EPISODE 8: GDPR and HR: how to treat personal data of employees and job applicants

11 May 2018

HR is the guardian of a wealth of personal data

By necessity, an HR department collects and processes a considerable set of personal data on present and former employees, and on job applicants. These sensitive data are essential to meet legal obligations, enable transactions between the employer and the employee, and allow the execution of the contract.

1. Data to meet contractual obligations, such as:

  • Salaries
  • Tax certificates
  • Social security

2. Data to enable employees to perform their jobs, e.g.:

  • Evaluations
  • Assessments

3. Data to meet legal requirements like:

  • Social security obligations
  • Withholding payroll tax
  • Traffic violations with company cars


GDPR also applies to HR data

Long before GDPR arrived, Bisnode’s HR department took great care to treat personal data with the utmost confidentiality and security. Extreme respect for private data is part of the Bisnode DNA. For instance: asking questions about, or keeping data on, personal conviction, nationality, sexual orientation... has always been totally off-limits for Bisnode.

As an international company, Bisnode Group wants to bring its internal cross-border sharing of HR data in line with GDPR. That’s why Bisnode took specific measures to fully align HR and GDPR on an international level.


Extra measures we took to fully align HR and GDPR

Bisnode took specific measures to clarify the rights and obligations of its employees and job applicants on an international level, in full compliance with GDPR. We always clearly specify which personal data will be kept and shared for which purposes.


Privacy policy for employees

All Bisnode employees receive a GDPR-compliant privacy policy. The policy clearly states how their personal data will be used within HR and within the Bisnode Group.


Biometric data

Bisnode employees who submitted biometric information, e.g. to get access to the data server rooms, will receive an extra privacy guarantee. This document clarifies which biometric data are used for which purposes. It also asks for their signed permission to use these biometric data.


Former employees

We need to keep the data of our former employees in order to comply with certain legal obligations, among others regarding pensions. These data have to be stored until their retirement. Bisnode deletes all other personal data that are no longer relevant: e.g. reports, family-related data...


Involving the trade unions

Bisnode informs its trade union representatives about the GDPR measures concerning employees. For instance, we tell them which data are passed on to the Sodexo meal voucher service or to our insurance broker. We provide the unions with all the assistance they need to inform and reassure their members.


Persons of trust

The operation of our “persons of trust” program at Bisnode did not require any specific GDPR measures. Their confidential information never reaches the HR department. By engaging a confidential advisor, employees give their counsellors their explicit consent to take further measures.


How to make a GDPR risk assessment of (sub)contractors?

That's the subject of part 9 of our GDPR special, which reports on Bisnode’s risk assessment procedures.


Looks complicated? Glad to help you!


Don’t worry: whenever in doubt about a GDPR data issue, do not hesitate to contact your Bisnode consultant. Getting GDPR ready? Been there! Done that! We’re ready to help and get you on your way.
