'Most Innovative Startup 2020' by RSA - Watch the videoLearn More
Published on August 21, 2021 AUTHOR - Privacy Research Team
Modern privacy laws like the GDPR, CPRA, and LGPD treat customers and employees equally regarding their personal data, granting them several rights and safeguards. These laws have also placed obligations on organizations to securely process employee personal data and fulfill any data access requests submitted by employees.
Commonly, these laws provide employees the right to access, delete, or amend their personal data by submitting a request. Employees can also opt-out of certain types of data processing. For example, in general, employees can request access to their sickness records, interview notes, disciplinary records, or emails containing their personal information. However, employers can refuse to provide access to certain records such as confidential performance evaluation reports, management forecasting, and planning reports, or data containing third-party information. These rights - their applicability and exceptions - may vary from one privacy law to another. Therefore, it is essential to identify which of the global privacy laws apply to your organization and employees.
Failure to protect employee privacy rights according to modern privacy laws may expose organizations to excessive fines, reputational damage, and potential criminal liabilities.
Explore each law in detail below. You will find expert crafted, summarized information of the following privacy laws:
The GDPR obligates employers to give their employees and customers the same rights in connection to their personal data.
For example, employees have the following rights:
Under the GDPR, an employer must have a legal basis to process employee personal data. The legal basis could be:
Employers must ensure they process employee data lawfully, fairly, and transparently, regardless of the applicable legal basis. They must also adhere to the 7 principles relating to the processing of personal data such as purpose limitation, data minimization, accuracy and storage limitation.
Under the GDPR, employers are responsible for protecting employee personal data. Therefore, employers must have a data breach management mechanism in place that meets mandatory breach notifications requirements. For example, under the GDPR, employers are required to notify personal data breaches to the regulatory authority where a breach is likely to result in a risk to the rights and freedoms of employees. If the risk is high, then employers must also notify the impacted employees without undue delay.
Finally, the GDPR includes obligations for cross-border data transfers or sharing employee personal data with third parties. For instance, an employer may share personal data with external parties such as HR or medical insurance services, etc. In doing so, it is the employer’s responsibility to assess the privacy and compliance practices with the provisions of the GDPR, of all external parties.
To learn more about each provision in detail, visit our knowledge article about GDPR Employee Data Obligations Explained.
The CPRA mandates that employers give employees and customers equal rights on their personal data.
From January 1, 2023, under the CPRA, employees have the following rights:
The CPRA obligates employers to honor these employee rights.
The CPRA also obligates employers to notify employees at or before the collection of their personal data. There are restrictions on using personal data for any non-disclosed purposes as well.
Under the CPRA, employers are also responsible for protecting the data of their employees. To do so, employers must have a mechanism to meet all of CPRA’s data security requirements.
Employers are also required to have a breach management notification system. This system is set up to notify employees of any unredacted/unencrypted personal information, or account/password details. Employers must also notify employees in the case when the encryption key of encrypted personal information is compromised.
Finally, the CPRA includes obligations for sharing employee personal data with third parties. The CPRA mandates employers to sign contracts with a third party, service provider or contractor with whom it discloses, sells or shares employee personal information to ensure the transferred data is afforded the same level of protection by the recipient organizations as was provided by the CPRA.
To learn more about CPRA’s strict requirements, visit our knowledge article about CPRA Employee Data Obligations Explained.
The LGPD, which applies to both private and public entities in Brazil, mandates that employers give employees and customers equal rights on their personal data.
Under the LGPD, employees have the following rights regarding their personal data:
The LGPD also mandates that employers implement all necessary technical and administrative controls that enable the protection of personal data from unauthorized, accidental, or unlawful access.
Under the LGPD, employers are obligated to ensure that the following principles are followed when processing employee personal data:
To learn about all employer obligations under the LGPD, visit our detailed guide on Employee Data Obligations under LGPD. You will also learn about the employer’s obligations to ensure data protection, fulfill data breach management notification requirements, honor third-party personal data sharing requirements, and more.
New Zealand's new Privacy Act has been effective since December 1, 2020. It is a modernized version of the 1993’s Privacy Act and incorporates several privacy principles that can be found in major global privacy laws.
For instance, similar to the GDPR or CPRA, the NZPA grants employees the right to access and the right to correct their personal information from their employer.
Additionally, an employer’s obligations under the NZPA include the following:
Employers are also required to implement all necessary controls and systems to ensure the obligations (mentioned above) are met, and employee data is protected.
Under the NZPA, employers are required to protect their employee data against any loss, disclosure, or misuse by having adequate security controls in place. In case of a privacy breach that has caused serious harm to the concerned employee, the employer must notify the Privacy Commissioner and the affected employee.
While sharing an employee’s personal data with external parties, employers are required to assess the third party’s privacy practices and their compliance with NZPA requirements.
As far as cross-border data transfers are concerned, employers can transfer personal information outside New Zealand only if they fulfill specific conditions described under the NZPA.
To learn all the details about Employee Data Rights, and Employer Obligations under the NZPA, refer to our expert-curated guide.
Singapore’s Personal Data Protection Act (PDPA) has several provisions governing the collection, disclosure, use, and care of personal data. It recognizes the rights of customers and employees, to give them more control over their personal data, and aims to guarantee the protection of their personal data.
Recruitment companies, employment agencies, head-hunters, and other similar organizations are also subject to the Data Protection Provisions of the PDPA.
PDPA provides the following rights to employees:
These rights are similar to the ones granted to employees in the GDPR and CPRA.
In addition, the PDPA imposes certain obligations on employers regarding employee personal data. For instance, employers must collect employee consent before collecting, using, or disclosing their personal data. However, an employer can also process its employees' data without consent for managing and terminating the employment relationship or for evaluative purposes.
If the employer wishes to use the personal data for purposes for which consent may not be inferred or to which there is no applicable exception under the PDPA, the employer must then inform the employee of those purposes and obtain his/her consent. Also, employers should provide notices to employees if CCTVs are in place at work stations.
Other obligations include aligning with the principles of Purpose, Accuracy, Access, and Retention Limitations. Employers also have Data Protection, Data Breach Notifications, Third-Party Data Disclosure, and Data Protection Impact Assessment obligations under the PDPA. To understand these obligations in detail, please refer to our guide How to Manage Employees’ Data Under Singapore's Personal Data Protection Act (PDPA).