By Marcus Hoy
EU employers should adopt policies on how long they will keep information on former employees to ensure compliance with the bloc’s new privacy regime, privacy attorneys told Bloomberg Law.
Companies will need to take into account both limitations on retaining personal data set out in the EU General Data Protection Regulation, which takes effect May 25, 2018, and legitimate legal needs to hold on to information on former employees long after they leave the company.
The GDPR doesn’t set specific time limits on how long companies may retain data on individuals no longer in their employ. But the Article 29 Working Party of privacy officials from the 28 EU member countries issued an opinion with guidance on new obligations under the GDPR that stated former employee data should only be stored for the “minimum amount of time needed.” Companies should specify a fixed retention period and delete information on former employees “whenever it is no longer needed,” the group said.
Given the absence of specific data retention rules in the GDPR or from the guidance, companies should look to data retention laws in the EU countries where they operate, and to laws that govern employment issues such as discrimination, taxes, or payroll, to determine whether limits on how long a matter can be challenged with a lawsuit may provide benchmarks for justifying data retention, privacy attorneys said.
“It is appropriate to retain former employees’ personal data up to the expiry of the statute of limitation period provided by local laws,” Giulio Coraggio, head of DLA Piper’s technology sector practice in Italy, told Bloomberg Law.
The relevant statutory limitation periods vary across the 28 EU member countries, making the need to tailor specific data retention policies an even more complex undertaking.
The GDPR requires companies that control the collection and use of personal data to set limits on data retention whenever possible.
“Employers, as data controllers, must be clear about the length of time for which employment records are retained and also why that information is being retained,” Michelle Ryan, an employment attorney at Ronan Daly Jermyn in Cork, Ireland, told Bloomberg Law.
Companies should avoid a blanket data retention period policy, but shouldn’t shy away from coming up with written policies that cover specific situations, as the GDPR includes new requirements that companies document their privacy and data security compliance efforts.
Company policies should allow retention for periods tailored to specific kinds of data retained for specific needs, such as defending a particular type of claim, Stephanie Creed, an employment attorney at Taylor Wessing LLP in London, told Bloomberg Law.
Employers will need to be able to justify their data retention decisions, Creed said. Employers should identify the data they collect and store, the purpose for which it was collected and retained, and the period for which they intend to retain it, she said.
If the data of former employees may need to be retained for a long time, there are security protocols companies can employ.
“The level of access within the company should be considerably restricted to avoid misuse,” Coraggio said. Encrypting such data and giving the key to unlock the data to an independent third party, “such as a public notary who is instructed to decrypt data only upon request from a competent court,” can safeguard against misuse, Coraggio said.
It is unlikely that EU-level officials will provide any more detailed data retention guidance given the differences in statutes of limitations across the bloc, Ryan said. Companies may get only general country-level guidance on data retention periods under the forthcoming GDPR.
The Confederation of Danish Industry recently told its business members that under the GDPR, Danish companies would likely be justified in retaining personal information for up to five years. But “if there is a legitimate purpose for retaining the data, then it can be retained,” the group said.
The Danish privacy office intends to release new guidance on handling personal information in the workplace in February 2018, Astrid Mavrogenis, head of department at the Danish data protection office, told Bloomberg Law.
But neighboring country privacy regulators don’t have specific plans for new guidance on storing workplace data.
“We’ve had only a few cases referring to the length of time employee data is retained, and do not think we will see more after the GDPR takes effect,” Bjorn Erik Thon, director of the Norwegian privacy office, told Bloomberg Law. The office has no plans to release new guidance on workplace data retention, he said. “Storage for a given period, up to several years, is okay as long as the data is relevant.”
Finland is examining whether any changes to its special workplace data privacy law are needed because of the GDPR, Finland Data Protection Ombudsman Reijo Aarnio told Bloomberg Law.
Sweden hasn’t taken any specific position on retention of employee data under the GDPR, a spokesperson with the Swedish Data Protection Authority told Bloomberg Law.
To contact the reporter on this story: Marcus Hoy in Copenhagen at firstname.lastname@example.org
To contact the editor responsible for this story: Donald Aplin at email@example.com
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.