Gruia Dufaut

GDPR AT WORK – YOUR PERSONAL DATA PROCESSING BY YOUR EMPLOYER

Last updated: 19 December 2019


Enforcement of the European Regulation on personal data processing (GDPR) by employers in their relationship with employees puts emphasis on companies’ liability with respect to the collection, processing and storage of personal data.

The main challenges to be managed by companies would be protecting their IT networks against IT fraud and, most importantly, increasing awareness of the extent to which employees’ personal data is processed, by limiting it to what is necessary for the purposes for which the data is processed. Any excess would result in infringement of the main principles of the European Regulation.

Before presenting the list of obligations incumbent upon companies with respect to the work relationship, allow us to remind you that personal data is any information leading to the direct or indirect identification of a natural person, in particular by reference to an identifier such as a name, personal identification number (Romanian CNP), mobile phone number, etc.

EMPLOYER’S OBLIGATIONS

Contrary to what you may think, all companies employing personnel are automatically and compulsorily processing personal data, which is why implementing a series of basic measures, such as the following, becomes necessary:



  • Analysis of internal and external storage of employees’ personal data (servers, cloud, IT service providers, etc.);

  • Keeping a registry of all personal data collected and processing activities performed;

  • Limiting personal data processing to what is necessary for the activity of the company;

  • Implementing identification and authentication means for the employees (establish password management procedures and restrict access to sensitive files);

  • Appointing, as the case may be, a personal data protection officer.


Personal data processing in the employment context is a legal obligation resulting either from the execution of the employment contract or from a legal interest of the employer.

Furthermore, personal data processing might also become necessary when defending a right or an interest before a court of law.

The employer is bound to assume a series of obligations towards the employee when it comes to processing their personal data, as follows:

1. INFORM the employee, either by means of a note or by specific provisions under Internal Company Policies, not only with respect to the type of data collected, the purposes and the duration of the storage, but also about the identity of the potential recipients in case of such data transfer. Special attention must be paid to personal data transfer outside the EU (for example, data transferred from a subsidiary to a parent company headquartered outside the EU);
2. ENSURE accuracy of the data by means of rigorous processing and constant updating;
3. MINIMISE data processing to what is necessary in relation to the purposes for which the data is processed;
4. CONSULT with the employees’ representatives with regard to the installation of monitoring equipment (for example, video cameras or email monitoring), an obligation also under Law 190/2018 on personal data protection;
5. RESPECT employees’ private life. This means, for example, limiting monitoring of the Internet search history on the computer provided by the employer as a working tool, as well as limiting GPS monitoring of personal trips made in the work car outside working hours;
6. LIMIT DISCLOSURE of the employee’s personal data to third parties. Such disclosure can be entailed by a legal obligation, fulfillment of an obligation under a contract or a legitimate interest of the employer. Furthermore, pursuant to the Labor Code, processing of an employee’s data is allowed only after the employee has been informed, and it is limited to the activities performed and for as long as the employee is employed;
7. TRAIN the employees who are involved in processing employees’ personal data. Such employees must master the internal procedures and legal provisions applicable to personal data processing;
8. ENSURE SECURITY of the employees’ personal data (provide a confidentiality clause and sanctions in the employment agreement; for example, any failure to observe the procedures and instructions implemented by the employer shall be a disciplinary offence that may result in a disciplinary sanction, dismissal included).

EMPLOYEES’ MONITORING SYSTEMS

Law no. 190/2018 sets forth the conditions to be complied with for the use of monitoring systems (video monitoring, etc.), such as:

  • The reasons justifying the use of such monitoring systems must be directly connected with the employer’s business (for example, keeping professional secrecy), which prevails over the employee’s rights;

  • Employees have been informed about the existence of such monitoring systems prior to their installation;

  • The union or the employees’ representatives have been consulted prior to their installation;

  • The employer has researched and produced proof that such a monitoring system would be the best choice in terms of effectiveness and the least intrusive means of achieving the intended purpose;

  • Storage of personal data collected by means of such monitoring systems shall not exceed 30 days; this period may be extended where the law so provides or in well-grounded cases.


The main measures above must be implemented, failing which the competent authorities may impose penalties in case of an inspection or of a security breach affecting personal data security.

Under the GDPR, the range of penalties depends on the offence. Still, it should be noted that such a sanction might reach 4% of the annual turnover.
