What information must employers supply to employees about the processing of their personal data under the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) requires employers to provide employees (and other data subjects, such as job applicants) with an information notice, also known as a privacy notice or fair processing notice, setting out specified information about the processing of their personal data. The employer must provide this notice when it collects personal data from the employee and, before processing begins, whenever it intends to use that personal data for a new purpose. The information that the employer must provide under the GDPR is significantly more detailed than that currently required under the Data Protection Act 1998.

Under the GDPR, the employer's privacy notice must include:

  • the identity and contact details of the employer as the data controller;
  • the contact details of the data protection officer (DPO), if the organisation has one;
  • the purposes for which the data will be processed and the legal bases for processing;
  • where the legal basis for processing is the legitimate interests of the employer or a third party, the legitimate interests relied on;
  • the recipients, or categories of recipients, of the data, if any;
  • details of any transfer of the data outside the European Economic Area and the relevant safeguards in place;
  • the period for which the data will be stored, or if it is not possible to specify the retention period, the criteria used to determine the period;
  • the data subject's rights to request access to, rectification of, or erasure of their data; to request restriction of processing; and to object to processing;
  • the right to data portability;
  • where the legal basis for processing is consent, the right to withdraw consent at any time;
  • the right to lodge a complaint with the supervisory authority;
  • whether or not the provision of personal data is a statutory or contractual requirement, and the possible consequences of failure to provide the data; and
  • the existence of any automated decision-making, including profiling, together with meaningful information about the logic involved and the significance and envisaged consequences for the data subject.

Where the data was not obtained directly from the employee, the employer must also state the categories of personal data to be processed and the source from which the data was obtained, including whether it came from publicly accessible sources.

The GDPR will come into effect on 25 May 2018.