Pursuant to the General Data Protection Regulation (GDPR), each employer has the obligation to proactively inform employees about the processing of their personal data. An employer who collects, stores or uses personal data, must inform the employees from whom such data are processed about the existence and the purpose of the processing. The employer can comply with this obligation by providing information in a privacy statement.
Would you like to receive a model privacy statement free of charge and without obligation? Please contact us via the following link.
The reason behind the obligation to provide information
The obligation to provide information is an important means to enable employees to call the employer to account for the processing. In addition, the obligation to provide information helps the employee to exercise his or her rights. These rights include the right to access, rectification, erasure, limitation of the processing, object, data portability, withdraw his or her permission and the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
Privacy statement checklist
The employer can comply with the GDPR obligation to provide information by providing information in a privacy statement. The privacy statement must contain information about:
- The identity and contact details of the employer;
- The purpose and the legal basis of the processing of personal data. In the event that the legal basis is derived from the ‘legitimate interest’ of the employer, this interest must be described;
- Other organisations that process personal data in the context of the employment relationship (for instance the occupational health and safety service (arbodienst) and the salary administration);
- The retention periods;
- The rights of employees and how they can be exercised;
- The indication whether the provision of personal data is a statutory or contractual obligation, or a requirement necessary to enter into an employment contract, as well as whether the employee is obliged to provide the personal data and of the possible consequences of failure to provide such data;
- The contact details of the Data Protection Officer (if the employer has such an officer);
- The possible transfer of personal data outside Europe and the appropriate safeguards for the transfer taken by the employer;
- The existence of any automated decision-making, the underlying logic, the importance and the expected consequences of that processing for the employee;
- In the event that the employer has not obtained the personal data from the employee himself: which personal data it concerns and how they have been obtained.
In the event that the personal data have been obtained from others than the employee, these data must be provided to the employee within one month after obtaining them. That period is shorter if the data are used to contact the employee or if the data are transferred to another person. In that event, the information must be provided at the moment of contacting.
Would you like to receive a model privacy statement free of charge and without obligation or would you like to know more about the GDPR obligation to provide information? Please contact us via the following link or call us on +31 (0)20 344 61 00.