A day for an employee’s personal data

What would a working day look like if personal data were processed within one day?

08:00 – Applying for a job, submitting a CV and motivation letter. The employer makes a preselection of the candidates. The legal basis for data processing is pre-contractual negotiations at the request of the person. Candidates’ personal data may be retained by the employer for up to one year.

08:30 – Screening and job interview. Screening may be conducted with the consent of the employee. Where there are specific statutory requirements for the workplace (e.g. working with children), the background survey shall be based on the fulfillment of a legal obligation. The data may be stored for one year from the date of application.

09:00 – Performing a mental ability or professional test. Data processing is based on employee consent. Retention for up to one year if it is decided not to recruit the person. If a person is employed, the tests may be retained for the duration of the employment contract.

09:30 – Conclusion of an employment contract, employee payroll and benefits. The legal basis for the processing of personal data is the performance of the contract. The employer must keep the employment contract for the duration of employment and for ten years from the date of termination of the employment contract (50 years for employment contracts concluded before 2009).

10:00 – transfer of personal data to accounting. The accountant forwards the personal data to the Tax and Customs Board. The legal basis for processing is the fulfillment of the employment contract and legal obligations. The data is stored for the period established by the Accounting Act, i.e. seven years.

10:30 – Setting up of work computer and accounts. The employer has access to the employee’s computer, emails, call separation, and cloud service accounts. Data processing is based on the performance of the employment contract and legitimate interest. The data can be retained during the employment relationship and in case of disputes until the claims expire (usually three years).

11:00 – A social media account is created for the employee. Data processing (such as adding a profile photo of an employee) is done to fulfill contractual obligations, but only if an account is required to perform the employment contract. If an account is not required for the performance of the contract, the employer may create an account only with the consent of the employee.

11:30 – Introducing the new employee to colleagues. The employer is not allowed to collect personal information about the employee (e.g. hobbies and pets). When an employee discloses such information to co-workers, it is a personal activity.

12:00 – Video surveillance, vehicle GPS unit, and door card. Video tracking captures a person’s image (face and body). The door card system logs employee entering and leaving work, and the GPS unit allows to track the location of the employee. The legal basis for data processing is the legitimate interest of the employer. The conditions for storing personal data can be described in the rules of work organization.

12:30 – Access to employer databases. The employee receives an account and passwords for databases that allow access to the customer’s personal information. The legal basis for the processing of personal data by the employee is the performance of the employment contract. The conditions for data processing are set out in the work organization rules or the information security guide.

13:00 – Taking pictures for the employer’s marketing materials. The legal basis for the processing of personal data is the consent of the employee. Such photos may be retained by the employer during the employment relationship.

13:30 – Adding the name of the employee to the website and a post-announcement with a photo. Data processing is based on a legitimate interest if the workplace requires communication with the public and clients. Unless the workplace is public or requires customer interaction, the photo may only be published on the website with the employee’s consent.

14:00 – Accident at work resulting in bodily injury to a worker. The employer is obliged to inform the Labour Inspectorate and to draw up a report (personal injury information is a special type of personal data). Data processing is carried out to fulfill a legal obligation. The period of retention is 55 years.

14:30 – Temporary incapacity to work, pregnancy, and maternity leave. The employer shall forward the relevant data to the Social Insurance Board. The collection and processing of personal data are based on the fulfillment of a legal obligation.

15:00 – conducting a seminar and interview for the media. The seminar materials will introduce the employee and include a photo of the employee. The presentation will be recorded and made available to the public on the web. The legal basis for the processing is the performance of contractual obligations. Data will be retained as long as the employer has a legitimate interest in making the materials available to the public.

15:30 – Employee evaluation. The legal basis for data processing is the performance of the employment contract and the data may be retained during the employment relationship. After the termination of the employment contract, the employer must delete the data.

16:00 – Occupational health check. Employer’s legal obligation, data is kept for 10 years from the end of the contract. The employer does not obtain health information from the physician, but the physician can make recommendations for improving the working environment.

16:30 – A bailiff requires the employer to withhold employee’s pay. Personal details of the employee are disclosed (e.g. obligation to pay alimony). The legal basis for data processing is the fulfillment of the employer’s legal obligation. The bailiff’s records are kept by the employer in the same way as accounting records.

17:00 – Employee shows holiday photos. The personal activity of the employee. Such data may not be used by the employer in the employment relationship (stored on the employer’s server, shared on the web, etc).

17:30 – Labour dispute in the labor dispute committee. Personal data of the employee may be disclosed to the Commission if this is necessary to resolve the dispute and protect the employer’s rights. The legal basis for data processing is the fulfillment of a legal obligation (Labour Dispute Resolution Act) and a legitimate interest (protection of the employer’s interests). Personal data can be stored until the claims expire.

18:00 – Recruitment service request to the employer. The employer may disclose personal information to a third party with the employee’s consent. Professional skills may be provided by the employer if it is necessary to assess the suitability of the employee for the new job (legitimate interest).

« Back to articles
Hedman

Our memberships:
FinanceEstonia,
Teenusmajanduse Koda,
EstVCA, EstBan, FECC,
IBA & IBA European regional Forum