I. Scope and definitions
1.1 The principles set out in this Recommendation apply to the collection and use of personal data for employment purposes in both the public and private sectors.
These principles apply to automatically processed data as well as to other data on employees which are held by employers, in so far as such information is necessary to make automatically processed data intelligible.
Manual processing of data should not be used by employers in order to avoid the principles contained in this Recommendation.
1.2 Notwithstanding the principle laid down in paragraph 1.1, second sub-paragraph, a member state may extend the principles of this Recommendation to manual processing in general.
1.3 For the purposes of this Recommendation :
The expression "personal data" covers any information relating to an identified or identifiable individual. An individual shall not be regarded as "identifiable" if identification requires an unreasonable amount of time, cost and manpower.
The expression "employment purposes" concerns the relations between employers and employees which relate to recruitment of employees, fulfilment of the contract of employment, management, including discharge of obligations laid down by law or laid down in collective agreements, as well as planning and organisation of work.
1.4 Unless provisions of domestic law exist to the contrary, the principles of this Recommendation apply, where appropriate, to the activities of employment agencies, whether in the public or private sector, which collect and use personal data so as to enable a contract of employment to be established between the persons registered with them and prospective employers.
1.5 This Recommendation does not, to the extent necessary for the protection of State security, public safety and the suppression of criminal offences, apply to confidential information collected or held by employers for employment purposes on persons recruited for posts or who work in jobs closely related to these matters.2. Respect for privacy and human dignity of employees
2.1 Respect for the privacy and human dignity, in particular the possibility of exercising social and individual relations at the place of work, of the employee should be safeguarded in the collection and use of personal data for employment purposes.3. Information and consultation of employees
3.1 In accordance with domestic law or practice and, where appropriate, in accordance with relevant collective agreements, employers should, in advance, fully inform or consult their employees or the representatives of the latter about the introduction or adaptation of automated systems for the collection and use of personal data of employees.
This principle also applies to the introduction or adaptation of technical devices designed to monitor the movements or productivity of employees.
3.2 The agreement of employees or their representatives should be sought before the introduction or adaptation of such systems or devices where the consultation procedure referred to in paragraph 3.1 reveals a possibility of infringement of employees' right to respect for privacy and human dignity unless domestic law or practice provides other appropriate safeguards.4. Collection of data
4.1 Personal data should in principle be obtained from the individual employee. The individual concerned should be informed when it is appropriate to consult sources outside the employment relationship.
4.2 Personal data collected by employers for employment purposes should be relevant and not excessive bearing in mind the type of employment as well as the evolving information needs of the employer.
4.3 In the course of a recruitment procedure the data collected should be limited to such as are necessary to evaluate the suitability of prospective candidates and their career potential.
In the course of such a procedure, personal data should be obtained solely from the individual concerned. Subject to provisions of domestic law, sources other than the individual may only be consulted with his consent or if he has been informed in advance of this possibility.
4.4 Recourse to tests, analyses and similar procedures designed to assess the character or personality of the individual should not take place without his consent or unless domestic law provides other appropriate safeguards. If he so wishes, he should be informed of the results of these tests.5. Storage of data
5.1 The storage of personal data is permissible only if the data have been collected in accordance with the rules outlined in paragraph 4 and if the storage is intended to serve employment purposes.
5.2 The data stored should be accurate, where necessary kept up-to-date and represent faithfully the situation of the employee. They should not be stored or coded in a way that would infringe an employee's rights by allowing him to be characterised or profiled without his knowledge.
5.3 Where judgmental data are stored relating to the performance or potential of individual employees, such data should be based on fair and honest evaluations and must not be insulting in the way they are formulated.6. Internal use of data
6.1 Personal data collected for employment purposes should only be used by employers for such purposes.
6.2 Where data are to be used for employment purposes other than the one for which they were originally collected, adequate measures should be taken to avoid misinterpretation of the data in the different context and to ensure that they are not used in a manner incompatible with the original purpose. Where important decisions affecting the employee are to be taken based on data so used, he should be informed.
6.3 The interconnection of files containing personal data collected and stored for employment purposes is subject to the provisions of paragraph 6.2.7. Communication of data to employees' representatives
In accordance with domestic law and practice or the terms of collective agreements personal data may be communicated to employees' representatives in so far as such data are necessary to allow them to represent the interests of the employees. 8. External communication of data
8.1 Personal data collected for employment purposes should be communicated to public bodies for the purposes of their official functions only within the limits of employers' legal obligations or in accordance with other provisions of domestic law.
8.2 The communication of personal data to public bodies for purposes other than the exercise of their official functions or to parties other than public bodies, including enterprises in the same group, should only take place:
a. where the communication is necessary for employment purposes which are not incompatible with the purposes for which the data were originally collected and where employees or their representatives are informed of this; or 9. Transborder data flows
b. with the express and informed consent of the individual employee; or
c. if the communication is authorised by domestic law.
Transborder transfers of personal data collected and stored for employment purposes should be subject to the principles stated in paragraphs 6 and 8.10. Particular categories of data
10.1 Personal data relating to racial origin, political opinions, religious or other beliefs, sexual life or criminal convictions referred to in Article 6 of the Convention for the protection of individuals with regard to automatic processing of personal data, should only be collected and stored in particular cases within the limits laid down by domestic law and in accordance with appropriate safeguards provided therein. In the absence of such safeguards, such data should only be collected and stored with the express and informed consent of the employees.
10.2 An employee or job applicant may only be asked questions concerning his state of health and be medically examined in order:
a. to determine the suitability of an employee or job applicant for his present or future employment;
b. to fulfil the requirements of preventive medicine; or
c. to grant social benefits.
10.3 Health data may not be collected from sources other than the employee concerned except with his express and informed consent or in accordance with provisions of domestic law.
10.4 Health data covered by medical secrecy should only be stored by personnel who are bound by rules on medical secrecy. The information should only be communicated to other members of the personnel administration if it is indispensable for decision-making by the latter and in accordance with provisions of domestic law.
10.5 Health data covered by medical secrecy should be stored separate from other categories of personal data held by the employer. Security measures should be taken to prevent persons outside the medical service having access to the data.
10.6 The data subject's right of access to his health data should not be restricted unless access to such data could cause serious harm to the data subject, in which case the data may be communicated to him through a doctor of his choice.11. Publicity in regard to personal data
11.1 Information concerning personal data held by the employer should be made available either to the employee concerned directly or through the intermediary of his representatives or brought to his notice through other appropriate means.
This information should specify the main purposes of storing the data, the sort of data stored, the categories of persons or bodies to whom the data are regularly communicated and the purposes and legal basis of such communication.
11.2 The information should also refer to the rights of the employee in regard to his data as provided for in paragraph 12 of this Recommendation as well as the ways and means of exercising the right of access.12. Right of access and rectification
12.1 Each employee should on request be enabled to have access to all personal data held by his employer which concern him and, as the case may be, to have such data rectified or erased where they are held contrary to the principles set out in this Recommendation. In the case of judgmental data, each employee should have the right in accordance with domestic law to contest the judgment.
12.2 Exercise of the rights referred to in paragraph 12.1 may in the case of an internal investigation conducted by the employer be deferred until the close of the investigation if the result of the investigation would be otherwise threatened.
12.3 When an employee is faced with a decision based on automatic processing of data held by an employer, he should have the right to satisfy himself that the data have been lawfully processed.
12.4 Except where provisions of domestic law exist to the contrary, an employee should be entitled to designate a person of his choice to assist him in the exercise of the right of access or to exercise the right on his behalf.
12.5 If access to data is refused or if a request for rectification or erasure is denied, domestic law should provide a remedy.13. Security of data
13.1 Employers or firms which may process data on their behalf should implement adequate technical and organisational measures designed to ensure the security and confidentiality of personal data stored for employment purposes against unauthorised access, use, communication or alteration.
13.2 The personnel administration, as well as any other person engaged in processing the data, should be kept informed of such measures and of the need to respect them.14. Conservation of data
14.1 Personal data should not be stored by an employer for a period longer than is justified by the purposes outlined in paragraph 1.3 or is required in the interests of a present or former employee.
14.2 Personal data submitted in furtherance of a job application should normally be deleted as soon as it becomes clear that an offer of employment will not be made.
14.3 Where such data are stored with a view to a further job application, the data should be deleted if the candidate concerned so requests.
Where it is necessary to store data submitted in furtherance of a job application for the purpose of defending legal actions, the data should only be stored for a reasonable period.