Are employees’ official data subject to the GDPR?
In one of the latest publications on the UODO website, the office explained that it is possible for the employer to use the email address of a former employee containing his name, e.g. to inform persons contacting the employer at this address about other available forms of contact.
It is assumed that the employee's email address falls under so-called "business data", i.e. information about employees related to the performance of their official duties. Some employers mistakenly assume that "business data" are not personal data, and that their processing is therefore not subject to the restrictions arising from the GDPR.
Scope of business data
Business data include basic information about the employee related to his professional sphere, primarily:
- name and surname,
- position / department,
- work telephone number assigned to the employee,
- business email address assigned to the employee.
Such data are posted by employers, e.g. on the employer’s website, on the intranet, business cards, stamps or posted on a board in the workplace. Employees’ business data are often also included in the content of contracts with their contractors to facilitate contact during the performance of the contract.
It is worth noting that the scope of official data does not include, among others, the employee's image or private contact details, e.g. private telephone number, home address and private profile on a social networking site.
Business data and the GDPR
Employees' business data are protected in the same way as all other employee personal data processed by the employer. Neither the GDPR nor the Labor Code introduces a separate definition of "business data". They are ordinary personal data. However, due to their close relationship with the performance of official duties, it is recognized that the employer may have a legitimate interest in processing them, including making them available to its contractors and to the employee's colleagues, as part of its business.
Employee’s consent to the processing of official data
The President of PUODO (and earlier GIODO) has repeatedly pointed out that the processing of an employee's business data, and in particular their disclosure, in connection with his official duties does not require his consent. Performing work usually involves the need to contact third parties: colleagues, clients, contractors, offices, etc. Making, for example, the transfer to a client of the official data of the employee responsible for handling a matter dependent on that employee's consent would pose a significant threat to the proper functioning of the employer.
Legal basis for the processing of official data
When processing the official personal data of its employees in order to, e.g., maintain business contacts with a contractor or perform a contract, the employer may rely on Art. 6(1)(f) GDPR, i.e. the legitimate interest of the controller, as the legal basis for processing. This interest must be clearly indicated to the employee, e.g. maintaining business contacts, communication with subcontractors, etc.
Sharing business data with contractors
When an employer provides its employees' personal data to contractors, e.g. by indicating in the content of the contract the name, surname, position and telephone number of the employee responsible for handling the order, the data are made available to another controller, not entrusted to it for processing. The contractor does not process these data on behalf of the employer, but pursues its own purposes as part of its business. There is therefore no need to conclude a contract with the contractor entrusting it with the processing of personal data.
Information obligation towards the employee
An entity that has received the business data of its contractor's employees for business contacts is, first of all, required to provide those employees with information about the processing of their personal data (the so-called information clause). This should be done at the first contact with an employee of the contractor or at the time of further disclosure of the data (e.g. to a subcontractor), but no later than within a month of obtaining them. Please note that if personal data were obtained from a third party, the information clause should additionally indicate the source of the personal data.
In order to facilitate the implementation of this obligation, contractors sometimes include the information about their processing of personal data in the contract itself and oblige the employer to pass it on to its employees.
In addition to the information obligation, the contractor also has the other obligations of a data controller, primarily to process data in accordance with the principles set out in Art. 5 GDPR and to give effect to the rights of data subjects.