The arrival of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and of Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the "Regulation", has caused considerable problems for employers in the processing of their employees' personal data, particularly with regard to their membership of trade unions. Many employers began to think intensively about how to set up "cooperation" with trade unions so that the processing of personal data would be in accordance with the Regulation, Act 18/2018 Z.z. on personal data protection and, ultimately, with the Labor Code No. 76/2021 Coll. amending and supplementing Act No. 311/2001 Coll. Labor Code, as amended, and amending certain laws, as this is a special category of personal data.
The processing of special categories of personal data is generally prohibited unless one of the exceptions in Article 9(2) of the Regulation applies, where the processing of special categories of personal data is permitted. However, such processing must have a legal basis in accordance with Article 6(1) of the Regulation. Pursuant to Article 9(2)(b) of the Regulation, the scope of the employer's obligations under a collective agreement may be determined if "processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, where authorised by Union or Member State law or by a collective agreement under Member State law providing for appropriate safeguards for the fundamental rights and interests of the data subject".
Processing of trade union membership data by employers in accordance with the Regulation
In most cases, employers have no interest in processing information about their employees' membership of trade unions, but there are cases where this is simply unavoidable. Examples include deductions from wages for trade unions or cooperation with trade unions in defending the interests of employees.
Many employees pay their union membership fees in the form of deductions from their wages through their employer. For any deductions from wages, the employee and employer must sign a written agreement. It is not necessary, nor is it required by law, for the agreement to include the name of the recipient. It is sufficient to specify the account number and the amount to be paid into that account. This allows the employer to "avoid" processing a special category of personal data. However, care must also be taken with pay slips, and such deductions should only be defined as "other deductions." Another option is to offer the employee a different solution, such as setting up a standing order at a bank or in a mobile banking app, which is probably the easiest way to deduct fees from wages today.
In the case of membership fees being deducted from wages, trade unions often require employers to provide a list of employees who are members of the trade union and from whose wages such deductions were made in the relevant month for internal control purposes to ensure that members are fulfilling their obligations.
In this case, we can refer to Article 88 of the Regulation, which allows "Member States to lay down more specific rules to ensure the protection of the rights and freedoms of employees when processing their personal data in the context of employment, in particular for the purposes of recruitment, the performance of a contract of employment, including the performance of obligations arising from law or collective agreements, for the purposes of management, planning and organization of work, equality and diversity in the workplace, health and safety at work, protection of the employer's or customer's property, as well as for the purposes of exercising and enjoying employment-related rights and benefits on an individual or collective basis and for the purposes of terminating the employment relationship" and also the processing of special categories of personal data with the application of the exception under Article 9(2)(b) of the Regulation.
However, this legal basis (Article 9(2)(b)) is not an adequate legal basis for the processing of information on the trade union membership of employees by employers when deducting membership fees from wages.
An appropriate solution is to use the above-mentioned exception and lay down new precise rules for the processing of personal data in a manner that would, in selected cases, allow the trade union to request the personal data in question, including special categories of personal data, whereby the employer would be obliged to provide such data in accordance with the collective agreement as formulated above. The collective agreement should define:
- the precise cases in which the exemption in question will apply (when the employer may provide personal data of employees to the trade union organization),
- the scope of personal data and the structure of the information provided and the form of its processing,
- the period for which such personal data will be processed,
- technical and organizational measures to prevent unauthorized access by third parties.
Last but not least, it is necessary to ensure appropriate technical and organizational measures.
This poses a problem or an additional obligation for the employer if the trade union is located on the premises of the controller and uses the controller's premises and technical equipment. In such a case, the members of the trade union must comply with the security measures adopted by the employer. This is a non-standard situation where both the employer and the trade union must take appropriate security measures for the personal data being processed, including special categories. This means that the employer must put in place the following measures with regard to the processing of special categories of personal data, even if such processing does not actually take place:
Personal data processed in data storage facilities that are also used by the trade union organization should only be accessible to authorized persons, and only to the extent that is necessary for their job classification or the performance of their work tasks.
Personal data must be protected during all processing operations by strictly setting rules for the processing of personal data (including sensitive categories of personal data), taking into account all situations from entry into the premises, access to data, security in the online world, and the actual disposal of personal data. Within each processing operation, the person in charge must be properly instructed and the scope and purpose of the processing of personal data must be precisely defined.
Sources:
https://library.fes.de/pdf-files/bueros/slowakei/15455.pdf
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Act No. 311/2001 Coll. Labor Code
