As we explained in the first part of this article, the processing of workers' personal data may represent one of the greatest risks to compliance with data protection regulations by any company or organization, due to the large amount of such personal data to which it will have access. The Company, as the party responsible for that processing, must therefore take all the necessary technical and organizational measures to guarantee the security and confidentiality of such data.
Although, in general, the processing of workers' personal data is legitimized by the employment relationship itself or by compliance with the legal obligations that arise from it, some processing of workers' personal data requires their express consent. For example, if the company intends to publish the name or photograph of its employees, it will require their express consent, because this is processing of personal data that is not strictly necessary for the fulfilment of the employment relationship and is not legitimized by the existence of the employment relationship itself; in short, it requires additional legitimization in the form of the express consent of the employees concerned.
On the other hand, it is necessary to understand that there is no regulatory compliance by the Company without compliance by all its workers, since, in practice, it is they who will process the personal data for which the Company is responsible. It would be of no use if the compliance protocols that are established were known only to Management or to whoever is designated as responsible for managing compliance with data protection regulations.
Therefore, the company or organization must take all the necessary organizational measures to ensure that its workers comply with data protection regulations in the exercise of their functions. To this end, all the technical or organizational security measures taken by the Company must be shared with the workers affected by the processing of personal data within their respective areas of responsibility.
The first technical and organizational security measure to be taken by any organization must be aimed at ensuring that workers can only access those personal data, whether they belong to customers, suppliers, third parties or their own colleagues, that are strictly necessary for the performance of their duties.
A measure that will almost always be essential is the definition of clear areas of responsibility and access control to personal data by person or department, thus ensuring that no worker has access to personal data that is outside the scope of their functions. The company must be as restrictive as possible in applying the principle of data minimization established in current data protection regulations: processing the least amount of data possible, for the shortest time possible, and only when and by whom it is essential.
It will also be necessary for workers to know the limits on the transfer to third parties of the personal data to which they have access, in order to avoid making transfers that are not legitimate.
The Company must not neglect to inform its employees of the rules regarding the processing of CVs that they may receive from third parties, and of the protocols for the destruction of confidential documents or documents containing personal data. It must also establish the means to guarantee that such destruction of documentation ensures that this information is not kept longer than legally permitted.
Finally, another of the essential organizational measures that the Company must pursue is the training and awareness of its employees in compliance with data protection regulations. It is of little use for a company to adopt protocols for compliance with data protection regulations if its staff are not properly trained and aware of the subject.
Therefore, the Company must make an effort in the awareness and training of its workers in data protection matters, to ensure that all of them assimilate the protocols and security measures that are adopted and understand what compliance with data protection regulations means within their respective areas of responsibility, so that, in short, effective and comprehensive compliance with these regulations can be achieved in the Company.
Do not hesitate to consult us on any of these matters; we will be happy to help you ensure compliance with data protection regulations in your organization.