Employers almost always maintain personnel files on their employees. Such files may include various documents, such as copies of contracts, a copy of an ID, reports of performance reviews and warnings. All of these documents and data qualify as personal data. This means that the Personal Data Protection Act (Wbp) and soon the General Data Protection Regulation (AVG) apply.

This blog discusses the privacy aspects of personnel records. It also provides some practical guidance.
The basic principle is that employers may only include personal data in personnel files that are necessary for the purpose of the personnel file, which is the retention of data that employers need in order to execute employment contracts with their employees (principle of data minimization).
Examples of data and documents that may be kept in the personnel file are:
a copy of the employment contract;
reports of appraisal and performance reviews;
absence frequency;
any warnings; and
(to the extent permitted by law) the BSN number and a copy of the ID.
To prevent data breaches, employers must secure personal data. The Wbp, as well as the AVG, states that employers must take appropriate technical and organizational measures for this purpose. We mention some points of attention:
Is access to personnel files limited to those employees for whom it is necessary to perform their duties?
Have employees who have access to personnel files signed a confidentiality agreement?
Is it ensured that personnel files are kept and stored in the correct department and systems?
The basic principle under the AVG is that data should not be kept longer than necessary for the purpose for which it was collected or used.
Some personnel file data is subject to legal retention obligations. One example is the tax retention obligation. This means that the Internal Revenue Service requires employers to retain tax-relevant data for a certain period of time. Examples are the payroll tax statement and a copy of the identity document. These must be kept for 5 years after the employee leaves employment.
There are no statutory retention periods for other personnel file data. Consider, for example, reports of performance reviews. For this type of data, the guideline is a retention period of 2 years after the employee leaves employment.
Employers are allowed to keep data of their (former) employees longer if, for example, there is a labor dispute or if a lawsuit is pending.
Every employee has the right to see their personnel file. If an employee requests this, employers must grant the request. In addition, employees may request a copy of the personnel file. Employers must comply with this request (free of charge) as well.
Only in very exceptional cases can a request for access or a copy be refused, for example if state security is at stake. Such cases will rarely arise.
Access need not be given to internal notes/correspondence that contain the personal thoughts of certain employees of the employer (think of the HR manager, for example) and are intended solely for internal consultation and deliberation. This follows from case law and also applies to the provision of copies.
Finally, employees can also request that data in the personnel file be corrected or deleted.
With the advent of the AVG, a comprehensive information obligation for employers towards their employees will apply. The information obligation arises as soon as employers process personal data of their employees. This duty therefore also applies when creating and maintaining personnel files.
Given the duty to inform, employers must provide information on, among other things:
the purpose or purposes for which they process personal data;
how long the data will be kept; and
the rights the employee has regarding the processing of his personal data (consider, among other things, the right to inspect).
The AVG does not prescribe the manner in which employers must inform their employees. The information obligation is form-free. It is recommended that a chapter on privacy be added to the personnel handbook or company regulations, for example, in which the above information is provided. For organizations that do not have such documentation, a privacy statement that specifically addresses the internal situation can also suffice.
We advise employers to include the aforementioned aspects surrounding the design and handling of personnel files in their privacy policies. After May 25, 2018, employers are also obliged to do so, and the Autoriteit Persoonsgegevens can take enforcement action if employers are in default on this point.
If present within the organization, it is further important to involve the Works Council in the privacy policy (consider the right of consent).
This article can also be found in the Privacy in the Workplace file
