Personal data processing restrictions concerning employees. Implementation recommendation for German companies

Academic Paper from the year 2021 in the subject Business economics - Business Management, Corporate Governance, grade: 1,3, The FOM University of Applied Sciences, Hamburg, language: English, abstract: This paper poses the following questions: What do companies have to consider to act compliant to GDPR? And which restrictions apply to companies in context with employee data processing? The objective of this paper is to find answers to these questions and to derive appropriate recommendations for action to support German companies in implementing appropriate measures for GDPR compliance. Companies need to collect and process personal data about their employees over the whole employee life cycle, from recruiting, over development until exit of employees. Consequently, companies are affected by the European Union's General Data Protection Regulation (GDPR), which came into effect on the 25th of May 2018. It regulates the processing of personal data by a company, an organization or an individual related to natural persons, also called data subjects. As in companies, the human resource department is involved in the whole employee journey, they play a major role as an entity which controls and processes personal data. Therefore, the implementation of appropriate measures to comply with the GDPR as laid out in this paper is essential for all companies who employ people. In the course of the advancing digitization, companies depend more and more on data and face several challenges, ranging from a frequently changing workforce, to ever-changing regulations to the unexpected pandemic with a shift of the way of working with employees and the enforcement to re-think the way employees are managed. According to Statista, Germany has the second highest aggregated value of GDPR fines imposed in Europe between May 2018 and January 2021 with 69 million euro. Only Italy registered 300.000 euro more fines during that period. No deviation between the kind of data breaches, whether