Everyone manages personal data

By: Trademagazin editor Date: 2017. 10. 27. 08:35

The General Data Protection Regulation (GDPR) of the European Union was adopted last year, but companies have until 25 May 2018 to change their data management procedures in accordance with the new rules. A detailed reading of the GDPR shows that each employer is a data manager and all employees are affected from a data management perspective, so the GDPR rules apply to employment. Although various laws already regulate data management related to employment, the GDPR contains special criteria. This means that companies must modify their internal processes and rules in accordance with the GDPR and make sure that employees are familiar with the new rules.

Dr. László Szűcs

lawyer

Réti, Antall és Társai Ügyvédi Iroda

The GDPR’s central element is that each individual has the right to informational self-determination. This right can only be limited in special cases, and even then only to the extent necessary. What is more, if such a limitation occurs, the person affected must be informed of the circumstances. The definition of personal data is rather wide, and in an employment situation the employer manages about 100 different pieces of personal data. Under the new rules, employers will have to be able to answer questions about how they manage the data, e.g. What was the purpose of data management? Why did they have to preserve the data for years? These questions already show that the only personal data that can be managed is the kind that the employer has the right to collect and manage. In the past many companies used employment contracts that included a section on how the company would manage data on the employee. This solution won’t work in the future: according to the GDPR, this type of general data management permission from the employee doesn’t qualify as a voluntary agreement.

As the first step of examining compliance with the GDPR, the employer has to check what kind of personal data they manage and for what reasons. The next step is filtering out data management for which the employer has no right. This task is practically impossible for many companies, as they don’t have the necessary knowledge or number of people to do it for data that has been collected over the course of decades. Until May 2018 companies must lay the foundations of the future by doing the necessary ‘paperwork’ and by performing process analysis and the related data security development. As part of this so-called paperwork, internal rules must be prepared for the management of all types of data. It must also be specified in detail what kind of legal remedy employees can seek.

Another complex task will be modifying data management processes so that only those employees who have a good reason for it have access to personal data. HR systems have been operated in a rather closed fashion so far, but access to employee data will be even more restricted in the future. This also means that changes will have to be made in the IT systems of companies. These days many companies outsource wage-related tasks. The GDPR allows this practice to continue, but according to the new rules, employees must be informed about this type of data management in much greater detail. One thing is for sure: the GDPR will make data management rules stricter and will create great organisational transparency.
