Privacy plays an important role in employment agreements. Consider for instance:

  • What are the conditions to be met by employers when creating personnel files?
  • Who are the persons and organisations that employers are allowed to pass data to?
  • What questions and records may be asked and filed by an employer when an employee reports sick? (also see www.werkenziekte.nl)
  • Who may ask for what data and records, and process these data when an employee reports sick?
  • What questions may be asked by employers to applicants, and how must they treat the outcomes?
  • When are employers allowed to screen applicants or employees?
  • Are employers allowed to check their employees’ email, internet and telephone use?
  • What is the role of the staff council when it comes to privacy of employees?
  • Is an employer allowed to use cameras to control employees?
  • Can camera pictures play a role in dismissal proceedings?

Although the rules are often clear enough, the question primarily concerns the steps that can or must be taken when rules have been violated. Employers obviously are responsible for the correctness and accurateness of the records contained in personnel files, and for the requirement to prevent excess filing of records. Personnel data must be properly protected and secured, and employees must be in a position to instruct rectification, restriction or deletion of records and data.
Employers may (be forced to) supply personnel data to persons within or outside the organisation, like the tax department, a lawyer or their contracted payroll office. Of course, employers are not allowed to supply personnel data and records to third parties just like that.

Medical records are special personal data and may not be processed by employers. The company doctor is the link between the employer and the sick employee and must “translate” medical information into non-medical information for the employer to work with.
Employers are allowed to file the following records regarding sick employees:

  • The telephone number and (nursing) address on which the employee may be reached.
  • The amount of time presumed by the employee to reach final recovery.
  • Current duties and arrangements.
  • The condition whether the illness relates to an accident at work, but not whether the sickness absence is work-related.
  • Whether it concerns a traffic accident with a possibility for recourse. This implies that the employer may possibly reclaim from the party that caused the accident the costs due to the sickness absence and re-integration.
  • Whether the employee qualifies for one out of the four fall-back provisions pursuant to the Dutch Sickness Act (Ziektewet). In that respect, the employee is not always obliged to mention the provisions he or she qualifies for. This question may only be asked if the person has been employed for over two months.

Employers collect many personal records and particulars during applications. Not only are records like these found in letters of application and CVs but in applicants’ recorded interviews as well. Records may also originate from screening, assessment or psychological/medical examination (pre-employment examination). When an applicant does not get the function, the employer usually deletes the data and records not later than four weeks after completion of the application procedure.

Applicants may give their permission for filing their data over longer periods, for instance in case of a possible prospect of a suitable job. In situations like this, the reasonable term for deleting records is one year after completion of the application procedure.

Screening is an aid for restricting risk on the employer’s side. Screening is mandatory by law for certain functions (in child care for instance). The main conditions for screening are a legitimate reason on the part of the employer (legitimate interest), a necessity for screening and for the employer to inform the applicant or employee both in advance and in arrears. Screening implies that an employer requests information about an applicant or employee in order to assess his or her integrity. For instance by telephoning an applicant’s references or finding out if the applicant is black-listed.

Preparing and using black lists is not allowed just like that. Organisations that wish to compile black lists must at least have a compelling interest. It is not allowed to share a black list without the permission of the Dutch Personal Data Authority (Autoriteit Persoonsgegevens).

Employers have various employee control options. For instance camera surveillance, telephone exchanges, admission portals and computer systems. It is not prohibited to control employees. Employers must however account for their employees’ privacy. So employers are not allowed to all-day monitor their employees just like that.

Secret control, so without the employee’s consent, usually is not allowed. Illegally obtained evidence, camera pictures for instance, may in principle be used in a dismissal procedure.

The staff council (ondernemingsraad; OR) plays an important role in the protection of employee privacy. In some cases an employer may be obliged to ask the staff council for its permission or advice. Article 33 section 3 of the Dutch General data protection regulation implementation act (Uitvoeringswet Algemene verordening gegevensbescherming; UAVG) puts an obligation on the employer to ask the permission of the staff council (OR) in order to process penal records relating to personnel. The staff council may also express at its own initiative its views on the use of personnel records and data. It may do so for instance in response to questions or complaints on the part of employees.

Any questions about work floor privacy? Do not hesitate to contact Elfi Arbeidsrecht Advocaat!