We are often asked how businesses are expected to comply with GDPR requirements when disclosing employee data in a situation where the Transfer of Undertakings (Protection of Employment) Regulations (TUPE) applies.
In accordance with TUPE, the transferor (e.g. the seller or current employer) is required to provide the transferee (e.g. the buyer or new employer) with certain Employee Liability Information (ELI), including personal data about the age and dates of birth of the employees, their terms and conditions of employment and information about any disciplinary and grievance procedures in the 2 years prior.
In these circumstances, the GDPR condition for the lawful processing of personal data will be satisfied as it is “necessary to comply with a legal obligation”. Strictly speaking therefore it does not matter whether or not the information is anonymised.
Whilst this may be reassuring, businesses should avoid being lulled into a false sense of security and dropping their guard when it comes to the protection of employee data.
Whilst the ELI is useful to the buyer/new employer, it is unlikely to consist of all information it requires in relation to the transferring employees. More often than not further information will be requested as part of a due diligence exercise, including details about employees on sickness absence or maternity leave for example. It can be difficult to keep track of what is protected as ELI information and what is not.
For the information that is not captured by the ELI exception, the current employer/seller may try to rely on the legitimate interests condition. Under GDPR legitimate interests that are relevant are no longer limited to the interests of the disclosing business however this lawful basis requires a careful balancing act between the benefit to the discloser/third party and the impact on an individual’s privacy and their expectations. Businesses will need to be able to demonstrate compliance, e.g. by documenting its assessment.
Therefore, to be on the safe side and avoid data protection breach issues it is wise to anonymise all employee data from the outset. The simplest way is to refer to each employee by number and use that number code when referring to them through the whole due diligence process.
So who wins? Well technically it is a draw but GDPR might win in extra time!
To discuss this topic further or to discuss any other issues relating to Employment Law, please contact Emma McLoughlin, Associate Solicitor in our Employment Team on 020 8614 4590 or by email on [email protected].