Securiti AI Recognized as a Customers’ Choice For DSPM By Gartner Peer Insights


Employee Privacy Rights: What You Need to Know

Published November 2, 2022 / Updated March 2, 2024

Listen to the content

What are Employee Data Obligations and Privacy Rights?

Modern privacy laws like the GDPR, CPRA, and LGPD treat customers and employees equally regarding their personal data, granting them several rights and safeguards. These laws have also placed obligations on organizations to securely process employee personal data and fulfill any data access requests submitted by employees.

Commonly, these laws provide employees the right to access, delete, or amend their personal data by submitting a request. Employees can also opt-out of certain types of data processing. For example, in general, employees can request access to their sickness records, interview notes, disciplinary records, or emails containing their personal information.

However, employers can refuse to provide access to certain records, such as confidential performance evaluation reports, management forecasting and planning reports, or data containing third-party information. These rights - their applicability and exceptions - may vary from one privacy law to another. Therefore, it is essential to identify which of the global privacy laws apply to your organization and employees.

Failure to protect employee privacy rights according to modern privacy laws may expose organizations to excessive fines, reputational damage, and potential criminal liabilities.

Explore each law in detail below. You will find expertly crafted, summarized information on the following privacy laws:

  • GDPR.
  • CPRA.
  • LGPD.
  • NZPA.

Before we move forward, it’s important to understand the employee privacy rights every employer needs to know. Understanding employee privacy rights will enable employers to better address issues and avoid unnecessary data subject access requests stemming from employees as well as ensure compliance with evolving data privacy laws.

Employee Privacy Rights

Following are employee privacy rights:

Invasion of employee’s privacy is unacceptable. However, if, for instance, a worker is caught on camera taking an organization’s property home without authorization, the business may be justified in performing a physical search.

Video Surveillance

If your business is private, you have the legal right to videotape personnel in order to keep them safe and secure and to protect your business. However, using audio in video recordings should be avoided as this could be against the federal wiretap statute, which covers oral communication.

Additionally, stay away from deploying video surveillance in areas where employees expect a reasonable level of privacy, such as common rooms, restrooms, break rooms, or other areas.

Background and Credit Card Checks

The Fair Credit Reporting Act (FCRA) mandates businesses to obtain the consent of job applicants before conducting their background checks and creditworthiness assessment. Make sure your job description and job advertisement are very explicit about the fact that background checks are required if you hire for positions that require them.

Internet and Email

Anyone who unlawfully and willfully intercepts oral, wire, or electronic communication is in violation of the Electronic Communications Privacy Act of 1986 (ECPA). Additionally, access to this kind of information while it is being stored is forbidden by the Stored Communications Act (SCA). Private companies do, however, have the right to keep an eye on their employees' correspondence and internet usage.

Social Media

Social networking platforms are being used by employers more than ever to find talent and check the credentials of potential workers. However, utilizing social media might result in legal issues so it’s always best to take explicit consent from the employee before examining their social media.

Genetic Information

Employers are not allowed to discriminate against employees based on their genetic histories under the Genetic Information Nondiscrimination Act (GINA). If your business has 15 or more employees and is a public or private employer, the law applies to you.

Alcohol and Drug Test

Employers have the right to test their employees for drug and alcohol usage, but they’re not allowed to disclose the results of those tests. Organizations should have policies regarding alcohol and drug usage to avoid any confusion.

Social Security Numbers (SSNs)

Identity theft cases are increasingly on the rise. To slow the rise of identity and credit fraud, many states have implemented legislation. Make sure you are aware of the laws in this regard in your state.


The GDPR obligates employers to give their employees and customers the same rights in connection to their personal data.

For example, employees have the following rights:

  • The right to information;
  • The right to access;
  • The right to rectification (correction);
  • The right to erasure (deletion);
  • The right to restriction of processing;
  • The right to data portability; and
  • The right to object to automated individual decision-making including profiling.

Under the GDPR, an employer must have a legal basis to process employee personal data. The legal basis could be:

  • The performance of the contract,
  • Compliance with a legal obligation,
  • Protection of vital interests of the data subject,
  • Performance of a public task,
  • Protection of legitimate interests of the employer or a third party,
  • The employee’s consent.

Employers must ensure they process employee data lawfully, fairly, and transparently, regardless of the applicable legal basis. They must also adhere to the 7 principles relating to the processing of personal data, such as purpose limitation, data minimization, accuracy, and storage limitation.

Under the GDPR, employers are responsible for protecting employees' personal data. Therefore, employers must have a data breach management mechanism in place that meets mandatory breach notification requirements.

For example, under the GDPR, employers are required to notify personal data breaches to the regulatory authority where a breach is likely to result in a risk to the rights and freedoms of employees. If the risk is high, then employers must also notify the impacted employees without undue delay.

Finally, the GDPR includes obligations for cross-border data transfers or sharing employee personal data with third parties. For instance, an employer may share personal data with external parties such as HR or medical insurance services, etc. In doing so, it is the employer’s responsibility to assess the privacy and compliance practices with the provisions of the GDPR, of all external parties.

To learn more about each provision in detail, visit our knowledge article about GDPR employee data obligations explained.

California - CPRA

The CPRA mandates that employers give employees and customers equal rights on their personal data.

From January 1, 2023, under the CPRA, employees have the following rights:

  • The right to access;
  • The right to delete;
  • The right to correct;
  • The right to opt-out of the sale/sharing of personal data;
  • The right to limit the disclosure of sensitive personal data;
  • The right to opt-in to financial incentives for processing of his personal data;
  • The right to access information on automated decision making (pending regulations);
  • The right to opt-out of automated decision making (pending regulations); and
  • The right to non-discrimination.

The CPRA obligates employers to honor these employee rights.

The CPRA also obligates employers to notify employees at or before the collection of their personal data. There are restrictions on using personal data for any non-disclosed purposes as well.

Under the CPRA, employers are also responsible for protecting the data of their employees. To do so, employers must have a mechanism to meet all of CPRA’s data security requirements.

Employers are also required to have a breach management notification system. This system is set up to notify employees of any unredacted/unencrypted personal information, or account/password details. Employers must also notify employees in the case when the encryption key of encrypted personal information is compromised.

Finally, the CPRA includes obligations for sharing employee personal data with third parties. The CPRA mandates employers to sign contracts with a third party, service provider, or contractor with whom it discloses, sells, or shares employee personal information to ensure the transferred data is afforded the same level of protection by the recipient organizations as was provided by the CPRA.

To learn more about CPRA’s strict requirements, visit our knowledge article about CPRA employee data obligations explained.

Brazil - LGPD

The LGPD, which applies to both private and public entities in Brazil, mandates that employers give employees and customers equal rights to their personal data.

Under the LGPD, employees have the following rights regarding their personal data:

  • The Right to Confirmation;
  • The Right to Access;
  • The Right to Correction;
  • The Right to Anonymization;
  • The Right to Portability;
  • The Right to Deletion;
  • The Right to Information on data sharing;
  • The Right to Information about consequences for denying consent;
  • The Right to Revocation of consent;
  • The Right to Oppose non-consent based processing;
  • The Right to Request for review of decisions made solely on the basis of automated processing.

The LGPD also mandates that employers implement all necessary technical and administrative controls that enable the protection of personal data from unauthorized, accidental, or unlawful access.

Under the LGPD, employers are obligated to ensure that the following principles are followed when processing employee personal data:

  1. Purpose of processing: Any processing of employees’ personal data must have a legitimate, specific, legal, and explicit purpose.
  2. Prevention of harm from processing: Employers must ensure that appropriate measures are taken to protect an employee's data from damage due to processing.
  3. Adequacy of processing: The processing activity should adequately match up with the stated purpose of the processing.
  4. Necessity of processing: Employers must limit the collection and processing of employees’ personal data to the minimum necessary for the stated purpose.
  5. Accountability of processing: Employers must be able to demonstrate the adoption of measures capable of achieving compliance.
  6. Maintenance of the Quality of Data: Employers must ensure the accuracy, clarity, relevancy, and currentness of their employees’ personal data.

To learn about all employer obligations under the LGPD, visit our detailed guide on Employee Data Obligations under LGPD. You will also learn about the employer’s obligations to ensure data protection, fulfill data breach management notification requirements, honor third-party personal data sharing requirements, and more.

New Zealand - NZPA

New Zealand's new Privacy Act has been effective since December 1, 2020. It is a modernized version of the 1993’s Privacy Act and incorporates several privacy principles that can be found in major global privacy laws.

For instance, similar to the GDPR or CPRA, the NZPA grants employees the right to access and the right to correct their personal information from their employer.

Additionally, an employer’s obligations under the NZPA include the following:

  • Employee personal data must be processed only on the basis of a lawful function.
  • The collection of employee personal data must not be unfair or unreasonably intrusive.
  • Employee personal data must be kept accurate and updated.
  • Employee personal data must not be kept longer than is required for lawful processing purposes.
  • Personal data must be processed for specified, and stated purposes, and
  • Employees must be informed of the collection of their data.

Employers are also required to implement all necessary controls and systems to ensure the obligations (mentioned above) are met and employee data is protected.

Under the NZPA, employers are required to protect their employee data against any loss, disclosure, or misuse by having adequate security controls in place. In case of a privacy breach that has caused serious harm to the concerned employee, the employer must notify the Privacy Commissioner and the affected employee.

While sharing an employee’s personal data with external parties, employers are required to assess the third party’s privacy practices and their compliance with NZPA requirements.

As far as cross-border data transfers are concerned, employers can transfer personal information outside New Zealand only if they fulfill specific conditions described under the NZPA.

To learn all the details about Employee Data Rights and Employer Obligations under the NZPA, refer to our expert-curated guide.

Singapore - PDPA

Singapore’s Personal Data Protection Act (PDPA) has several provisions governing the collection, disclosure, use, and care of personal data. It recognizes the rights of customers and employees to give them more control over their personal data and aims to guarantee the protection of their personal data.

Recruitment companies, employment agencies, head-hunters, and other similar organizations are also subject to the Data Protection Provisions of the PDPA.

PDPA provides the following rights to employees:

  • Right to withdraw consent: Employees may at any time withdraw any consent given or deemed to have been given under the PDPA in respect of the collection, use, or disclosure of their personal data for any purpose by an employer. Section 16 of the PDPA sets out a number of requirements that must be complied with by either the employee or the employer in relation to a withdrawal of consent.
  • Right to access: Employees have the right to request access to their personal data. An employee may also request to access the CCTV footage that they appear in.
  • Right to rectification: Employees have the right to request the correction of their personal data.

These rights are similar to the ones granted to employees in the GDPR and CPRA.

In addition, the PDPA imposes certain obligations on employers regarding employee personal data. For instance, employers must collect employee consent before collecting, using, or disclosing their personal data. However, an employer can also process its employees' data without consent for managing and terminating the employment relationship or for evaluative purposes.

If the employer wishes to use the personal data for purposes for which consent may not be inferred or to which there is no applicable exception under the PDPA, the employer must then inform the employee of those purposes and obtain his/her consent.

Also, employers should provide notices to employees if CCTVs are in place at workstations.

Other obligations include aligning with Purpose, Accuracy, Access, and Retention Limitations principles.

Employers also have Data Protection, Data Breach Notifications, Third-Party Data Disclosure, and Data Protection Impact Assessment obligations under the PDPA. To understand these obligations in detail, please refer to our guide, how to Manage Employees’ Data Under Singapore's Personal Data Protection Act (PDPA).

Key Takeaways:

  1. The introduction of modern privacy laws like the GDPR, CPRA, LGPD, NZPA, and Singapore's PDPA has significantly enhanced the rights and protections granted to individuals concerning their personal data, treating employees and customers equally.
    Here are the key takeaways for organizations to operationalize these laws in relation to employee personal data:
  2. Applicability and Compliance: These laws apply to any entity processing personal data, covering both customers and employees. They detail obligations for organizations to process employee personal data securely and respond to data access requests from employees.
  3. Employee Rights: Employees are granted rights to access, delete, amend, and opt-out of certain data processing activities. These rights are subject to exceptions, such as when dealing with confidential performance evaluations or third-party information.
  4. Obligations for Organizations: Organizations must:
    Obtain explicit consent for data processing or fulfill other legal bases,
    Notify employees about data collection and processing,
    Implement security measures to protect personal data,
    Manage data breaches effectively,notifying regulatory bodies and affected individuals when necessary,
    Appoint a Data Protection Officer (DPO) if required,
    Conduct Data Protection Impact Assessments (DPIAs) as needed,
    Maintain records of processing activities,
    Ensure proper handling of third-party data processing,and
    Comply with cross-border data transfer requirements.
  5. Specific Rights Under Different Laws:
    GDPR: Grants comprehensive rights including access, rectification, erasure, and portability, with strict legal bases for processing and cross-border data transfer obligations.
    CPRA: Expands on California's CCPA, introducing rights to correct, opt-out of data sale/sharing, and limit the use of sensitive personal data.
    LGPD: Brazilian law offering rights similar to GDPR, emphasizing data protection, and the accountability of processing.
    NZPA: Updates New Zealand's privacy framework, focusing on access, correction, and security, including breach notification requirements.
    Singapore's PDPA: Balances employee rights to withdraw consent, access, and rectification, with employer obligations for consent, notification, and lawful processing for employment purposes.
  6. Operationalizing Compliance:
    Understand which laws apply to your organization,
    Categorize and secure personal data inventories,
    Establish transparent processing practices through policies and notices,
    Develop frameworks for responding to data subject requests,
    Conduct risk assessments and implement necessary security measures,
    Appoint a knowledgeable DPO where required, Create consent management processes,
    Enable employees to exercise their data rights effectively,
    Adopt and review technical and organizational measures for data protection, and
    Examine data handling practices and third-party agreements for compliance.
  7. Securiti's Role: Offers automation solutions to help businesses comply with global privacy standards, emphasizing data privacy as a fundamental human right. Organizations should leverage such solutions to streamline compliance processes, minimize risks, and protect the privacy rights of employees and customers alike.

Frequently Asked Questions (FAQs)

Employee privacy rights and policy refer to the rights that employees have concerning the protection of their personal data and privacy in the workplace. These rights include the right to data privacy, the right to be informed about data collection, and the right to access and control their personal information, among other rights.

An employee privacy policy is a document that outlines how an organization collects, uses, and safeguards employee personal data. It also explains employees' rights regarding their data and how they can exercise those rights.

Employers should consider risks related to data breaches, unauthorized access to employee data, compliance with data protection laws, and the potential impact on employee privacy when implementing workplace monitoring or surveillance systems.

The rights to privacy in the workplace encompass employees' rights to have their personal information protected, to be informed about data collection practices, and to have their privacy respected, balanced with the employer's legitimate interests.

Securiti for Workday

Security | PrivacyOps | Governance | Compliance

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


More Stories that May Interest You