GDPR compliance at work: how to inform employees of the data processing in place?

In an increasingly digitalised world, the protection of personal data has become a major concern for companies and employees alike. The application of the General Data Protection Regulation (GDPR) imposes on employers, and more particularly on Human Resources Directors (HRDs), the crucial obligation to provide fair information to employees about the data processing that concerns them. This obligation is not only a matter of legal compliance, but also a question of trust towards employees. Indeed, as the Cour de Cassation emphasised in a landmark ruling in 2018, clear and transparent information is essential to ensure that employees' rights are respected. This article will explore the specific requirements arising from this, while describing the information obligations imposed on HRDs and the key interpretations provided by case law. With a thorough understanding of these information obligations, HRDs will be able to ensure effective compliance and sound management of personal data in the workplace.

If you would like to engage a lawyer specialising in personal data law, contact me!

What are HRDs' information obligations under the GDPR?

HRDs face critical challenges regarding the provision of information to employees about the processing of personal data. Indeed, achieving compliance with the General Data Protection Regulation (GDPR) and Law No. 78-17 of 6 January 1978, as amended, imposes specific obligations that companies must observe in order to ensure the protection of their staff's data.

The main information obligations of HRDs include:

  • Transparency: Informing employees of the purposes of the data processing, the categories of data collected, the retention period and the recipients of the data.
  • Right of access: Employees must be informed of their rights, in particular the right to access their data and to request corrections.
  • Key features: This includes the purpose of the processing, the security measures put in place, and any data transfers outside the European Union.
  • Prior information: In accordance with Article L.1222-4 of the French Labour Code, employees must be informed in advance of any collection of personal information concerning them.

This obligation of fair information does not stop at a mere enumeration of obligations, but also entails the need for clear and accessible communication. It is crucial that HRDs ensure that the information provided is comprehensible and conveyed to employees on an ongoing basis, in order to avoid any defect of consent. A CNIL lawyer can assist companies in implementing these obligations.

These requirements of clarity and transparency take on their full meaning at the heart of the European provisions, which aim to strengthen employees' trust. Recognising employees' rights is therefore a fundamental pillar of the GDPR.

Finally, it is essential to point out that compliance is not measured solely through legal obligations, but also shapes the culture of a company that is attentive to respecting its staff's data. HRDs therefore have a strategic role to play in this regard, contributing to the creation of an environment of trust. This dynamic not only reinforces the legal framework, but also fosters a calm and respectful working climate.

Let us now consider how the Cour de Cassation has interpreted the notion of fairness in informing employees, and what implications this has for HRD practices.

How does the Cour de Cassation interpret the notion of fairness in informing employees?

The notion of fairness in informing employees is a fundamental concept that has been clarified by the Cour de Cassation through several judicial decisions. This notion entails an obligation to provide information that is not only accurate, but also clear and accessible, enabling employees to make informed decisions regarding their personal data.

In a major ruling in 2018, the Cour de Cassation emphasised that the information provided to employees must be proportionate to the risk associated with the processing of their data. This approach translates into the following elements:

  • Clarity of information: HRDs must ensure that information about data processing is explicit, thereby avoiding ambiguities that could undermine employees' consent.
  • Ease of access: Case law insists on the need for easy access to information concerning the processing carried out, which includes making available an HR charter or a dedicated document explaining the processing principles.
  • Risk assessment: HRDs are encouraged to assess and anticipate the potential risks associated with data collection, ensuring that each employee is informed of the implications of how their data will be used.

These elements reinforce the idea that fairly informing employees is not limited to providing minimal information, but entails an active commitment on the part of HRDs to ensure transparency. To this end, appointing a Data Protection Officer (DPO) can give employees a point of contact to whom they can put questions and from whom they can obtain clarifications regarding their data.

Case law also insists that HRDs must be proactive in updating the information provided, particularly in the event of changes to processing practices or to the purposes pursued. This dynamic not only ensures compliance with legal obligations, but also helps to establish a climate of trust between the employer and its employees.

Thus, the Cour de Cassation's interpretation with regard to fairness highlights the importance of effective and lasting communication. With this in mind, it is crucial to examine the concrete actions that HRDs can take in order to comply with these regulatory requirements.

What concrete actions must HRDs take to comply with the regulations?

To ensure effective compliance with the requirements established by the GDPR and the French Data Protection Act, Human Resources Departments (HRDs) must commit to a series of key actions. These actions are aimed not only at meeting information obligations, but also at establishing a climate of trust between the employer and the employees.

Here are the main actions to consider:

GDPR at work
The concrete actions for HRDs to comply with the regulations

| Action | Description |
|---|---|
| Comprehensive mapping of processing activities | Identify all ongoing data processing activities and ensure regular monitoring. |
| Record of processing activities | Include the essential details (purpose, security measures) and make it accessible to employees. |
| HR charter | Set out the features of the processing, post it on the intranet and incorporate it into the onboarding of new staff. |
| Staff training | Raise employees' awareness of their rights (access, rectification) so that they can exercise them. |
| Strengthening the employment contract | Incorporate amendments relating to data processing in order to ensure transparency. |

Provided for informational purposes only; does not constitute legal advice.

These actions should not be regarded as administrative formalities, but as an essential approach to fostering respectful management of employees' personal data. By establishing clear and transparent practices, HRDs can not only avoid sanctions in the event of non-compliance, but also strengthen loyalty and trust within the company.

In short, achieving compliance should not be perceived as a constraint, but rather as an opportunity to improve relationships within the organisation. It is through this dynamic that a genuine data protection culture can truly take shape, thereby ensuring greater respect for employees' rights regarding personal data.

To learn more

Must the employer inform employees of data processing?

Yes. The GDPR requires the employer, and in particular HRDs, to fairly inform employees of the processing of personal data that concerns them. This obligation is both a legal compliance requirement and a question of trust towards employees.

What information should be given to employees about their data?

The employer must provide clear and transparent information about the purposes of the processing, the data collected, its retention period and employees' rights. This transparency, required by the GDPR, ensures respect for employees' rights over their personal data.

What does case law say about informing employees?

The Cour de cassation emphasised, in a 2018 ruling, that clear and transparent information is essential to ensure respect for employees' rights. This case law clarifies the requirements weighing on the employer regarding information about data processing.

Why is informing employees a question of trust?

Beyond legal compliance, fairly informing employees about the use of their data strengthens trust within the company. A lack of transparency may, on the contrary, fuel distrust and expose the employer to challenges regarding the lawfulness of its processing.

Which data processing activities concern employees?

Numerous processing activities concern employees: payroll management, working time tracking, monitoring tools, video surveillance, HR data. Each must be the subject of appropriate information, as these processing activities directly affect employees' rights over their personal data.

What does an employer who fails to inform its employees risk?

A failure to fairly inform employees about data processing exposes the employer to a breach of the GDPR, liable to be sanctioned by the CNIL, and undermines the admissibility of certain monitoring measures. Transparency is therefore both an obligation and a protection.

How can an HRD ensure GDPR compliance?

The HRD must map the processing activities concerning employees, draft clear and accessible information, identify the appropriate legal bases and document compliance. A detailed understanding of information obligations makes it possible to secure the management of personal data in the workplace.

Is a lawyer useful for GDPR at work?

A lawyer specialising in personal data law helps HRDs structure the information provided to employees, secure HR processing activities and comply with case law. This support ensures effective compliance and limits the risks associated with data management within the company.
