In the GDPR, data subjects (in our case workers) have what is typically defined as 8 Data Subject Rights. These are:
- The Right to Information
- The Right of Access
- The Right to Rectification
- The Right to Erasure
- The Right to Restriction of Processing
- The Right to Data Portability
- The Right to Object
- The Right to Avoid Solely Automated Decision-Making
The first of the eight rights can be found in Articles 13 and 14 of the GDPR. Article 13 refers to information that employers must provide when they collect personal data directly from data subjects (you/the workers). Article 14 covers their responsibilities when they obtain data about the data subject from a third party or indirectly.
It holds that the data subject has the right to ask a data controller what kind of data they process and why the data controller (the employer) needs it.
What kind of information does your employer need to provide?
Article 13 says that they must provide the following information when they collect data (not after):
- Controller identity and contact details and those of the controller’s EU representative (if applicable)
- Data Protection Officer contact details (if a DPO was appointed)
- Legal basis for processing and purposes of processing
- Country where the processing occurs
- Legitimate interests of the processor and third parties
- Any recipients of personal data
- Any intention to transfer personal data outside the specified processing place and to a third country (particularly if the country is outside the EU)
- Data retention policy (how long data is stored)
- Explanation of rights to rectification, erasure, restriction of processing, and portability
- Explanation of right to withdraw consent
- Explanation of right to complain to the relevant supervisory authority
- If data collection is a contractual requirement and any consequences
- Existence of profiling and other types of automated decision-making and information about the logic behind them
Article 14 states that the employer needs to provide the same information even if they don’t collect the data directly from a data subject.
The right to information is very broad. As a data subject you can ask what personal data the employer collects generally, what processors the controller works with, and how the data gets used.
- The Right of Access (Article 15 GDPR)
The right to access allows the data subject (the worker) to access the personal data belonging to them that the employer processes.
What can you demand access to? In addition to asking specifically about your personal data file, you can ask about:
- Why and how the employer processes the personal data
- Categories of personal data involved
- Who sees the data (including and especially in countries outside the EU)
- How long the employer intends to store the data
- How you can exercise your rights
- Any available information as to the source of the data when the employer does not collect the data from the data subject
- The use of profiling and automated decision-making
The right to access adds an extra layer of transparency to the employer’s processing activities because it allows data subjects to confirm what data the employer has compared to the data they say they have. The Right of Access also sets you up to exercise further rights, like the right to rectification or the right to erasure.
The law allows you to request a copy of the data at no cost to you. However, if you request multiple copies, the employer can begin to assess a “reasonable fee based on administrative costs.” In other words, the employer can’t ask for an amount of money that would prevent you from upholding your rights or be seen as punitive.
- The Right to Rectification (Article 16 GDPR)
The data subject (the worker) shall have the right to obtain from the controller (the employer or a third party if they set the purposes and means of processing) without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
This right really depends on whether you know what data the employer holds on the worker. Here Article 15 on Data Subject Access Requests is important.
- The Right to Erasure (‘right to be forgotten’) (Article 17 GDPR)
This right is strongly linked to the principle of data minimisation that we covered in a previous phase. If an employer repurposes the data (i.e. uses it for other reasons than the original reason they informed you about), you can ask for it to be erased. This right is also interesting when, later in this guide, we talk about the moving or selling of data.
- The Right to Restriction of Processing (Article 18 GDPR)
This right amounts to a ‘pausing’ of processing. The data can only be stored, but not otherwise processed. This right is good to keep in mind especially if you have contested the accuracy of the personal data the employer has on a worker, or if the data subject (worker) has objected to processing pursuant to Article 21(1), pending verification of whether the legitimate grounds of the controller override those of the data subject.
- The Right to Data Portability (Article 20 GDPR)
This right says:
“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided”
This means that you have the right to transfer your personal data from one controller (employer) to another.
- The Right to Object (Article 21 GDPR)
Using this right is going to take some preparation work, but could well become useful. It basically says that a worker has the right to object to the processing of his or her personal data if the employer cannot justify that they have a legitimate interest in doing so.
For your consideration, an employer can generally determine if their processing is based on legitimate interests if they are using a worker’s data in a way that the worker would expect or otherwise deem reasonable – and where the processing has a minimal impact on their privacy. If not, the right to object could become a powerful tool. This right could become relevant if you think the employer or a third party is, for example, profiling you or the workers in a way that overrides the interests, rights and freedoms of the worker. Union busting tools could be an example of this.
- The Right to Avoid Solely Automated Decision-Making (Article 22 GDPR)
This article gives you the right to not be subject to decisions based solely on automated decision-making. In other words, the right to be free from decisions taken exclusively by a digital system or tool.
This right is important in your quest to ban intrusive systems or tools, but also in keeping management responsible and liable for the digital systems they are deploying.
But note:
The Article 22 prohibition on significant, solely automated decisions does not apply if the processing is necessary for the performance of a contract (e.g. an employment contract).
This means some solely automated and significant decisions in the employment context will be permissible under the GDPR.
But you should probe whether the processing is genuinely necessary for the performance of the employment contract, as opposed to being merely desirable or convenient for the employer.