by 2 months if the request is particularly complex.