GDPR and employment contracts: pitfalls to avoid


Most people associate the GDPR with websites and e-mail, maybe with the Internet on the whole. But where it can really come back to bite you is offline, in a place as inconspicuous as employment contracts.

This chunk of legalese is most likely not part of your standard employment contract:

Employers are legally required by the GDPR’s Article 13 to inform their employees of a number of things relating to the use of personal data. They include:

  • The identity of the person responsible for processing their personal data
  • That person's contact details
  • The time period for which their personal data will be kept
  • Their right to have that data erased under certain conditions
  • That they, if relevant, can withdraw their consent to the use of their personal data
  • That they have the right to complain to a state watchdog authority
  • The extent to which they are required to divulge their personal data

Now, some of this obviously seems commonsensical. So commonsensical in fact that you would think, why make such a fuss?

But be warned. The GDPR, in this case, is a thing to be reckoned with. If you fail to include these points in your employment contract, you are opening yourself up to complaints of all kinds, not least the oldest one of all: a disgruntled former colleague taking the chance to get back at you.

The EU's love for paperwork goes well beyond this little list: employees also have to be informed about any automated processing of their data, be it for statistical purposes, profiling, modelling and the like.

Obvious? Doesn't matter. You need to spell it out, or risk being fined

Whether or not you see any of this as self-evident or important at all unfortunately doesn’t matter. If the above isn’t part of your employment contracts, or isn’t stipulated in your privacy notice, and the employee has been required to share any personal data, they can go straight to the Data Protection Inspectorate and file a complaint.

It gets even more complicated. Article 14 of the GDPR states that wherever you hold on to an individual’s personal data, but did not receive this data directly from them, you must tell them so.

An example. Imagine you're collecting information about applicants for an open position in your business. If you keep information you did not get from the applicants themselves, taken from LinkedIn profiles, say, or from something you came across googling an applicant's name, you need to let the applicant know.

On top of that, the same logic applies here as in Article 13 discussed earlier. You need to give the individual all the information they may need to access, restrict or remove their personal information from wherever you're keeping it. The same applies to the period for which the information is kept, and so on. Full disclosure.

If you don’t follow this rule, again, anyone affected can file a complaint with the DPI simply because you failed to tell them all that.

Legal requirements continue anywhere you conduct background checks with or without the consent of an applicant or employee, or in fact any individual at all you may be looking into. However superficial the procedure, data protection regulations must be observed. The processed data must be accurate, consistent with the purpose for which it was collected, and so on.

Another tripwire is the question of how long an individual’s information is kept, the so-called “data retention period”. For many of our clients this has been a headache in the past, because not only is there the requirement to delete personal data at some point, but in some cases it actually has to be kept for a minimum time period.

An example here is a discrimination claim under Estonia’s Equal Treatment Act. Any person who finds their rights have been violated needs to submit their claim within a year of the moment they realised that damage was done. This means that the company in question then has to hold on to all the relevant data for at least a year in case e.g. an applicant for an open position does submit such a complaint.

Changes are legally binding, not just a precaution

These are just three examples. In most situations, this all seems rather abstract. But today's hyperconnected world is changing standard legal texts and agreements, such as the employment contract, and that is what we are looking at here.

So be careful. This isn't just sound advice, it is an absolute legal requirement these days. Make sure you are compliant and include these personal data references in your standard contracts as soon as possible to avoid having to deal with complaints.

If you have any questions, or if you need help with that, we are at your disposal. You can write to advocate Mari Anne Valberg at Glikman Alvin LEVIN or call us on +372 686 0000.
