On 26 November 2018, the Data Protection Agency published a guidance on data protection in relation to employment relationships. The guidance reviews the most common problems in relation to the general data protection regulation and employment relationships. The guidance should be read in conjunction with the Agency’s other guidelines.

The employer decides whether to employ or dismiss employees and arranges the assignments to be performed by the employees. The employer is therefore controller in relation to the processing of data collected in connection with the employment, etc. There has been a lot of doubt as to who will be the controller in relation to the shop stewards’ assignments - is it the shop steward or the union. The shop steward is employed with the employer, but is the spokesperson in relation to the management as the local link in a professional structure. According to the guidance, it depends on how the union in question is organised in relation to the shop steward’s powers of direction, whether the shop steward or the union is to be considered controller.


Many had hoped that the guidance would provide further directions on the use of consent in employment relationships. Unfortunately, it doesn’t - it merely refers to the general guidelines concerning consent.


The guidance contains a review of the most important data used in connection with the recruitment procedure, during and after the employment and the employer’s possibility of disclosing data to e.g. insurance companies and unions. In addition, it describes the possibilities of control of employees, requirements for deletion of data, etc. Data processed in connection with the recruitment procedure may for instance be:

  • Obtaining of references: This is normally based on consent. It is important to keep in mind which data are to be obtained as the consent must be informed and specified, and if the data are sensitive, the consent must also be explicit.
  • Criminal records and children’s certificates: These may be obtained only if this is objective and proportionate and normally only with the candidate's consent.

Data processed during the employment may for instance be:

  • Data to pension companies. In general, disclosure may take place under section 12 (1) of the Data Protection Act or Article 6 (1) (b) of the Data Protection Regulation.
  • Data transferred between group companies: The guidance is very cautious when it comes to private employers’ disclosure between group companies. The guidance only states that there may be authority to transfer data as the group companies may be considered independent controllers. A reference to the Regulation’s recital no. 48 could perhaps be a nice service information. It appears from recital no. 48: Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected”.


Employees have the same rights as other data subjects under the data protection rules. This means that the employer must inform the employee of the data processed by the employer on the employee. There are no formal requirements for the fulfilment of the duty of disclosure.

The right of access implies that, on demand, the employee is entitled to receive information on e.g. the purpose of the processing of the data on the employee, the data categories and any recipients of the data. In addition, the employee must be informed about the right to rectify and delete data, etc. As the purpose of the right of access is to create transparency in relation to the processing of the data, the Data Protection Agency states that information in letters, memos and e-mails, etc. prepared or sent in a work context are not data covered by the right of access.


The guidance contains a section on the unions’ processing of personal data. In general, a person’s membership of a union is sensitive data covered by Article 9 of the Data Protection Regulation. The union is authorised to process the data when the processing is part of the union’s work as a trade organisation. In addition, the union is authorised to process data when this is a requirement for observance of the union’s or the data subject’s labour law obligations or specific rights authorised by law or collective agreements. For more information, see the guidance’s supplementary information on the exchange of data between trade unions and shop stewards and disclosure of information to the members.