Latvian Personal Data Processing Law

Law on the Processing of Personal Data

Personas datu apstrādes likums

Latvia

RET-LV-NA-PROTECT-2018

Last updated: April 1, 2024
Effective: July 5, 2018
In Force
Act, Pay Data Collection, Enforcement & Remedies, Equal Pay Principles

Latvia's Law on the Processing of Personal Data, enacted in 2018, serves as the national framework for implementing the EU's General Data Protection Regulation (GDPR). This legislation establishes comprehensive rules for the collection, storage, and use of personal data, including employee remuneration information, ensuring the protection of individuals' fundamental rights and freedoms. While not directly addressing pay equity, it mandates transparent and lawful handling of all employee data, impacting how pay-related information is managed and secured by employers across all sectors. The law empowers the Data State Inspectorate (DVI) with significant enforcement and oversight responsibilities.

Overview

The Law on the Processing of Personal Data (Personas datu apstrādes likums) in Latvia, adopted on June 21, 2018, and effective from July 5, 2018, serves as the national legislative framework for the implementation of the General Data Protection Regulation (GDPR) (EU) 2016/679. This pivotal legislation aims to establish a robust system for the protection of personal data at the national level, ensuring that the fundamental rights and freedoms of natural persons are safeguarded in the digital age. It delineates the institutional structures necessary for data protection, defines their competencies, and sets forth the foundational principles governing the processing and free movement of personal data within Latvia. The law's enactment was a direct response to the broader European Union initiative to harmonize data protection standards, thereby providing a consistent and high level of protection across member states.

The primary purpose of this Law is to create the legal prerequisites for a comprehensive personal data protection system, which includes specifying the roles and responsibilities of various entities involved in data processing. It outlines the operational principles for data protection specialists and establishes clear rules for how personal data should be handled, from its collection to its eventual deletion. While the law itself does not directly mandate pay equity or specific pay transparency measures, it profoundly impacts how employers manage and process employee data, including sensitive information related to remuneration. By setting stringent standards for data processing, it indirectly contributes to a framework where data used in employment decisions, including those affecting pay, must be handled fairly, lawfully, and transparently. This ensures that any data utilized in compensation decisions is subject to rigorous privacy and security protocols, fostering a more accountable environment for employers.

Historically, Latvia's data protection landscape evolved significantly with the advent of the GDPR. The Law on the Processing of Personal Data replaced previous national legislation, such as the Law on the Protection of Personal Data of Natural Persons of 2000, to align fully with the enhanced requirements of the GDPR. This transition marked a shift towards a more comprehensive and rights-based approach to data protection, emphasizing accountability for data controllers and empowering data subjects with greater control over their personal information. The law's key innovations include strengthening individual rights, imposing stricter obligations on data controllers and processors, and granting the Data State Inspectorate (DVI) enhanced enforcement powers. These changes are critical for all sectors, including employment, where the processing of personal data, such as salary details, is an integral part of operations, demanding a higher standard of care and compliance from employers.

Definitions

The Law on the Processing of Personal Data incorporates the extensive definitions provided in Article 4 of the GDPR, ensuring consistency with the broader European data protection framework. Key terms such as 'personal data,' 'processing,' 'data subject,' 'controller,' and 'processor' are central to understanding the scope and application of the law. 'Personal data' is broadly defined as any information relating to an identified or identifiable natural person. This includes direct identifiers like names and identification numbers, as well as indirect identifiers such as location data, online identifiers, or factors specific to an individual's physical, physiological, genetic, mental, economic, cultural, or social identity. In the employment context, this encompasses a vast array of employee information, including their salary, benefits, performance reviews, and even trade union membership, all of which must be handled with strict adherence to the law's principles.

'Processing' is another fundamental term, covering virtually any operation performed on personal data, whether automated or manual. This includes the collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction of data. For employers, this means that every action taken with employee data, from collecting CVs during recruitment to processing payroll, managing performance, and archiving former employee records, falls under the purview of this definition. The law mandates that all such processing must adhere to strict principles, including lawfulness, fairness, and transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality, ensuring a comprehensive approach to data governance.

The law also clearly defines the roles of 'controller' and 'processor.' A 'controller' is the natural or legal person, public authority, agency, or other body that determines the purposes and means of the processing of personal data. In most employment scenarios, the employer is the controller, bearing the primary responsibility for ensuring compliance with the law. A 'processor,' on the other hand, processes personal data on behalf of the controller. This could include third-party payroll providers or HR software vendors. The law establishes specific obligations for both controllers and processors, emphasizing accountability and the need for appropriate technical and organizational measures to protect personal data. Understanding these definitions is crucial for employers to navigate their responsibilities effectively and ensure the lawful handling of all employee-related data, including remuneration details, throughout the entire data lifecycle.

Covered Employers

The Law on the Processing of Personal Data, by virtue of its alignment with the GDPR, applies broadly to virtually all employers operating within Latvia or processing the personal data of individuals residing in Latvia. There are no specific size thresholds that exempt smaller employers from its core obligations. Any entity, regardless of its size or sector, that collects, stores, or otherwise processes personal data of its employees, job applicants, or former employees, is subject to the provisions of this law. This comprehensive scope ensures that data protection standards are uniformly applied across the employment landscape, from small businesses to large corporations and public sector organizations. The law's territorial scope also extends to processing activities outside Latvia if they relate to data subjects in Latvia, or if the controller/processor is established in Latvia, thereby capturing a wide range of cross-border operations.

The law's applicability to employers is extensive, covering all stages of the employment lifecycle. This begins with the recruitment process, where employers collect personal data from job applicants, including CVs, contact information, and qualifications. The Data State Inspectorate (DVI) has issued specific guidance for employers on personal data processing during recruitment, highlighting the importance of determining necessary data, informing applicants about data processing, and managing data storage and deletion. During active employment, the law governs the processing of a wide range of employee data, such as names, personal identification codes, contact details, job titles, education, work experience, health data (e.g., occupational health assessments), and crucially, remuneration information. This includes data used for payroll, benefits administration, performance management, and internal communications, all of which must adhere to strict data protection principles.

While the law does not specify exemptions based on employer size, certain obligations, such as the requirement to appoint a Data Protection Officer (DPO), may depend on the nature, scope, and purposes of the processing activities. For instance, a DPO is mandatory for organizations whose core activities consist of processing operations which, by virtue of their nature, scope, and/or purposes, require regular and systematic monitoring of data subjects on a large scale, or of processing on a large scale of special categories of data. However, even if a DPO is not formally required, all employers must still adhere to the fundamental data protection principles and ensure the lawful, fair, and transparent processing of employee data. The law's broad reach underscores the universal responsibility of employers to protect the privacy and personal data of their workforce, including all data related to their compensation and employment terms, regardless of the company's scale.

Employee Rights

Under the Law on the Processing of Personal Data, employees, as data subjects, are afforded a comprehensive set of rights concerning their personal data, which are directly derived from the GDPR. These rights are fundamental to empowering individuals to control their personal information, including sensitive details related to their employment and remuneration. Key among these is the right of access, which allows employees to obtain confirmation as to whether their personal data is being processed, and if so, to access that data and receive information about the purposes of the processing, the categories of personal data concerned, the recipients to whom the data has been or will be disclosed, and the envisaged period for which the personal data will be stored. This means an employee can request to see their own salary records, performance evaluations, and other employment-related data held by their employer, ensuring transparency regarding their personal information.

Beyond access, employees also possess the right to rectification, enabling them to request that inaccurate personal data be corrected without undue delay. If their salary information, contact details, or employment history are incorrect, they have the right to have them updated, ensuring the accuracy of records. Furthermore, the right to erasure, often known as 'the right to be forgotten,' allows employees to request the deletion of their personal data under certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected, or if they withdraw consent and there is no other legal ground for processing. This right is particularly relevant after an employment relationship ends, though employers may retain certain data for legal or legitimate business purposes for specified periods, such as tax or social security obligations, which must be clearly communicated.

Other crucial employee rights include the right to restriction of processing, which allows individuals to limit how their data is used in specific situations, and the right to object to processing, particularly when data is processed based on legitimate interests or for direct marketing. While the Law on the Processing of Personal Data does not explicitly grant 'pay comparison rights' in the sense of demanding access to other employees' salary data for equal pay purposes, the right to access one's *own* remuneration data is a significant aspect. Moreover, the principles of fairness and transparency in data processing, enshrined in the law, indirectly support the broader goal of equitable treatment in employment. Employees can exercise these rights by submitting written inquiries to their employer, and if unsatisfied, they have the right to lodge a complaint with the Data State Inspectorate, which is obligated to investigate such claims.

Pay Transparency Requirements

It is crucial to clarify that the Latvian Law on the Processing of Personal Data, as an implementing act for the GDPR, does not directly impose 'pay transparency requirements' in the sense of mandating salary range disclosures in job postings, publishing pay scales, or requiring employers to provide comparative pay information to employees for equal pay purposes. The law's focus is on the *protection* and *processing* of personal data, including remuneration data, rather than on the substantive aspects of pay equity or wage transparency. Therefore, employers will not find provisions within this law that dictate specific formats or deadlines for disclosing salary information to the public or to employees beyond what is necessary for individual data subjects to understand how their own data is processed, or what is required by other specific labor laws.

However, the overarching principles of data protection, particularly transparency (Article 5(1)(a) of GDPR), have indirect implications for how pay-related data is handled. Employers are obligated to process personal data, including salary information, in a transparent manner in relation to the data subject (the employee). This means that employees must be informed about the collection, use, storage, and other processing activities concerning their remuneration data. This information is typically provided through privacy notices or data protection policies, which should clearly articulate the purposes for processing salary data (e.g., payroll, tax compliance, benefits administration), the legal basis for such processing, and the categories of recipients with whom this data might be shared. While this ensures transparency *to the individual* about their own data, it does not extend to broader pay transparency initiatives across the workforce, such as disclosing salary bands for all positions.

Furthermore, the data minimization principle (Article 5(1)(c) of GDPR) dictates that personal data collected should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. This means employers should only collect and process salary-related data that is genuinely required for legitimate employment purposes. Any collection of excessive or irrelevant pay data would be a violation of the law. While the law does not mandate the disclosure of salary ranges, it does ensure that any pay data collected is handled with strict adherence to privacy principles. Any future pay transparency legislation in Latvia would need to be a separate legal instrument, potentially interacting with this data protection law regarding the processing of the disclosed data, but not originating from it, as the current law's scope is strictly data protection.

Reporting & Audit Obligations

The Law on the Processing of Personal Data, in conjunction with the GDPR, imposes significant reporting and audit obligations on data controllers, including employers, though these are distinct from specific 'pay equity audits.' The primary reporting obligation relates to data breaches. Employers are required to notify the Data State Inspectorate (DVI) without undue delay, and where feasible, not later than 72 hours after becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also communicate the breach to the data subjects without undue delay. This obligation applies to any personal data, including employee remuneration data, if it is compromised, emphasizing the critical importance of data security.

Another crucial obligation for employers, particularly those engaged in large-scale or high-risk processing of personal data, is to conduct Data Protection Impact Assessments (DPIAs). A DPIA is a process designed to identify and minimize the data protection risks of a project or plan. It is mandatory when a type of processing, in particular using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. While not a 'pay equity audit,' a DPIA could be relevant if an employer implements a new HR system that processes extensive employee data, including salary information, in a way that could pose significant privacy risks. The DVI provides guidance on when DPIAs are necessary and how they should be conducted, ensuring that potential risks to employee data, including pay data, are identified and mitigated proactively before processing begins.

Furthermore, controllers and, where applicable, their representatives, are required to maintain records of processing activities under their responsibility. These records must contain specific information, such as the purposes of the processing, categories of data subjects and personal data, categories of recipients, and, where possible, the envisaged time limits for erasure of different categories of data. These records serve as a crucial tool for accountability and demonstrate compliance with the data protection principles. The DVI has the power to request these records as part of its investigative and auditing functions. While these obligations are not focused on assessing pay equity directly, they ensure a structured and documented approach to managing all employee personal data, including remuneration, thereby contributing to overall data governance and accountability within an organization and facilitating oversight by the supervisory authority.

Governance & Enforcement Bodies

The primary governance and enforcement body for the Law on the Processing of Personal Data in Latvia is the Data State Inspectorate (Datu valsts inspekcija - DVI). The DVI is an independent public authority operating under the supervision of the Cabinet of Ministers, specifically through the Minister of Justice. Its core mission is to protect the fundamental rights and freedoms of individuals in the realm of data protection. The DVI acts as the supervisory authority for data protection in Latvia, fulfilling the tasks and exercising the powers stipulated in both the GDPR and the national Law on the Processing of Personal Data. Its independence is a cornerstone of its effectiveness, ensuring that its decisions are based solely on legal principles and its own convictions, free from external influence or political pressure, thereby safeguarding its impartiality.

The DVI's roles and responsibilities are extensive. It is tasked with monitoring and enforcing the application of data protection laws, investigating complaints lodged by data subjects, conducting investigations and audits, and imposing administrative fines for violations. The Inspectorate also plays a crucial advisory role, providing guidance to data controllers and processors on their obligations and offering information to data subjects about their rights. For employers, the DVI is the central point of contact for data protection matters, including reporting data breaches and seeking clarification on compliance requirements related to employee data processing. The DVI also actively cooperates with other European data protection authorities through the European Data Protection Board, ensuring a consistent application of GDPR across the EU and facilitating cross-border enforcement.

Individuals who believe their data protection rights have been infringed, including those related to the processing of their remuneration data, have the right to lodge a complaint with the DVI. The complaint filing process typically involves submitting a written complaint to the Inspectorate, outlining the alleged violation and providing supporting evidence. The DVI then investigates the complaint, which may involve requesting information from the employer, conducting on-site inspections, and interviewing relevant parties. The Inspectorate has the power to issue warnings, reprimands, orders to comply, and ultimately, to impose administrative fines. The DVI's strategic objectives for 2021-2025 include promoting the implementation of personal data protection, facilitating efficient and lawful data protection, educating society, and remedying violations in a timely manner, while minimizing bureaucracy and ensuring effective protection of data subjects' rights.

Monitoring & Evaluation

The Data State Inspectorate (DVI) is endowed with robust powers for monitoring and evaluating compliance with the Law on the Processing of Personal Data and the GDPR. These powers are essential for ensuring that data controllers, including employers, adhere to their obligations regarding the lawful and secure processing of personal data. The DVI's monitoring activities encompass a range of tools, including proactive inspections, reactive investigations based on complaints, and thematic audits. Inspections can be conducted both announced and unannounced, allowing the DVI to assess an organization's data processing practices in real-time. During these inspections, DVI officials have the authority to access premises, demand information, examine documents, and interview personnel to verify compliance with data protection principles and specific legal requirements, including those pertaining to employee remuneration data.

The investigation of complaints forms a significant part of the DVI's monitoring function. When an employee or any other data subject lodges a complaint regarding the processing of their personal data, including their remuneration details, the DVI is obligated to investigate the matter thoroughly. This involves gathering evidence, communicating with both the complainant and the data controller, and assessing whether a violation of the law has occurred. The DVI's strategy emphasizes remedying violations in a timely manner, ensuring that individuals' rights are upheld. The frequency of audits and inspections is determined by various factors, including the nature and scale of data processing activities, the level of risk involved, and the number of complaints received against a particular entity or sector. Organizations processing large volumes of sensitive employee data, such as salary and health information, may face closer scrutiny due to the higher potential for risk.

Evaluation criteria for compliance are based directly on the principles and provisions of the GDPR and the national Law on the Processing of Personal Data. These include assessing whether data processing is lawful, fair, and transparent; whether data is collected for specified, explicit, and legitimate purposes; whether data minimization is observed; whether data is accurate and kept up to date; whether storage limitation principles are followed; and whether appropriate security measures are in place to protect data integrity and confidentiality. For employers, this means demonstrating a clear legal basis for processing employee data, implementing robust technical and organizational security measures, and respecting data subjects' rights. The DVI's enforcement actions, including the imposition of fines, are often preceded by these monitoring and evaluation activities, highlighting the importance of continuous compliance and proactive data governance by employers to avoid penalties and uphold privacy standards.

Enforcement & Penalties

The Law on the Processing of Personal Data, by incorporating the enforcement mechanisms of the GDPR, provides for significant penalties for non-compliance, designed to be effective, proportionate, and dissuasive. For serious infringements, administrative fines can be substantial, reaching up to €20 million, or in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher. Less severe infringements may incur fines up to €10 million, or up to 2% of the total worldwide annual turnover. These high penalty ceilings underscore the seriousness with which data protection violations are treated and serve as a strong deterrent for employers who fail to uphold their obligations regarding employee personal data, including remuneration information, ensuring a high level of accountability.

The Data State Inspectorate (DVI) has a range of corrective powers at its disposal, beyond monetary penalties. These include issuing warnings and reprimands, ordering the rectification or erasure of personal data, imposing a temporary or permanent ban on processing, and ordering the suspension of data transfers to a third country. The DVI's criteria for determining the amount of a fine or the type of corrective measure take into account various factors, such as the nature, gravity, and duration of the infringement, the intentional or negligent character of the infringement, any actions taken to mitigate the damage suffered by data subjects, the categories of personal data affected, and the degree of cooperation with the supervisory authority. This nuanced approach ensures that enforcement actions are tailored to the specific circumstances of each violation, promoting fairness while maintaining strict compliance.

In addition to administrative fines, Latvian criminal law provides for criminal liability for individuals who commit criminal acts involving personal data, with potential penalties including imprisonment for up to 5 years, probationary supervision, community service, or a fine. Criminal liability can arise from illegitimate data processing that results in material damage, processing for purposes of vengeance or blackmail, or processing involving violence, threats, or deceit. Data subjects also have the right to compensation for both material and non-material damage suffered as a result of an infringement of the law. This right to compensation allows employees to seek redress if their personal data, including sensitive pay information, has been mishandled, leading to demonstrable harm. The appeals process for DVI decisions typically involves appealing to an administrative court, ensuring a judicial review of enforcement actions and providing a mechanism for legal challenge.

Relationship to Other Laws

The Law on the Processing of Personal Data operates in close conjunction with, and is largely subordinate to, the General Data Protection Regulation (GDPR) (EU) 2016/679. As a national implementing law, its primary function is to provide the necessary legal framework for the application of the GDPR within Latvia, addressing areas where Member States are permitted to introduce more specific provisions. Therefore, the GDPR takes precedence in most aspects of personal data protection, and the Latvian law fills in the gaps or specifies details where the GDPR allows for national derogations. This relationship ensures a harmonized approach to data protection across the European Union while allowing for some national specificities, particularly in areas like public sector data processing or certain employment-related contexts, ensuring a coherent legal landscape.

In the employment sphere, the Law on the Processing of Personal Data interacts significantly with other national labor laws and regulations. While the data protection law dictates *how* employee data, including remuneration details, must be processed (e.g., lawful basis, data minimization, security), national labor laws govern *what* data employers are legally required or permitted to collect and for what purposes (e.g., payroll, tax, social security contributions). For instance, labor laws might mandate the collection of certain personal data for employment contracts or health and safety regulations. The data protection law ensures that even when such data collection is legally required, it must still adhere to data protection principles, such as transparency and data minimization. This means employers must balance their obligations under both sets of laws, ensuring all data handling is both legally compliant and privacy-respecting.

Conflicts between the Law on the Processing of Personal Data and other national laws are generally resolved by applying the principle of lex specialis (specific law overrides general law) or by interpreting laws in a way that ensures the highest level of personal data protection. In practice, employers must navigate both data protection requirements and their obligations under labor law, ensuring that their data processing activities are compliant with all applicable legal frameworks. For example, while labor law might require an employer to retain certain employee records for a specific period, the data protection principle of storage limitation dictates that data should not be kept longer than necessary for the stated purpose. The Data State Inspectorate often provides guidance on how these various legal obligations should be reconciled, particularly in complex areas like employee data management and retention, to avoid legal inconsistencies and ensure comprehensive compliance.

International Context

The Law on the Processing of Personal Data in Latvia is inextricably linked to the broader international and European legal landscape, primarily through its role as the national implementing legislation for the General Data Protection Regulation (GDPR) (EU) 2016/679. The GDPR represents a landmark achievement in global data protection, establishing a comprehensive and stringent framework for the processing of personal data across the European Union and the European Economic Area. Latvia's law ensures that the principles, rights, and obligations set forth in the GDPR are directly applicable and enforceable within its jurisdiction. This alignment means that Latvia adheres to the highest international standards for data protection, influencing how personal data, including employee remuneration data, is handled by organizations operating within or interacting with the EU, thereby facilitating secure cross-border data flows.

Beyond the GDPR, Latvia's data protection framework is also influenced by international conventions and global trends in privacy. The Council of Europe's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), and its modernized Protocol (Convention 108+), have historically shaped data protection principles in Europe. While the GDPR has largely superseded many aspects of Convention 108 for EU member states, the underlying principles of fair and lawful processing, data minimization, and data subject rights remain foundational. Furthermore, the increasing global interconnectedness and the rise of digital economies necessitate robust data protection laws to facilitate secure international data transfers. Latvia's adherence to the GDPR ensures that its data protection standards are recognized and respected globally, particularly in the context of cross-border employment and the transfer of employee data between different jurisdictions, upholding a consistent level of privacy protection for its citizens.

Implementation Timeline

| Date | Milestone | Status |
|---|---|---|
| April 27, 2016 | General Data Protection Regulation (GDPR) adopted by the European Parliament and Council | Adopted |
| May 25, 2018 | GDPR became directly applicable in all EU Member States | In Force |
| June 21, 2018 | Latvian Parliament (Saeima) adopted the Law on the Processing of Personal Data | Adopted |
| July 5, 2018 | Law on the Processing of Personal Data entered into force in Latvia | In Force |
| Ongoing | Data State Inspectorate (DVI) issues guidance and interpretations to ensure consistent application | In Force (Amended through guidance) |
| February 2024 | Linklaters guide on Data Protected Latvia references the Personal Data Processing Law, indicating continued relevance | In Force (Referenced) |
| April 2024 | DVI publishes guidance for employers on personal data processing during recruitment, clarifying specific obligations | In Force (Guidance issued) |

Compliance Checklist

| Requirement | Action Required | Deadline |
|---|---|---|
| Establish Lawful Basis for Processing | Identify and document a legal basis (e.g., consent, contract, legal obligation, legitimate interest) for all processing of employee personal data, including remuneration. | Ongoing |
| Ensure Data Minimization | Collect and process only personal data that is adequate, relevant, and limited to what is necessary for the specified purposes (e.g., only essential data for payroll and HR management). | Ongoing |
| Maintain Transparency | Inform employees (data subjects) about how their personal data, including pay information, is collected, used, stored, and shared through clear and accessible privacy notices. | Ongoing (especially at data collection points and upon policy updates) |
| Implement Data Subject Rights Procedures | Establish clear, documented procedures for employees to exercise their rights (access, rectification, erasure, restriction, objection, portability) regarding their personal data. | Ongoing (respond to requests without undue delay, within one month) |
| Appoint Data Protection Officer (DPO) | Assess if a DPO is required based on the nature, scope, and purposes of data processing (e.g., large-scale processing of sensitive data or regular monitoring). If so, appoint and involve DPO. | Ongoing (as applicable, and ensure DPO independence) |
| Conduct Data Protection Impact Assessments (DPIAs) | Perform DPIAs for new processing activities likely to result in a high risk to individuals' rights and freedoms (e.g., new HR systems handling extensive employee data or biometric data). | Before commencing high-risk processing |
| Implement Security Measures | Put in place appropriate technical and organizational measures to ensure the security of personal data, protecting against unauthorized or unlawful processing and accidental loss, destruction, or damage. | Ongoing (regularly review and update measures) |
| Maintain Records of Processing Activities | Keep detailed, up-to-date records of all processing activities under the employer's responsibility, including purposes, categories of data, recipients, and retention periods. | Ongoing (and available to DVI upon request) |
| Report Data Breaches | Notify the Data State Inspectorate (DVI) of personal data breaches without undue delay, and where feasible, within 72 hours of becoming aware. Notify affected data subjects if high risk. | Within 72 hours of discovery (to DVI); without undue delay (to data subjects if high risk) |
| Ensure Data Accuracy | Take reasonable steps to ensure that employee personal data is accurate and, where necessary, kept up to date. Establish mechanisms for employees to correct inaccuracies promptly. | Ongoing (regular data review and update processes) |
| Adhere to Storage Limitation | Retain employee personal data, including pay records, for no longer than is necessary for the purposes for which it was collected, in accordance with legal retention periods and internal policies. | Ongoing (implement and enforce data retention policies) |
| Facilitate International Data Transfers | If transferring employee personal data outside the EU/EEA, ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses, adequacy decisions, binding corporate rules). | Before transferring data internationally |

Sources and References

| Source | Type |
|---|---|
| Personas datu apstrādes likums (Law on the Processing of Personal Data) | official |
| Latvian Data State Inspectorate (DVI) Official Website | government |
| Regulation (EU) 2016/679 (General Data Protection Regulation) | official |
| DVI Guidance for Employers on Personal Data Processing during Recruitment (Part I) | government |
| DVI Guidance for Employers on Personal Data Processing during Recruitment (Part II) | government |
| DVI Criteria for Determining Administrative Fines | government |
| ILO NATLEX: Law on the Processing of Personal Data (Latvia) | legal |

© RewardsET.com / Smitteck GmbH — created on 22-Jan-2026 using Gemini 2.5 Flash
