If you have employees in the EEC, remember: they are your data subjects as well!
You need to consider how to collect, process, retain, and otherwise handle your employees’ personal data. As an employer, you may hold special categories of personal data, on which the GDPR imposes additional requirements that do not apply to “regular” personal data.
Your contracts with employees are an important tool for making sure that many GDPR-related issues are addressed.
The way you draft the employment agreement (or contractor agreements, for that matter) and your internal privacy policies may carry significant weight in determining crucial aspects of your operations, including, for example:
1. What information are you allowed to collect, use and process?
2. On what basis will you be able to transfer the personal data of employees across borders?
3. How will personal information be treated after an employee separates from your organization? Will you have the right to access his/her emails? Documents?
4. Will you be authorized to use third-party services to process your employees’ information?
5. How will you be able to control information stored on employees’ portable devices once they have separated from your organization?
It is also important to ensure that:
1. Your contractors, vendors and third-party service providers handling your employees’ information are also GDPR compliant. You need to have appropriate agreements in place with such third parties, and those agreements must comply with the specific requirements of the GDPR.
2. Your enterprise information systems processing HR information must also be compliant with the GDPR in the way they are designed and operated (e.g., data protection measures, access controls, use of sub-processors, appropriate and compliant data storage, compliance with the data protection principles of the GDPR, etc.).