Transferring personnel data

Sometimes it is necessary for you as an employer to transfer (provide) personnel data to other organisations or people within or outside your own organisation. However, your employees have given their information in confidence. That is why you are not allowed to simply transfer their personnel data. On this page you can read what the rules are.

Conditions for transferring personnel data

If you, as an employer, want to transfer personnel data, you must adhere to the following conditions from the General Data Protection Regulation (GDPR):

  • You may only transfer personnel data in a manner that is lawful, fair and transparent to your employees. Note: in concrete terms, ‘transparent’ means that you inform your employees about their data being transferred.
  • The personnel data that you want to transfer must have been collected for a specific and legitimate purpose, which you have described in detail.
  • The transfer of personnel data must have a legal basis.
  • The transfer of personnel data must be compatible with the purpose for which these data were collected. For example, if companies ask you for personnel data so they can send advertisements to your employees, you are not allowed to respond to that.

Basis for transferring personnel data

As an employer, you need a legal basis under the GDPR to transfer personnel data. The GDPR sets out 6 possible legal bases. When transferring personnel data, these 3 legal bases are the most obvious:

  • it is necessary for the performance of a contract;
  • there is a statutory obligation to provide data;
  • the employee has given their consent.

Performance of a contract

You may transfer employee data if this is necessary to perform a contract between that employee and you, such as the employment contract. For example, if the employee is given a lease car, you transfer the details of this employee to the leasing company.

Statutory obligation

You may be obliged by law to transfer certain personnel data. For example, you are obliged:

  • to transfer to the Tax and Customs Administration all data that are important for tax purposes;
  • to report a long-term sick employee to the Employee Insurance Agency (Dutch: UWV);
  • to transfer certain data about an employee who is a suspect in criminal cases.

Consent

If you plan to transfer personnel data although this is not necessary, you can ask your employees for consent. You must clearly explain to your employees what the consent is for and what the consequences are if they give their consent.

If an employee does not give their consent, this should not have any negative consequences for them. Employees may withdraw their consent at any time. From that moment on, you may no longer transfer their personnel data.

Role of the works council in transferring personnel data

If you intend to transfer personnel data, you must discuss this with the works council first. The works council has a legal right of consent to proposed disclosures of personnel data. This means you are not allowed to establish, change or withdraw a regulation for transferring personnel data without the consent of the works council.

Transferring personnel data within a multinational

Companies can share personnel data across the organisation, for example through a central database with personnel data or an intranet containing personal data of all employees.

For a multinational, this may result in personnel data ending up in a country outside the EEA. In principle, this is only allowed if that country has an adequate level of protection. This means that personal data are at least as well protected there as within the EEA.

If the country outside the EEA does not have an adequate level of protection, transfer is only permitted on the basis of one of the statutory provisions of Chapter V of the GDPR.

For more information, see: Transfer within and outside the EEA.

Transferring information about undesirable behaviour

If a complaint has been filed against one of your employees about undesirable behaviour, such as sexual misconduct, a complaints committee or confidential advisor will collect sensitive information about your employee. This committee or person must handle this with care.

During the complaints procedure, nothing has been proven yet. This means the complaints committee or confidential advisor must be very reluctant to transfer information.

Whether the direct manager of the employee in question must receive information about an ongoing complaints procedure varies from case to case. This depends, among other things, on the nature and severity of the undesirable behaviour and whether the behaviour (also) takes place in the manager’s department.

If the complaint has been declared well-founded, the complaints committee or confidential advisor will inform the manager of the decision.

A reasonable retention period for the information of the complaints committee or confidential advisor is a maximum of 2 years after the complaint has been settled. It is not necessary to retain this information indefinitely. It is important that you as an employer agree on a clear retention period for this.

You can retain the opinion of the complaints committee or confidential advisor in the personnel file of the employee in question.