Identification requirements: employers, pay attention!
On May 25, the GDPR (General Data Protection Regulation), went into effect. Do you know its exact implications for your duty of identification?
As an employer in The Netherlands, it has been your responsibility to perform an extensive identification process for your employees since 2005. On May 25, the GDPR (General Data Protection Regulation, also known as AVG in The Netherlands) went into effect. Do you know its exact implications for your duty of identification? In other words: do you have your affairs in order or are you at risk of being fined? Let’s take a quick look at your responsibilities and obligations.
Duty to verify
Whenever you hire new staff, it is your duty to verify without a doubt the identity of your employees. The easiest way to do so is of course to request your employee’s proof of identity. A quick look at the photo on the document would be enough to satisfy most employers. Strictly speaking, though, this method is inadequate. It does not take into account that you might be looking at a falsified identity document. That’s why, aside from the GDPR, it is always wise to verify the document and its owner with a specialized service provider. That way you can be confident that you are storing accurate information in your personnel file.
Duty to maintain
As an employer, it is always your duty to be able to provide the identity information of your employees at the very first request. In order to do so, you maintain personnel files full of that exact information. Of course, you should store those files safely in a place where not just anyone can access them. The GDPR/AVG adds a new dimension to this responsibility: you need to prove that you are taking every possible measure to protect and guarantee the privacy of the individuals in question. Additionally, it should be transparent how long you plan to keep their information on file. That term should not be any longer than strictly necessary. You should record this timeline in a document in order to comply with the GDPR. Are you working with an external party for salary administration? In that case, it’s your duty to sign a Data Processing Agreement with that party.
Duty of care
Your employees have the duty to identify themselves. As an employer, it is your responsibility to enable them to identify themselves in the case of an official check. That can be as simple as showing a valid piece of ID. As part of your duty of care, it is your job to inform your employees of that fact. The same goes for individuals who perform work for you, but who aren’t permanent staffers, like temp workers or freelancers.
Are you already compliant with the new norm?
As you can tell, the odds are great that you are already in compliance with the GDPR. Perhaps you need to update a few documents and possibly one or two Data Processing Agreements. It could give you peace of mind to chat with a pro in the field of identity processing: give DataCheker a call. We look forward to helping you out.