
Employee data protection for multinationals

Practical Law UK Articles 6-102-3700 (Approx. 9 pages)


by Manja Barth, Coudert Brothers
An overview of the problems related to the protection of employee data before and during the employment relationship, focusing on the data protection issues in a multinational company with examples from different jurisdictions.
This chapter gives an overview of the problems related to the protection of employee data before and during the employment relationship, focusing on the data protection issues in a multinational company with examples from different jurisdictions, and deals in particular with:
  • Aims of the relevant legislation in the US and EU.
  • Practical issues to consider when implementing a company-wide policy that involves a number of jurisdictions.
  • Issues to address when transferring data across borders.
  • How employment contracts should address data protection.

Aims of the relevant legislation in the US and EU

The main focus of legislation in the US and the EU is the protection of privacy. This includes the right of employees to keep private certain kinds of personal information from their employers or to at least control how that information is used. Legislation in the EU and US affects all parts of the employment relationship, beginning with the recruitment process when information is gathered about the future employee, during employment with questions of email monitoring, employee investigations, the storage of medical data, and continuing beyond the termination of employment involving the obligation to keep or destroy employee data. In different EU jurisdictions, as in the US, a variety of common law, statutory and constitutional rights restrict an employer’s ability to collect and use information about job applicants and employees.

Practical problems for employers during recruitment

Data collection starts during recruitment where conflicting interests are obvious. The employee wants to present himself well and to protect his privacy while the employer needs to assess whether the job applicant is the right choice. Although the approach in the US and EU is often different, the legal issues an employer faces are often similar. The main issues of the recruitment process concerning data protection are summarised below.
Questionnaires. To have a consistent database of job applicants and potential employees and to develop a standard initial assessment, employers often use questionnaires during the recruitment process. If a multinational company wants to introduce a questionnaire for its subsidiaries or divisions, the different legal restrictions of the relevant jurisdictions must be taken into account so that a single questionnaire can be used throughout the whole company. Under EU regulation, the questionnaire should explain:
  • The name of the organisation to which job applicants are providing their data.
  • How the data will be used.
  • How long and for what purpose the data will be stored.
Some European jurisdictions have more restrictive provisions. For example, the French courts hold that the questions must have a direct bearing on the type of employment sought. The gathering and storing of a candidate’s personal information which directly or indirectly reveals the candidate’s race, his political, philosophical or religious views, membership in trade unions, or information on his health or sexual life is prohibited, unless the candidate gives express consent. This written consent does not, by itself, justify gathering such information if there is no direct and necessary link to the proposed position. Such information can only be gathered if the candidate’s civil rights are respected in the process, and if the need for the information is justified by the specific nature of the available position. The hiring questionnaires, regardless of whether they are computerised or not, must be declared to the National Commission for Computer Science and Liberty (Commission Nationale de l’Informatique et des Libertés, CNIL). Several references should appear on the questionnaire:
  • The candidate’s right to access and change information.
  • The names of legal entities and physical persons who will receive the questionnaire.
  • Whether each question is mandatory or optional.
  • The consequences for the candidate if he does not answer certain questions.
The CNIL adopted a recommendation on the gathering and treatment of personal information in the recruitment process. It also created, in consultation with the Recruitment Council Union (le Syndicat du Conseil en Recrutement-Syntec), a candidate questionnaire intended to serve as a model for recruitment professionals.
Recruiting agency. If job applications are transmitted by a recruiting agency the applicant should, in most European jurisdictions, be informed of the employer’s identity, or only anonymous data should be sent.
Arrest records. In many jurisdictions, an employer can only request information about any arrest or detention from an employee in very limited circumstances. Under California law, an employer may ask about arrests for which an employee or applicant is currently out on bail or on his own recognisance pending trial (Cal. Labour Code § 432.7) (most of the US examples are taken from the state of California, where statutes and case law provide a high standard of employee protection). Employers can also request information from applicants about any felony convictions. However, employers should avoid a policy that bars anyone convicted of a felony from employment with the company, since this may violate California law.
The situation in Europe is comparable. Criminal records are considered sensitive and consequently specially protected. For example, in the UK, it was previously possible to require job applicants to obtain their criminal records and have the applicant pass these on to any potential employer (“enforced subject access”). With the enactment of the Data Protection Act 1998, this is no longer possible. Employers are not able to require enforced subject access to obtain a copy of a prospective employee’s criminal record. Under special circumstances, employers are able to request a disclosure from the Criminal Records Office, for example, for a position involving contact with children and vulnerable adults. In France, the recruiter may not, under any circumstances, ask questions regarding legal sentences including the number of points on a driver’s licence, except in the case of certain specific positions (for example, a security guard) that require exemplary morality and respectability. In that case, an extract of the legal record may be requested.
Pregnancy. In all EU jurisdictions, asking whether an employee is pregnant is considered gender discrimination.
Medical and physical examinations. Requiring an applicant to submit to a medical or physical examination is not illegal but may raise concerns. The information revealed by a medical examination is private in nature and the examination itself is often intrusive. Consequently, many jurisdictions have developed rules restricting the circumstances in which an employee must agree to such examinations. Very often these examinations are subject to the consent of the employee and must be job-related.
In Germany, medical examinations are allowed if the employee gives consent and only if they are limited to evaluating the ability to perform job-related functions. In France, it is compulsory for the doctor to carry out such an examination when an employee is being recruited. For reasons of medical privacy, the aptitude sheet may only indicate the ratings “fit” or “unfit” to determine whether the candidate is able to carry out the job being sought. The situation is similar in California: the employer must subject all potential employees applying for similar positions to such an examination; the employee must be given an opportunity to submit an independent medical opinion before a final determination of disqualification is made; and the results of the examination must be kept on separate forms and in confidence.
Disability. Closely linked to the question of medical and physical examinations is the question of whether the employer can ask the job applicant about disability. In the EU, it is likely to be considered discrimination if the employer asks about the existence of disability. The employer could be subject to discrimination claims.
In California, employers are barred from requesting medical examinations to determine the existence or extent of a disability. Physical examinations are allowed only after making an offer of employment, and then only if all applicants in the same job category are required to be examined.
HIV results. Disclosures of HIV tests are usually subject to the authorisation of the employee. The California Health and Safety Code prohibits employers from testing for HIV and AIDS without the subject’s written consent or from using HIV or AIDS test results to make hiring and other employment decisions. In Europe, the situation is similar. In Germany, for example, HIV infection results can only be requested if an HIV infected employee would present a danger to other employees or clients, such as in medical posts.
Data to be stored or deleted. When an employer does not hire an applicant, different jurisdictions have varying rules on whether an employer can keep the applicant’s information. Under German law, storage of a rejected applicant’s information is possible only if the applicant gave consent or will apply in the near future for another job opening. In all other circumstances, the data must be deleted. This limitation applies equally to online applications. Therefore, it is useful to include an indication or notification that the data may be stored for a certain period of time in the application form and request the applicant’s consent if the employer wants to do so. This is provided for in the respective statutes. For example, in France, the CNIL recommends that the candidate who has undergone the recruitment process, whether or not that process results in a job, be informed of the length of time the information regarding him will be kept and his right to request that those records be deleted at any time. Whatever the situation, the time the information is kept should not exceed two years after the last contact with the individual in question.
Verifying whether the information given by the applicant is true. Employers have an interest in knowing whether a job applicant is telling the truth and often need to verify the information provided by the job applicant. In most jurisdictions, this is possible but it is advisable to inform the employee from the start that information checks may be carried out. When verifying school or university information, it is advisable to request an employee’s written consent. Still, whether such a procedure is legal needs to be confirmed in the relevant jurisdiction.

Practical problems and legal requirements during the employment relationship

Practical problems arising during the employment relationship are very often linked to the use of electronic devices and employee monitoring. A multinational with subsidiaries and divisions also has to take into account local requirements such as information obligations towards a data protection authority or consultation rights of trade unions or an employees’ representative body. The main topics linked to data protection during the employment relationship are analysed below.

Electronic devices and monitoring

Audio and video recording. The employer’s ability to monitor, observe and conduct searches of employees, even those suspected of misconduct, is limited. Often a determining factor is whether the employee is in a workplace where the general public has free access. Videotaping is permitted in most jurisdictions when the employee can expect to be videotaped. Under German law, employees must be informed of any videotaping. A German labour court even ruled that a secret videotape of a theft committed by an employee could not be used to justify a dismissal, since the employee had not been told that monitoring was taking place. This is still valid case law and is often applied by the lower courts, even though the German Federal Labour Court recently ruled that the use of videotapes to investigate a theft is permissible.
Videotaping can be subject to co-determination rights of trade unions or of a representative employees’ body. The German Shop Constitution Act provides for a co-determination right for any electronic device or data processing system which allows the monitoring of employees.
In France, regarding cyber-surveillance in the workplace, the employer can control the professional activity of his employees. However, his power of direction is limited by two principles:
  • Loyalty and transparency. No personal information concerning an employee can be collected by a control system if the employee is not aware of such a control system. Therefore, the employee must be informed that a control system will be put in place in the company to control his activity.
  • Collective discussion. The Workers’ Committee (Comité d'Entreprise) that represents the employees of a company with more than 50 employees must be informed and consulted on the existence and implementation of a control system.
No means of evidence may be used by the employer against employees if the means of control was installed without this double information (for instance, the employer who intends to dismiss an employee cannot justify his decision by using information that was illegally obtained).
Eavesdropping and telephone monitoring. The use of eavesdropping, electronic surveillance devices and telephone wiretapping is usually limited. Employers cannot eavesdrop on private communications where the parties reasonably expect that the communication will not be overheard or recorded. While US federal law allows a “business extension exception” (permitting an employer to monitor business calls from an extension in the ordinary course of business), Californian law does not. German law allows the monitoring of business calls from an extension if this is indicated by a tone and the employee is aware that monitoring is possible. With respect to eavesdropping and telephone monitoring, it has to be determined for each jurisdiction whether this triggers consultation or co-determination rights of trade unions or an employees’ representative body.
Email. Employers can make several strong arguments supporting the need for email monitoring. Company email can be a source of potential copyright infringement for employers, which can be found vicariously liable for infringement by their employees. Employers may also be found liable for defamation, sexual harassment and discrimination. In the US, some courts have found that the company’s interest in preventing inappropriate and unprofessional comments or even illegal activity over its email systems outweighs any privacy interest the employee may have.
On the other hand, email will be protected if it is of a private nature. Under US and EC law, protection depends on the extent to which workers can reasonably expect to keep their email messages private on the company’s email system. Given the widespread use of email in the office, employers are advised to adopt and distribute a written email policy informing employees of company guidelines regarding non-business use of emails, providing advance notice that the use of private passwords is restricted and warning employees that the email system may be monitored. The general guidelines on the use of email may also trigger co-determination rights of the representative body of the employees.
The French Supreme Court ruled that an employee has, even at work, a right to respect for the intimacy of his private life. This statement implies, among other principles, the principle of secrecy of correspondence. Therefore, the employer cannot, without breaching this principle, read the content of personal electronic messages sent or received by the employee through devices put at the employee’s disposal for work, even where the employer has prohibited the personal use of those devices. In the case in point, the employer had opened and read a file entitled “Private” and had used its content to dismiss the employee.

Storage of data and local requirements

Internal guidelines for storage of data. Given that statutes and case law provide for a multitude of rules on data protection, it is advisable to designate a person within the company to be responsible for ensuring that employment practices, procedures and data storage and processing comply with the relevant provisions. Many statutes in the EU actually oblige the employer to appoint a data protection co-ordinator within the company (as is the case in Germany).
It also must be ensured that superiors, managers and the responsible human resource teams that process information about employees understand their responsibilities and are aware of the relevant provisions.
Regular review of stored data. In the EU, data storage is often only permitted if the stored data is necessary to the employment relationship. Personal data that is irrelevant to or goes beyond the employment relationship must be deleted. Compliance should be checked through regular reviews carried out under adequate procedures.
Register of data controllers. For every company or establishment within a multinational, it must be assessed whether there are any obligations to notify a register of data controllers as may be required in France or the UK. For example, in France, all automated processing of personal information must be declared to the CNIL. The declaration file must indicate the information gathered, the purpose, the place where the candidate may exercise his right of access and the persons or organisations who receive the information.
Consultation and co-determination rights of trade unions and employees’ representative bodies. In some European jurisdictions, employees’ representative bodies must be consulted on data protection issues. This covers how the data is obtained, how it is stored, and any monitoring. This must be verified for each jurisdiction separately. In Germany, implementation of an email system is subject to co-determination with the works council.
Rights of the employees. In most European jurisdictions, employees are entitled to access the data stored about them and verify whether it is correct, and to know to whom the data is transferred and how the employer obtained it. If the data is not correct, the employee can request that it be corrected.

Practical issues to consider when implementing a company-wide policy that involves a number of jurisdictions

The first step before implementing a company-wide policy that involves a number of jurisdictions is to determine the areas to be regulated. Given the existing protection of an employee's privacy rights and the need of the employer to monitor employees, the collection, storage, and processing of data should be addressed in a policy. The correct use of electronic communications in these areas should also be addressed in the same policy. This policy should be used to clarify the obligations of an employee as in most jurisdictions the employee must be aware of his obligations with respect to the use of the electronic devices in order to sanction misconduct. For example, in Germany, a dismissal based on private use of the company’s email system is possible only if the employee was aware that such an activity was prohibited (see box: Areas that should be addressed in a company-wide policy).

Areas that should be addressed in a company-wide policy

Use of the company’s email system

  • Can the employee use the email system for private use and, if so, are there any limitations such as a prohibition on opening attachments?
  • Are there any obligations on how to store or not store a user’s password?
  • Must the employee communicate any password or password changes to somebody else in the company?
  • When must emails be encrypted?
  • How must the employee treat unsolicited emails?
  • Notice of potential monitoring and potential actions that may be taken if a breach of the email policy is found.

Use of the internet and intranet

  • Is private use of the internet allowed and, if so, for how long and for what purpose? Is it allowed during working hours?
  • Is the downloading of files, documents or programs allowed? Since downloading often infringes copyright, downloading should be prohibited. The liability of the employee and disciplinary actions for violations should be stated clearly.
  • Which websites must not be visited?
  • Whether or not the employer will monitor an employee's internet access including the duration that the data collected will be stored.

Telephone use

  • Is private use of the telephone allowed?
  • What data will be stored and for how long (itemised bill)?
  • Is the employer entitled to use recorded telephone conversations to investigate misconduct claims?
  • Will business-related phone calls be monitored?

Employee data stored in the company records

  • Rights of the employee to access his file.
  • An employer’s responsibility for the employee’s files.
  • Information as to what data is stored in the files and to whom it is transferred (for example, to another company within the group).
  • Information that has to be processed by the relevant authorities (for example, social security authorities).
  • Special information, consultation and complaint rights depending on the applicable jurisdictions.
Determining the relevant jurisdiction. After identifying the issues that must be addressed and regulated in a company-wide policy, the next step is to determine the relevant jurisdiction. One of the major practical issues to be considered when implementing a company-wide policy that involves multiple jurisdictions is to ensure that the laws of each relevant jurisdiction are met. In the US, this would mean compliance with federal laws and the laws of the state in which the employee is based as well as the laws of the state where the confidential data is maintained, if different from the state where the employee is based. In Europe, the company-wide policy must comply with the respective statutes and case law where the employees are located and where the data is processed.
Formal requirements in different countries. Any formal requirements in the relevant country must be considered before the implementation of the policy. In Germany, all questions related to monitoring employees trigger co-determination rights of the employees. In some jurisdictions, special bodies responsible for data protection may have to be consulted and this must also be considered.
Responsible department and local data protection co-ordinators. The next step is to decide which business unit is responsible for the implementation of the policy on a firm-wide basis and whether there will be a local data protection co-ordinator. Such an officer may be required by the statutes applicable in the respective country. This should be verified within the countries concerned.
Communicating the policy to employees. The local requirements of each jurisdiction must be taken into account. For some countries, an English version on the intranet might be sufficient whereas in others a written document in the employee’s native language has to be handed out which the employee needs to sign.
Follow-up of company-wide policy. Once implemented, it is advisable to have a regular follow-up on the policy since this is an area in continuous development on the technical and legal side. For example, the introduction of a new internet provider which allows for better and easier storage of data containing the time employees spend on the internet triggers co-determination rights under German law.

Issues to address when transferring data across borders

Safe harbour

In a multinational firm there are obligations that arise when transferring data across borders. This occurs frequently for US or EU parent entities that require personal employee data in the respective subsidiaries outside the home country. Under all jurisdictions within the EU, the transfer of personal data to non-European nations that do not meet the European “Adequacy Standard for Privacy Protection” is prohibited. Although the US and the EU share the goal of enhancing privacy protection for citizens, the US takes a different approach to privacy. As a result of these different privacy approaches, the implementation of the European Directive on Data Protection could have significantly hampered the ability of US companies to engage in many trans-Atlantic actions. To bridge these different privacy approaches and provide a streamlined means for US organisations to comply with the Directive, the US Department of Commerce, in consultation with the European Commission, developed a “safe harbour” framework.

Principles of safe harbour

Companies that decide to participate in the safe harbour must comply with the safe harbour’s requirements and publicly declare that they do so. To qualify for the safe harbour, an organisation can either join a self-regulated privacy programme that adheres to the safe harbour’s requirements or develop its own self-regulated privacy policy that conforms to the safe harbour. In order to comply with the safe harbour requirements, a company must respect the seven safe harbour principles:
  • Notice. The employee must be informed about the purpose for which data is collected and used.
  • Choice. The individual must have the opportunity to choose whether the personal information is disclosed to a third party or used for a purpose incompatible with or beyond the initial purpose.
  • Onward transfer. If information is disclosed to a third party the company must apply the notice and choice principles. For example, when a US company wants to use personal employee data for marketing purposes, it must provide the employees with the choice to allow or disallow this action before doing so.
  • Access. The employees must have access to any personal information stored about them and must be able to correct, amend or delete that information when it is inaccurate.
  • Security. The company must take reasonable precautions to protect personal data from loss, misuse or unauthorised access, disclosure, alteration or destruction.
  • Data integrity. Personal employee data must be relevant for the purpose of the employment contract or the application process. Data must be accurate, complete and current for the intended use.
  • Enforcement. There must be independent recourse mechanisms for an employee’s complaint where the dispute can be investigated. Procedures for verifying that the safe harbour principles have been implemented also need to be established.

Self-certification for safe harbour

To benefit from a safe harbour, a company must self-certify to the US Department of Commerce its adherence to the safe harbour principles described above. The company must provide a letter, signed by a corporate officer on behalf of the company joining the safe harbour, that contains a description of the activities of the company with respect to personnel data received from the EU and a description of the company’s privacy policy. Other information on the privacy policy may also be included.

How employment contracts should address data protection

With respect to the employment contract, different issues need to be addressed separately. These include:
  • Use of electronic devices, such as email and internet. If the employer does not have a general policy, it is advisable to include provisions on the use of electronic devices and obligations resulting from the use of electronic devices.
  • Consent to storage of data and transferring it to other companies within the group. In many jurisdictions, the consent of the employee is necessary to obtain certain data and to store or transfer it. The requirements for how such consent must be obtained vary between jurisdictions. In most jurisdictions, the employee must be informed of the purpose and use of the data to be stored. For sensitive data, such as that related to the health of the employee, the employee must be made aware of the possible use or transfer of such data. For a group of companies it is also important to ensure that the employee gives his consent to a transfer of the data to another company within the group, especially when the data is transferred to a company having its seat in another country.
© 2024 Thomson Reuters. All rights reserved.
Published on 23-Jun-2003
Jurisdictions
  • European Union
  • France
  • Germany
  • International
  • United States