As you will be aware, the General Data Protection Regulation (GDPR) came into force on 25 May 2018. If you employ staff, you will have to give them detailed information on the data that you hold on them and how you process it.
Some of the things that you should inform your staff of are:
- the name and contact details of the person, within your business, who is the Data Controller
- the name and contact details of your appointed representative (if you have one)
- the name and contact details of your Data Protection Officer
- what data you hold on your employees and how you process it
- the legal basis or bases for that processing
- the name of any third party that you share their data with
- how many years you will hold this data
Your employees have legal rights of access to this data, rectification, erasure, restriction of processing, objection and data portability. They also have the right to lodge a complaint about your data processing with the Information Commissioner’s Office (ICO).
The above information should be provided to staff in a privacy notice. This should be made available either at the point you collect their personal data or before you do so, not afterwards.