Processing and erasure policy - Danish Technological Institute 2019

Processing and erasure policy RECRUITMENT AND PERSONNEL ADMINISTRATION DANISH TECHNOLOGICAL INSTITUTE


Table of contents

1 Introduction
2 Principles for processing personal data
3 Principles for erasing personal data
4 Processing personal data in applications for positions at the Danish Technological Institute
5 Processing personal data about employees
6 Erasure policy
7 Penalties
Annex 1 – Overview of deadlines for erasure


1 Introduction

1.1

This Data Processing and Erasure Policy has been drawn up with a view to ensuring that the Danish Technological Institute complies with data protection law (Act No. 502); see also the General Data Protection Regulation (Regulation (EU) 2016/679 of 27 April 2016) when processing personal data relating to either

1) Danish Technological Institute employees or associates or 2) applicants for positions at the Danish Technological Institute.


2 Principles for processing personal data

2.1

The foundation of data protection law is that processing the personal data of others is unlawful, irrespective of whether such data are ordinary or sensitive personal data. Under data protection law, the processing of personal data is only lawful where such processing is justified on objective grounds and in accordance with certain fundamental data processing principles.

2.2

Among other things, these fundamental data processing principles imply that

• the processing of personal data must always be lawful, reasonable and transparent;
• personal data must only be processed for a specific, legitimate purpose;
• the personal data processed must be kept to a minimum;
• personal data must always be correct and up to date; and
• personal data must not be stored for longer than is necessary.

2.3

As a rule, all Danish Technological Institute employees are at all times obliged to adhere to the fundamental data processing principles when processing personal data relating to Institute staff or applicants for positions at the Institute.


3 Principles for erasing personal data

3.1

According to the fundamental data processing principles, personal data must not be stored for longer than is necessary. After such time, the personal data must be deleted.

3.2

Personal data in physical documents will normally be erased by destroying or shredding the documents containing the data. The procedure for erasing personal data in electronic form is described in more detail in our IT security policy.

3.3

An alternative to erasure is data anonymisation. This would typically be relevant in statistical contexts (for example in absence or pay statistics). The procedure for anonymising personal data in electronic form must be discussed with IT and Communications.


4 Processing personal data in applications for positions at the Danish Technological Institute

4.1

Applications for all positions at the Danish Technological Institute must be submitted and processed through the Institute’s online recruitment system (“the Recruitment System”). This applies to both advertised vacancies and unsolicited applications.

4.2

Should an employee receive an application outside the Recruitment System, for example by e-mail, he or she is obliged to send a reply to the sender, stating that applications for positions at the Danish Technological Institute can only be submitted via the Recruitment System, and that the application has been deleted. A standard response letter can be found on the intranet under “HR værktøjer - skemaer og skabeloner” (“HR tools: Forms and templates”) and in Outlook under “Insert - signature”.


4.3

The reason why applications must only be received via the Recruitment System is to ensure that all applications are processed in compliance with data protection law, including the duty of disclosure, and the Danish Technological Institute guarantees applicants such compliance through our Recruitment Policy, which will automatically be shown to all users of the Recruitment System.

4.4

The Recruitment Policy contains all relevant information about the manner in which the Danish Technological Institute processes personal data that we either receive directly from the applicant or collect in the course of the recruitment process. All employees involved in the recruitment process are thus obliged to review the Recruitment Policy and ensure that every recruitment is in compliance with its rules. The Recruitment Policy is on the intranet under the GDPR tab and in the staff manual under “Politikker” (“Policies”).


4.5

The following guidelines must be adhered to in connection with each recruitment for a position at the Danish Technological Institute:

• Applications and other recruitment material must only be processed by employees directly involved in the recruitment process.
• Obtaining references for applicants requires the prior written consent of the applicant on one of the consent forms drafted by Personnel and Development. The applicant will automatically receive a consent form when invited to the second interview.
• Obtaining personality test results requires the prior written consent of the applicant. Similarly, credit ratings must only be obtained for the purpose of processing applications for positions of trust; the prior written consent of the applicant is necessary. Only the consent forms drafted by Personnel and Development may be used for the purpose of obtaining consent.
• References for former Danish Technological Institute employees must only be given if the business enterprise requesting the reference has submitted signed consent from the former employee in advance. Only ordinary personal data about the former employee may be disclosed. Sensitive personal data must not be disclosed.
• Data about an applicant’s health may only be obtained if, in the specific circumstances, this is deemed necessary in order to evaluate the applicant’s ability to perform the duties involved in the position in question.


5 Processing personal data about employees

5.1

Personal data about Danish Technological Institute employees must be processed in compliance with this policy and the Employee Personal Data Protection Policy applicable from time to time. This applies whether or not the personal data were provided by the employee or obtained in other ways and whether the data in question are ordinary or sensitive data. All employees are thus obliged to review the Employee Personal Data Protection Policy and to ensure that any processing of employee personal data for which they are responsible is in compliance with the Employee Data Protection Policy. You will find our Employee Data Protection Policy on the intranet in the staff manual under “Politikker” (“Policies”).


5.2

All final and official documents containing employee personal data that must be stored must as a rule be stored in the employee’s digital personnel file in the IT system of the Danish Technological Institute – and in no other place. Documents containing personal data already stored in an employee’s personnel file, must thus not be stored in any other place – neither in electronic nor in paper-based form. Examples of information and documents that will typically be stored in the employee’s own personnel file are

1) ID information,
2) Information relating to educational background and work experience,
3) Information about pay, sickness absences, pension matters, taxes and account numbers and
4) Information relating to other employment conditions, such as any reprimands and warnings, records of performance and development reviews, interviews about sickness absences, and other interviews, conversations and meetings.

An employee has access to the documents and information in his or her personnel file at all times. Other than that, documents and information in the personnel file are only accessible to relevant members of staff in Personnel and Development when relevant, to the employee’s immediate superior and vice president.

Personnel and Development is responsible for ensuring, in consultation with each employee individually, that the personal data and documents in the employee’s personnel file are in compliance with the fundamental data processing principles applicable from time to time, also by ensuring that all personal data are correct and up to date.


5.3

Only when a document contains employee personal data not suitable for storing in the employee’s personnel file must the document be stored in TI folders in the “Personal GDPR” folder of the employee’s immediate superior or other relevant superior or vice president. All “Personal GDPR” folders must be organised so they contain one subfolder for each relevant employee labelled with the employee’s initials and “GDPR”.

Documents containing personal data already stored in the “Personal GDPR” folders of the employee’s immediate superior or other relevant superior or vice president must not be stored in any other place – neither in electronic nor in paper-based form. Documents containing the personal data of an employee must thus always be stored in one place only.

Documents containing personal data that are not suitable for storing in the employee’s own personnel file and that must instead be stored in a “Personal GDPR” folder could, for example, be various types of internal work documents or documents that are not final.

All executives, including the immediate superior or vice president, are responsible for ensuring that personal data and documents in their “Personal GDPR” folders are in compliance with the fundamental data processing principles applicable from time to time, also by ensuring that all personal data are correct and up to date.

When an employee resigns or is terminated, his or her immediate superior is obliged to review all documents relating to him or her that are stored in the “Personal GDPR” folder. Documents that are no longer relevant must be erased and all other material forwarded to Personnel and Development, who are subsequently responsible for processing them in compliance with data protection law. All documents stored in “Personal GDPR” folders are thus only related to people currently employed by the Danish Technological Institute.

5.4

Sensitive employee personal data should be kept to a minimum in e-mails. E-mails containing sensitive personal data about an employee must be erased from Outlook as soon as possible after use. Should it prove necessary to store an e-mail containing sensitive personal data about an employee, such data must be stored in the “Personal GDPR” folder in accordance with the guidelines set out in clause 5.3 above.

5.5

Physical documents containing employee personal data should be stored in locked and/or closed drawers or cabinets at the end of the working day.


6 Erasure policy

6.1

Applications and other material collected or received from applicants for positions at the Danish Technological Institute must be erased not later than 180 days after receipt. Please also see Annex 1, which contains an overview of specific deadlines for erasing data in the recruitment process.

6.2

As a rule, employee personal data will be stored throughout the employment relationship and for up to five years after termination of the employment relationship.

When an employee has left the workplace and no longer has access to his or her personal e-mail account at the workplace, then his or her e-mail account will only be kept active for a period of up to 12 months after termination of the employment relationship. See also Annex 1, which contains specific deadlines for erasing personnel administration data.

6.3

Information about industrial injuries at the Danish Technological Institute is normally processed in the EASY system (the public industrial injury system accessible through www.virk.dk) but, on the recommendation of Arbejdsmarkedets Erhvervssikring (AES), should also be stored at the Danish Technological Institute for five years after the time of the injury. See also Annex 1, which contains specific deadlines for erasing industrial injury data.

6.4

Notwithstanding the above procedures and deadlines for erasing data and the information set out in Annex 1, there may be specific circumstances that make it necessary for the Danish Technological Institute to store personal data for a longer period of time than otherwise indicated.

The reason may be specific circumstances related to a specific project, in which the Commission or public authorities, for example, require documentation of pay and other employment conditions to be stored for a specific period of time. Special EU or other statutory requirements may also apply in specific situations.

Moreover, there may be specific reasons that personal data are exempt from these guidelines, for example:

• The processing of employee personal data outside an HR context because the employee’s name is mentioned in a contract between a client and the Danish Technological Institute.
• Legal proceedings that are pending and brought by or against the Danish Technological Institute in which such data are part of the material required to conduct the proceedings.
• Pending industrial injury proceedings that are ongoing after the employee’s departure.
• Other pending cases that involve public authorities – e.g. appeal boards, supervisory authorities or the police – that require the processing of employee personal data.

6.5

If you are in doubt whether or not a situation is included in these exemptions, contact Personnel and Development to discuss the circumstances in more detail.


7 Penalties

7.1

Failure to comply with the Processing and Erasure Policy may – subject to a specific evaluation of the nature, seriousness or recurrences of the offense – have an impact on your employment relationship and may result in dismissal or summary dismissal.

This Danish Technological Institute Processing and Erasure Policy was last updated on 24 May 2018.


Deadlines for erasure during the recruitment process

| Object | Purpose | System etc. | Deadline for erasure |
|---|---|---|---|
| Application, CV, marks etc. | Recruitment | Online Recruitment System, material collected, physical printed material, e-mail | 180 days |
| References | Recruitment | Online Recruitment System, material collected, physical printed material, e-mail | 180 days |
| Various e-mail messages, including rejections | Recruitment | E-mail messages | 180 days |


Deadlines for erasure for personnel administration

| Object | Purpose | System etc. | Deadline for erasure |
|---|---|---|---|
| Personnel folder/file | Personnel administration | HR system, physical archive, e-mail | 5 years after termination of employment |
| Records of performance and development reviews | Personnel administration | HR system, physical archive, e-mail | 5 years after termination of employment |
| E-mail in-tray after employee’s departure | Personnel administration | Outlook | 1 year after termination of employment |
| Time/absence records | Personnel administration | Payroll, time registration system | 5 years after termination of employment |
| Sickness history and records of sickness absence interviews | Personnel administration | HR system, physical archive, e-mail | 5 years after termination of employment |
| Pensions, group life and health insurance | Personnel administration | HR system, physical archive, e-mail | 5 years after termination of employment |
| Warnings, dismissal, summary dismissal and severance agreement | Personnel administration | HR system, physical archive, e-mail | 5 years after termination of employment |


Deadline for erasure of industrial injury data

| Object | Purpose | System etc. | Deadline for erasure |
|---|---|---|---|
| Industrial injuries | Ordinary and sensitive data | HR system, physical archive, e-mail | 5 years |

Deadlines for erasing data on checks/monitoring of employees

| Object | Purpose | System etc. | Deadline for erasure |
|---|---|---|---|
| Video surveillance | Crime prevention purposes | | 30 days |
