Data Protection in the Sectors

18.05.2022 | Author: Top privacy, s.r.o.

The adoption of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the “Regulation,” has caused significant problems for employers in processing employees’ personal data, particularly regarding their union membership. Because union membership is a special category of personal data, many employers have begun to give serious thought to how to structure their “cooperation” with trade unions so that the processing of personal data complies with the Regulation, with Act No. 18/2018 Coll. on the Protection of Personal Data, and finally with the Labor Code itself (Act No. 76/2021 Coll., which amends and supplements Act No. 311/2001 Coll., the Labor Code, as amended, and which amends and supplements certain laws).

The processing of special categories of personal data is generally prohibited unless one of the exceptions under Article 9(2) of the Regulation applies, in which case the processing of special categories of personal data is permitted. However, such processing must have an appropriate legal basis in accordance with Article 6(1) of the Regulation. Pursuant to Article 9(2)(b) of the Regulation, the scope of an employer’s obligations may be established under a collective agreement if “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, provided that this is permitted by Union law or the law of a Member State or by a collective agreement under the law of a Member State, providing appropriate safeguards for the protection of the fundamental rights and interests of the data subject”.

Processing of data on trade union membership by employers in accordance with the Regulation

In most cases, an employer has no interest in processing information about its employees’ trade union membership, but there are instances where this is simply unavoidable. Examples include payroll deductions for trade unions or cooperation with trade unions in defending employees’ interests.

Many employees pay their union dues through payroll deductions arranged by the employer. For any payroll deductions, the employee enters into a written agreement with the employer. It is neither necessary nor required by law for the agreement to include the recipient’s name. It is sufficient to specify the account number and the amount to be transferred to that account. This allows the employer to, so to speak, “avoid” processing a special category of personal data. However, care must also be taken with pay stubs, and such deductions should be listed only as “other deductions.” Another option is to offer the employee an alternative solution, such as setting up a standing order at the bank or via the bank’s mobile app—which is probably the simplest way to deduct fees from wages these days.

In the case of paying union dues via payroll deduction, trade unions often require the employer to provide a list of employees—union members—from whom such a deduction was made in the relevant month, for their internal verification of whether members are fulfilling their obligations.

In this case, we can rely on Article 88 of the Regulation, which allows “Member States to lay down more specific rules by law or collective agreements to ensure the protection of rights and freedoms when processing employees’ personal data in the context of employment, in particular for the purposes of recruitment, the performance of the employment contract, including the fulfillment of obligations arising from legislation or collective agreements, as well as for the purposes of management, planning, and organization of work, equality and diversity in the workplace, health and safety at work, protection of the employer’s or customer’s property, as well as for the purposes of asserting and exercising rights and benefits related to employment on an individual or collective basis and for the purposes of terminating the employment relationship” and also the processing of special categories of personal data with the application of the exception under Article 9(2)(b) of the Regulation.

However, this legal basis (Article 9(2)(b)) is not an adequate legal basis for the processing of information regarding employees’ union membership by the employer when making payroll deductions for the collection of membership dues.

An appropriate solution is to utilize the aforementioned exception and establish new, precise rules for the processing of personal data in a manner that would, in selected cases, allow a trade union to request the relevant personal data, including special categories of personal data, whereby the employer would be obligated to provide such data in accordance with a collective agreement formulated in this manner. The collective agreement should define:

  • a precise description of the cases in which the exception in question will apply (when the employer may provide employees’ personal data to the trade union),
  • the scope of personal data, the structure of the information provided, and the form of its processing,
  • the duration of the processing of this personal data,
  • technical and organizational measures to prevent unauthorized access by third parties.

Last but not least, it is necessary to ensure appropriate technical and organizational measures.

Here a problem arises, or rather an additional obligation for the employer, if the trade union is based on the controller’s premises and uses the controller’s facilities and technical resources. In such a case, the members of the trade union must comply with the security measures adopted by the employer. This creates a non-standard situation in which both the employer and the trade union must adopt appropriate security measures for the personal data being processed, including special categories of personal data. This means that the employer must implement the following measures regarding the processing of special categories of personal data, even if such processing does not actually take place:

Access to personal data processed on data storage systems also used by the trade union should be limited to authorized persons, and only to the extent necessary for their job classification or the performance of their work tasks.

Personal data must be protected during all processing operations through strict rules for the processing of personal data (including sensitive categories of personal data), taking into account all situations from entry into the premises, access to data, online security, all the way to the actual disposal of personal data. As part of each processing operation, the authorized person must be properly instructed, and the scope and purpose of personal data processing must be precisely defined for them.

Sources:

https://library.fes.de/pdf-files/bueros/slowakei/15455.pdf

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Act No. 311/2001 Coll. Labor Code

https://www.employment.gov.sk/files/slovensky/praca-zamestnanost/zamestnanec-zamestnavatel/kolektivne-pracovnopravne-vztahy/kzvs-priloha-c-2-slaspo-2017-2019.pdf

https://www.employment.gov.sk/sk/praca-zamestnanost/vztah-zamestnanca-zamestnavatela/kolektivne-pracovnopravne-vztahy/kolektivne-zmluvy/

 

