Why data protection is also an HR task

Practical examples in HR-specific situations

Collect personal data at events

Usually a person registers for an event and personal data is requested. It is important that only personal data that is necessary for the purpose of carrying out the event is requested. There must also be a privacy policy on the registration page or website that provides answers to the following questions:

• What is done with the personal data?
• Why exactly were these collected?
• How long are they kept and when are they deleted?
• What are the rights of the data subject in relation to data protection?

Is the person’s consent legally valid? The new colleague is asked whether she can publish her photo on the intranet – in addition to the information about the new entry

The core requirement for valid consent is voluntariness. In the employee-employer relationship, it is questionable to what extent the employee’s consent can be voluntary. There is always an asymmetry of power woven into the relationship between employers and employees, which is already evident in the right to issue instructions.

In this case, a pragmatic solution would be to give the person the opportunity to make their own photo selection.

An employee leaves the company. Which data can and may continue to be used?

After an employee leaves, the employer’s interests change. However, the latter may well have a well-founded interest in retaining the former employee’s personal data beyond the end of the contract. From a legal perspective, risks could arise, for example in the form of possible demands for additional wages from the former employee. This justification ends at the latest when the statute of limitations for additional wage claims expires, i.e. 5 years after the end of the employment relationship.

Companies often maintain contact with their former employees, for example in the form of alumni or retiree events. It is therefore advisable to take measures when leaving the country in order to ensure that future personal data processing is lawful. When joining an alumni organization or other association, it makes sense to include a privacy section or create a privacy agreement. This means that all future data processing can be planned in advance and former employees will not be surprised when they receive information.

The data protection law between Europe and Switzerland (September 1, 2023)

The new data protection law between Switzerland and Europe came into effect on September 1, 2023. The main goal of the revision is to align Swiss data protection law with EU law (GDPR). There are some significant changes to note:

1. When there is a possibility of a higher risk to the privacy or fundamental rights of the individuals involved, a risk assessment must be conducted.
2. Data protection now applies only to personal data of natural persons, while legal entities such as businesses or associations are exempt.
3. Principles such as “Privacy by Default” and “Privacy by Design” are introduced.
4. The requirement to provide information is expanded. Before collecting personal data, the individuals concerned must be informed in advance.
5. Starting from September, genetic and biometric information will be classified as highly confidential and protected data.

You are unsure or have questions about HR issues relating to data protection. Contact us – we look forward to advising you and supporting you in implementing your project.