Transferring personnel data
Sometimes it is necessary for you as an employer to transfer (provide) personnel data to other organisations or people within or outside your own organisation. However, your employees have given their information in confidence. That is why you are not allowed to simply transfer their personnel data. On this page you can read what the rules are.
On this page
Conditions for transferring personnel data
If you, as an employer, want to transfer personnel data, you must adhere to the following conditions from the General Data Protection Regulation (GDPR):
- You may only transfer personnel data in a manner that is lawful, fair and transparent to your employees. Note: in concrete terms, ‘transparent’ means that you inform your employees about their data being transferred.
- The personnel data that you want to transfer must have been collected for a specific and legitimate purpose, which you have described in detail.
- The transfer of personnel data must have a legal basis.
- The transfer of personnel data must be compatible with the purpose for which these data were collected. For example, if companies ask you for personnel data so they can send advertisements to your employees, you are not allowed to respond to that.
Basis for transferring personnel data
As an employer, you need a legal basis under the GDPR to transfer personnel data. The GDPR sets out 6 possible legal bases. When transferring personnel data, these 3 legal bases are the most obvious:
- it is necessary for the performance of a contract;
- there is a statutory obligation to provide data;
- the employee has given their consent.
Performance of a contract
You may transfer employee data if this is necessary to perform a contract between that employee and you, such as the employment contract. For example, if the employee is given a lease car, you transfer the details of this employee to the leasing company.
Statutory obligation
You may be obliged by law to transfer certain personnel data. For example, you are obliged:
- to transfer to the Tax and Customs Administration all data that are important for tax purposes;
- to report a long-term sick employee to the Employee Insurance Agency (Dutch: UWV);
- to transfer certain data about a suspected employee in criminal cases.
Legal basis of statutory obligation
Consent
If you are planning to transfer personnel data, while this is not necessary, you can ask your employees for consent. You must clearly explain to your employees what the consent is for and what the consequences are if they give their consent.
If an employee does not give their consent, this should not have any negative consequences for them. Employees may withdraw their consent at any time. From that moment on, you may no longer transfer their personnel data.
Note: Consent is not necessarily seen as a valid reason for transferring personnel data. That is because your employees depend on you. As a result, they may feel pressured to give consent.
Example 1: name, photo and location
As an employer, you want to transfer data of your employees to your customers as an additional service. Such as their name, photo and current location. For example, if your employees are parcel delivery persons, meal delivery persons or taxi drivers.
This is not allowed. You may only transfer personnel data to your customers if this is necessary for the provision of services. That is not the case in this case. It is also not allowed if your employees were to give their consent for this. Because your employees are dependent on you, they are not free to refuse. And in that instance, their consent does not apply.
Example 2: employee directory
As an employer, you want to place an employee directory on the Intranet with photos of your employees. Because this is not necessary, you must ask your employees for their consent. In this case, consent from your employees is valid. Your employees will not easily experience pressure to participate in an internal directory.
You do have to make it clear to your employees that participation is voluntary. An employee should not experience negative consequences for refusing to participate. You must also provide sufficient information to your employees about what exactly happens with their photos.
The consent only applies to the directory. For example, you cannot post photos of employees who have given consent on your external website as well.
Your employees may withdraw their consent at any time. From that moment on, you must remove the photo of the employee in question from the directory.
Role of the works council in transferring personnel data
If you intend to transfer personnel data, you must discuss this with the works council first. The works council has a legal right of consent to proposed disclosures of personnel data. This means you are not allowed to establish, change or withdraw a regulation for transferring personnel data without the consent of the works council.
Transferring personnel data within a multinational
Companies can share personnel data across the organisation. For example, if there is a central database with personnel data or an Intranet containing personal data of all employees.
For a multinational, this may result in personnel data ending up in a country outside the EEA. In principle, this is only allowed if that country has an adequate level of protection. This means that personal data are at least as well protected there as within the EEA.
If the country outside the EEA does not have an adequate level of protection, transfer is only permitted on the basis of one of the statutory provisions of Chapter V of the GDPR.
For more information, see: Transfer within and outside the EEA.
Transferring information about undesirable behaviour
If a complaint has been filed against one of your employees about undesirable behaviour, such as sexual misconduct, a complaints committee or confidential advisor will collect sensitive information about your employee. This committee or person must handle this with care.
During the complaints procedure, nothing has been proven yet. This means the complaints committee or confidential advisor must be very reluctant to transfer information.
Whether the direct manager of the employee in question must receive information about an ongoing complaints procedure varies from case to case. This depends, among other things, on the nature and severity of the undesirable behaviour and whether the behaviour (also) takes place in the manager’s department.
If the complaint has been declared well-founded, the complaints committee or confidential advisor will inform the manager of the decision.
A reasonable retention period for the information of the complaints committee or confidential advisor is a maximum of 2 years after the complaint has been settled. It is not necessary to retain this information indefinitely. It is important that you as an employer agree on a clear retention period for this.
You can retain the opinion of the complaints committee or confidential advisor in the personnel file of the employee in question.