Ex-Employee Data Retention Policies Face New EU Privacy Regime

EU employers should adopt policies on how long they will keep information on former employees to ensure compliance with the bloc’s new privacy regime, privacy attorneys told Bloomberg Law.

Companies will need to take into account both limitations on retaining personal data set out in the EU General Data Protection Regulation, which takes effect May 25, 2018, and legitimate legal needs to hold on to information on former employees long after they leave the company.

The GDPR doesn’t set specific time limits on how long companies may retain data on individuals no longer in their employ. But the Article 29 Working Party of privacy officials from the 28 EU member countries issued an opinion with guidance on new obligations under the GDPR that stated former employee data should only be stored for the “minimum amount of time needed.” Companies should specify a fixed retention period and delete information on former employees “whenever it is no longer needed,” the group said.

Given the absence of specific data retention rules in the GDPR or from the guidance, companies should look to data retention laws in the EU countries where they operate, and to laws that govern employment issues such as discrimination, taxes, or payroll, to determine whether limits on how long a matter can be challenged with a lawsuit may provide benchmarks for justifying data retention, privacy attorneys said.

“It is appropriate to retain former employees’ personal data up to the expiry of the statute of limitation period provided by local laws,” Giulio Coraggio, head of DLA Piper’s technology sector practice in Italy, told Bloomberg Law.

The relevant statutory limitation periods vary across the 28 EU member countries, making the need to tailor specific data retention policies an even more complex undertaking.

Beware Blanket Policies

The GDPR requires companies that control the collection and use of personal data to whenever possible set limits on data retention.

“Employers, as data controllers, must be clear about the length of time for which employment records are retained and also why that information is being retained,” Michelle Ryan, an employment attorney at the Ronan Daly Jermyn in Cork, Ireland, told Bloomberg Law.

Companies should avoid a blanket data retention period policy, but shouldn’t shy away from coming up with written policies that cover specific situations, as the GDPR includes new requirements that companies document their privacy and data security compliance efforts.

Company policies should allow retention for periods tailored to specific kinds of data retained for specific needs, such as defending a particular type of claim, according to Stephanie Creed, an employment attorney at Taylor Wessing LLP in London, told Bloomberg Law.

Employers will need to be able to justify their data retention decisions, Creed said. Employers should identify the data they collect and store, the purpose for which it was collected and retained, and the period for which they intend to retain it, she said.

If the data of former employees may need to be retained for a long time, there are security protocols companies can employ.

“The level of access within the company should be considerably restricted to avoid misuse,” Coraggio said. Encrypting such data and giving the key to unlock the data to an independent third party, “such as a public notary who is instructed to decrypt data only upon request from a competent court,” can safeguard against misuse, Coraggio said

Country Guidance

It is unlikely that EU-level officials will provide any more detailed data retention guidance given the differences in statutes of limitations across the bloc, Ryan said. Companies may get only general country-level guidance on data retention periods under the forthcoming GDPR.

The Confederation of Danish Industry recently told its business members that under the GDPR, Danish companies would likely be justified in retaining personal information for up to five years. But “if there is a legitimate purpose for retaining the data, then it can be retained,” the group said.

The Danish privacy office intends to release new guidance in handling personal information in the workplace in February 2018, Astrid Mavrogenis, head of department at the Danish data protection office, told Bloomberg Law.

But neighboring country privacy regulators don’t have specific plans for new guidance on storing workplace data.

“We’ve had only a few cases referring to the length of time employee data is retained, and do not think we will see more after the GDPR takes effect,” Bjorn Erik Thon, director of the Norwegian privacy office, told Bloomberg Law. The office has no plans to release new guidance on workplace data retention, he said. “Storage for a given period, up to several years, is okay as long as the data is relevant.”

Finland is examining whether any changes to its special workplace data privacy law are needed because of the GDPR, Finland Data Protection Ombudsman Reijo Aarnio told Bloomberg Law.

Sweden hasn’t taken any specific position on retention of employee data under the GDPR, a spokesperson with the Swedish Data Protection Authority, told Bloomberg Law.

To contact the reporter on this story: Marcus Hoy in Copenhagen at correspondents@bloomberglaw.com

To contact the editor responsible for this story: Donald Aplin at daplin@bloomberglaw.com