The General Data Protection Regulations (GDPR) are set to be transposed into UK law by 25 May 2018. As part of these new changes, employees will gain a number of new/additional rights. The key ones are set out below:
Right to Access –
Employees can already request access to their personal information (commonly known as a “data subject access request”). This enables them to receive a copy of any personal information held by their employer and check it is being lawfully processed.
Right to Correction –
Employees will be able to require an employer to rectify inaccurate personal data they hold about them. The information must be amended without undue delay; it is currently envisaged an employer will have a month to comply with this request.
Right to be Forgotten –
Employees will now, in certain circumstances, have the right to request to be forgotten. Following a request to be forgotten an employer must erase the requested information, without delay, unless they are able to show the information is specifically exempt from being processed. If, for example, it is necessary for an employer to hold this information to ensure they comply with a legal obligation under EU or member state law then they would not be required to delete this information.
Object to Processing –
Employees can object to processing of their personal information where the employer is relying on a legitimate interest (or those of a third party) and there is something about their situation which makes them want to object to processing on this ground. They also have the right to object where the employer is processing personal information for direct marketing purposes.
Request the restriction of Processing –
Employees will be entitled to restrict the processing of their data under certain circumstances e.g. if the processing by an employer is unlawful. An employer can still continue to store the data but they will be unable to process it unless they:
- have the employee’s consent;
- are exercising or defending any legal claims;
- are protecting the rights of another or a legal entity; or
- have an important public interest reason for doing so.
Data Transfer –
This will allow employees to obtain a copy of personal data from an employer and transmit their personal data to another data controller (e.g. another employer) or have their personal data transmitted directly by the employer to another third party or employer.
It is important to note that the Data Protection Bill is still going through Parliament and therefore while it is expected the principals above will remain in substance, the detail of these rights may be altered.
For advice and assistance on how an employer should comply with their GDPR obligations contact James Monk on 0121 227 3366 or email firstname.lastname@example.org