HR Data

retention

GDPR Webinar

Gert Beeckmans

(SD Worx),

Laurent De Surgeloose

(DLA Piper)

2

Welcome to our

2nd GDPR WebinarThursday 25th January

Implementing an appropriate

retention of employee data

DLA Piper is a global law firm with lawyers

located in more than 40 countries throughout

Europe, the Americas, the Middle East,

Africa and Asia Pacific, positioning us to help

clients with their legal needs around the

world.

SD Worx are a leading European HR provider

assisting clients with payroll, HR and tax &

legal solutions on a global scale.

3

This webinar will be available for replay on our

website at

www.sdworx.com/gdpr/downloads

#GDPRcountdown

SD Worx @SDWorx SD Worx SD Worx

350

COMPANIES

700

DELEGATES

EXHIBITION &

NETWORKING

You will have to be explicit on data retentionSection 1

Storage Limitation Principle Remains

Not materially different from existing

privacy laws: you can only retain

personal data for a period that is not

longer than the one necessary for

the purposes of the data processing

But GDPR makes the application of this principle more strict

8

– Directive Art 6 (1)c: not excessive in relation to the purposes for which

those data are collected

– GDPR Art 5 (1)c - data minimization principle: limit the data to what is

necessary for the purposes

• Limit the period for which the personal data are stored to a strict

minimum

• Establish time limits for erasure or periodic review

Storage Limitation Principle Remains

9

And requires you to be explicit and transparent

You must specify data retention times in the privacy notice and the data

register

The right on erasure (right to be forgotten)

While data subjects can challenge you

How will you be able to protect

yourself against claims from

individuals and sanctions if you

have to justify a data breach for

personal data that was already

meant to be deleted?

Defining an HR data retention policy

Section 2

Every country has its own rules and

practices that can differ greatly

11

No uniform retention periods on

international level

1

2

3

Mostly centered around minimal

retention guidelines based on

company, social and fiscal laws

Often related to specific type of

documents or information

12

A few examples…

France:

• payroll data 5 years

(including paper payslip)

• but electronic payslips

50 years, or until

employee turns 75

• litigation up to 20 years

Germany:

• data on minimum wage

compliance 2 years

• litigation up to 3 years

• payroll accounts for tax at

least 6 years

Belgium:

• employee records and

social documents 5 years

UK:

• payroll and wage records

6 years from the financial

year end in which

payments were made

Poland:

• employee records 50

years

13

Challenges

– Strict minimum is subjective and

open to interpretation

– Limited or no case law

– Very limited guidance and no

clear cut best practices

14

Check and balance

VS

– Legal requirements for document

retention defined by social and tax

regulations

– Information needed for potential future

legal proceedings (depending on how

long potential litigation period goes)

– Company needs to keep certain

information

– Limiting the storage period to a

strict minimum under GDPR

15

Recommendations

Ensure you know the minimal legal requirements for document retention within every

country that you are active in

Assign information owners

Determine overall HR retention times based on a limited number of overall categories

of HR data and your HR systems (e.g. recruitment, contract & benefits, payroll) and

only then add any additional requirements for specific documents.

Organize a periodical review of documents and information and delete anything you

no longer need

1

2

3

4

16

Example

– C: Completion or Closure – events whose end date is unknown at the time the record

is created

– S: Superseded – date when records have been replaced, revised or made obsolete

Practical HR cases

Section 3

Mr. X applied for a job. He was not selected

because of a mismatch with company values.

Afterwards, it was discovered that the

applicant already tried to apply for a job

multiple times. The company would therefore

like to keep recruitment records so that they

could first check if an applicant already

applied previously. How long can they keep

recruitment information of applicants?

18

Example 1:

Erasing data of applicant that

was not selected

- The employer should not keep recruitment records for

unsuccessful applicants beyond the statutory period in

which a claim arising from the recruitment process may

be brought.

- Generally speaking, data protection authorities have

advised for very short retention periods (from 4 weeks

up to maximum 6 months) for recruitment related data

such as interview notes, assessment reports, CVs, etc.

- The employer could keep a limited record for a longer

period of time if he has a valid purpose (e.g. talent

pool) and if the applicant consents to this

- Advise to clearly communicate privacy notice on

applicants data as part of the recruitment process

19

Example 1:

Erasing data of applicant that

was not selected

Mr Z is dismissed by his employer. The

employer justifies the dismissal based on

performance reasons. After his dismissal

he request the employer to erase all his

personal data as he claims they are no

longer necessary in relation to the purpose

for which it was originally collected or

processed (i.e. the execution of the

employment contract between the parties).

20

Example 2:

Data retention vs request for

erasure after dismissal ("right to be

forgotten")

- Mr Z has a right to be forgotten and to submit such a request

- However, the employer can refuse to erase all the personal

data if:

▪ those information will be necessary for the exercise or

defence of the legal claims;

▪ some data cannot be erased as they were collected to

comply with legal obligations or for the performance of a

public interest task or exercise of official authority

- Employee was dismissed based on performance reasons.

There is a risk that the employee will challenge the reasons

invoked of his dimissal (in certain countries employees

challenge the reason to obtain an additional indemnity).

Certain data regarding the employee should therefore be

retained in the framework of a defence of legal claim.

21

Example 2:

Data retention vs request for

erasure after dismissal ("right to be

forgotten")

22

Mr X was employed by employer A. During his

employment he benefitted from a

complementary pension scheme funded by the

employer. When he was dismissed the

employee decided to leave his pension

reserves in the pension plan of employer. The

employing entity was dissolved and its

pension obligations were transferred to

another sponsoring company of the pension

fund. The ex-employee starts a judicial

proceeding against the sponsoring entity

regarding the pension benefit. The pension

plan/regulations has been lost.

Example 3:

Retention of pension documents

23

- How long should the employer keep pension

documents?

- The employer (or the successor) should keep the

records in relation to the pension scheme as long as

this pension plan is valid and in force.

- After, those records could be kept for a sufficient period

in order to keep evidence in case of litigation.

- Liability issue for the employer (or the successor).

Example 3:

Retention of pension documents

24

Company T hires employees under a

temporary employment contract.

How long should/can the company keep the

employment contracts of the former

employees?

Example 4:

Erasing temporary employment

contract of former employees

25

- The employer should keep the temporary

employment contracts for the minimum duration

foreseen in the applicable legislation (legal

requirement).

- The employer could obviously keep those

documents for a longer period of time in case of

litigation.

- Advise to keep the contracts as long as the

statutory limitation periods applicable in criminal law

are running.

- Advise to clearly draft privacy notice for personal

documents of employees.

Example 4:

Erasing temporary employment

contract of former employees

13:15 – Session:

Gert Beeckmans

Frank Rudolf

@SDWorx | @SDWorxUKI | #InspireEurope18

Thank you

For more information visit: sdworx.com/gdpr

Or email us: WeAreGlobal@SDWorx.com

SD Worx

@SDWorx

SD Worx

SD Worx

#GDPRcountdown