Social elections 2024: Know your GDPR obligations | Allen & Overy LLP

Compliance with GDPR requirements is a key factor when you plan and conduct social elections.

Since the social elections procedure involves the processing of a lot of personal employee data, for example, the list of leading personnel, voter lists, candidate lists, etc. (and, moreover, may contain sensitive data, such as union membership), it is important to proceed with the necessary caution.

Observe the GDPR principles

Put GDPR principles at the heart of your approach to processing personal data during the social elections process:

  • Fair, lawful and transparent processing: processing must be reasonable and proportional, based on legal grounds, that is processing must be necessary to comply with the social election regulations. Also, you must be transparent with employees about your processing activities.
  • Purpose limitation: personal data collected for the social elections should not be used for any other purpose that is incompatible with that purpose (and vice versa, data collected for other purposes must not generally be used for social elections purposes).
  • Data minimisation: you should only process personal data that you actually need to process in relation to the social elections.
  • Accuracy: every reasonable step must be taken to ensure that inaccurate personal data is either erased or rectified without delay.
  • Storage limitation: personal data must not be kept for longer than is necessary.
  • Integrity and confidentiality: personal data must be processed in a manner that ensures appropriate security of such data.
  • Accountability: you are responsible for, and must be able to demonstrate compliance with, the data protection principles.

How can you prepare?

Below, we set out some practical advice in relation to the GDPR principles to help you protect the privacy of your employees during the upcoming social elections.

Update your GDPR data register if needed

As an employer, you must maintain an up-to-date register of all processing activities under your responsibility. The data processing register must contain details on the processing of personal data in relation to the social elections.

You should check your data register and update it if necessary.

Inform your employees about the processing of their personal data

Employees should be informed about the processing of their personal data (ie, questions covering points including ‘why’, ‘how’, ‘for how long’, etc.). Check the privacy notice provided to your employees to verify whether they are sufficiently informed how their personal data is processed for the social elections.

When posting information during the social election process, it is important to include the legal basis for the processing of personal data. For example, the FPS Employment proposes to include the following wording when posting the notice notifying the employees of the election date, which is done on the 90th day prior to election day (ie, between 13 and 26 February 2024 depending on the actual election date) (day X):

This data is disclosed in accordance with the information duty in Article 14 of the Social Elections Act of 4 December 2007. As this message contains personal data, the General Data Protection Regulation of 27 April 2016 (GDPR) applies.The company will process the personal data only for the purpose for which it is collected and only for as long as this is necessary or according to the legal retention periods.

Provide training to your HR personnel

It is crucial to consider employees working directly with personal data in connection with the social elections and ensure that they fully understand the consequences of relevant GDPR obligations. If employees handle personal data and do not understand the GDPR obligations, they could very well put the company at risk.

Transfer data with caution

1. Communicate voter lists via a closed platform

The Belgian Data Protection Authority has previously issued guidance to employers not to distribute voter lists by email. Voter lists are best made available electronically via a closed platform or on the company’s secured intranet website which is only accessible to company employees. That being said, you are allowed to send an email to employees with a link to the intranet website provided that only the employees of the company have access to it.

2. Be careful with requests from trade unions

It is possible that trade unions will request the personnel (email) address list to allow them to reach out and target employees in the context of the social elections. This is processing that is not necessarily compatible with the original purpose of the employer for obtaining data, ie personnel management and payroll administration. The Belgian Data Protection Authority had, during the previous social elections, advised in this respect that an employer may therefore only share personal data of its employees with trade unions requesting information provided that each individual employee has given their prior unambiguous and informed consent in this regard.

Observe the mandatory retention periods but do not keep data longer than needed

The social election legislation itself sets out a number of mandatory minimum retention periods for various forms and data.

For example, on day 150 prior to election day (day X – 60) you must provide a formal written announcement, containing the list of leading personnel functions and an indicative list of members of the leading personnel (leidinggevend personeel/personnel de direction), and the list of leading personnel functions and an indicative list of executive staff (kaderleden/cadres) to your relevant employee representative bodies. This notice must be retained for up to 25 days after election day. If someone lodges an appeal, this retention period will be extended.

For other data, the retention periods are longer. For example, the list of leading personnel which must be provided on the 125th day prior to election day (day X – 35), must be kept until the next social elections (that will be organized presumably in 2028) and the posting of the composition of the polling offices on day 30 prior to election day (day X + 60) must be kept until 86 days after election day.

Make sure to align your processes to keep track of these different retention periods.

Secure your electronic voting process

You can let your employees vote electronically in the social elections, as long as your current works council, health and safety committee, or the trade union representation if the company does not currently have such bodies in place, agrees.

Electronic voting can be organized to allow voting from the employee’s usual workplace (ie, not requiring them to vote electronically in a physical polling station) through an end-to-end encrypted network connection that guarantees a reliable authentication of the voter.

When contracting with a service provider to arrange e-voting, you will need to make sure that there are guarantees to ensure vote secrecy, to prevent any influence on voting behaviour during the vote, and to protect personal data.

Leave a Comment

Your email address will not be published. Required fields are marked *