Union representatives

Guide: Processing of personal data by union representatives in the private sector

IDA has developed this guide for union representatives for IDA on how to deal with colleagues' personal data in relation to the General Data Protection Regulation (GDPR). If you have any questions, you are always welcome to contact IDA.

The short version: The three most important GDPR tips for union representatives

The GDPR may seem overwhelming for a union representative. But complying with these three rules will help you and minimise the risk of breaching the GDPR rules. 

Be confident with the GDPR and minimise the risk of data breach with these three rules. 

Membership of a trade union is considered sensitive personal data. Both you and IDA must therefore take great care to protect members' personal data.  

  1. Use the Bcc field when sending emails to several recipients. This will prevent recipients from seeing each other's email addresses, and you will not risk disclosing their trade union membership. 
  2. Store data securely: Members' data is confidential, so it must not be freely accessible on your computer or on your desk. Be careful with your password and never leave your computer open. Physical documents should be stored in a locked drawer or a locker.

Generally, store data securely so only you have access to it. 

  1. Only process the data that is necessary: Do not process data that is not necessary for your function as a union representative or for a given case. And remember to erase data when it is no longer relevant for you, e.g. when an employee resigns.
    This will ensure that you comply with the GDPR requirement on data minimisation and the rules regarding erasure.  

When writing to your contact person at IDA, it is often not necessary to write the name of the member in a case. In many cases, it will be enough to write "a colleague". We also recommend that you log on to mit.ida.dk in the union representative tab  and set up a case, rather than sending emails to your contact person. 

Do not hesitate to contact your contact person at IDA if you are in doubt about anything or if you think you have breached the GDPR rules. 

GDPR for union representatives: The detailed explanation:

The objective of these guidelines is to ensure that you can continue to protect members' personal data, and that you always comply with the relevant legislation (the Danish Data Protection Act) when you process such data.

What is personal data?

Personal data is any data that relates to a specific person and makes this person identifiable. However, if the data is made anonymous in such a manner that the member is no longer identifiable, the data will not be personal data.

What data does this concern?

Sensitive personal data is: Trade union membership, data concerning health, sexual orientation, racial or ethnic origin, political opinions, religion or philosophical beliefs. Only the data mentioned above is considered sensitive personal data.
General personal data is: Data that does not fall under the category of "sensitive personal data". This may be name, home address and telephone number, CV, educational background and photos of employees.

Confidential data

Civil registration number (CPR number) has its own category and is therefore not considered sensitive personal data. But it must be managed with the same level of protection as sensitive personal data. A civil registration number (CPR number) may, however, be considered as a key to uniquely identify individuals in an IT system, and therefore it is within the scope of the Danish Data Protection Act.

Basic principles for processing personal data

Basically, personal data must be processed before legislation in the area applies. This may be collection, recording, structuring, storage and disclosure of personal data. A number of general principles apply for processing of personal data. These principles must always be met, regardless of the type of personal data.

  • Data must generally be processed lawfully and in a transparent manner. Processing must have a legitimate purpose, and data must only be processed in relation to that purpose. If a new purpose arises, this must not be incompatible with the original purpose.
  • Data that is processed must be limited to what is necessary in relation to the purpose for which it is processed ("data minimisation").
  • Data must not be stored for longer than necessary and processing must be in a manner that ensures security and confidentiality.

IDA is not automatically the data controller

Union representatives are considered as local representatives of IDA in the workplace. In this connection, IDA aims to ensure that IDA is the data controller for union representatives in the private labour market.

To ensure that IDA is the data controller for your processing of personal data as a union representative, it is therefore important that you have requested union-representative authorisation from IDA (contact your contact person at IDA for questions about this).

In this way, IDA can delegate a number of powers to you. These powers follow from a collective agreement, a local agreement, or from the tasks you carry out as a union representative.

When you serve as a union representative, you are therefore subject to instructions from IDA on how to perform in this position of trust.

This also means that IDA can give you binding instructions on how to handle personal data and that you are obligated to comply with the rules of these guidelines. You are only covered by IDA's data responsibility and powers of instruction in your function as a union representative.

Storage of data and communication with IDA

Note that you have to store data with an appropriate level of security, so only you have access to it. You may only store data for as long as is necessary for the processing, and data must be erased once the purpose has been fulfilled. Rather than sending documents and other personal data directly to your contact person and consultant, we recommend that you upload them to mit.ida.dk. If you cannot open our encrypted emails, ask your contact person to upload the documents etc. to the case. Unfortunately, we cannot guarantee encrypted transport if you choose to send documents directly to us.

FAQ

Below is a list of frequently asked questions. If you cannot find the answer you are looking for, you are welcome to write to us. We will then respond to your inquiry as quickly as possible.

Write to us (via My IDA)

I am going to send out an invitation to a general meeting, a club meeting, etc. Can I send it via email?

You can invite the members you represent to general meetings, club meetings, etc. via email. When you send mass emails to members of IDA, you have to be careful of where you write the recipients' email addresses.

The recipients of such mass emails should not be visible in the actual email.

You should therefore enter the recipients' email addresses in the Bcc field of the email. If you enter the recipients' email addresses in the Bcc field, the recipients cannot see each other's e-mail addresses.

How should I deal with minutes from club meetings?

If you have held a club meeting, and you are going to send the minutes to people other than those who attended the meeting, you must obtain consent from those mentioned in the minutes. Alternatively, you can delete the names mentioned in the minutes. This is because the minutes will disclose trade union membership, which is considered sensitive personal data and requires consent.

What should I do if I need to send an email containing personal data or a civil registration number (CPR number)?

When sending emails containing confidential or sensitive personal data (e.g. payslips, draft contracts or a CV with a civil registration number (CPR number), the data must be encrypted.

The Danish Data Protection Agency has drawn up a description of the principles for encryption of emails at Datatilsynet (in danish).

Can I disclose reasons for salary negotiations?

You must not disclose reasons for salary increases, pay supplements/rejections of pay supplements, etc. containing negative statements about a member to other people without consent from this member. Consideration for the individual member outweighs the interest of disclosing such information. Members will normally have a legitimate interest in keeping any negative statements to themselves.

Can an employer inform employees if an employee is to leave the workplace?

It may be necessary for an employer to inform employees if an employee is to leave. This may be due to operational reasons or it may be to prevent "concerns" at the workplace.

However, an employer must not disclose detailed information about the reason why an employee is leaving.

As a union representative, can I receive contact information (e.g. name, address and telephone number) for a new employee from the employer?

An employer is obligated to provide information to a union representative, so that the union representative can perform their position of trust.

It is important for a union representative to receive all necessary information about a new employee.

Therefore, it is not necessary for an employer to obtain consent from the new employee in order to disclose information to the union representative.

As a union representative, can I get a list of the employees who, pursuant to the collective agreement, fall under IDA's negotiation area?

The employer may disclose information about these employees to IDA or to the union representative, if the disclosure is made to comply with a legal obligation or to comply with the collective agreement, see section 12(2) of the Danish Data Protection Act.

Pursuant to the collective agreement, the union representative is entitled to negotiate on behalf of the people who fall under IDA's negotiation area, see the training annex  to the collective agreement.

Such a list (containing both members and non-members) does not contain sensitive personal data, so in addition to section 12 of the Data Protection Act, this is authorised according to point (e) of Article 6(1) of the GDPR.

How does data minimisation affect me as a union representative?

Data minimisation means that, as a union representative, you should not collect information or have information sent to you that is not necessary for your function as a union representative in a given case. Moreover, you must not send information that is not relevant for a given case.

Can I record a conversation with my manager?

Recording a conversation with your manager is generally not allowed. In a new ruling, it was considered disloyal for an employee to record a conversation with their manager, and a dismissal was justified retroactively.

Until a new decision is made, IDA's advice to members is not to record conversations at the workplace.

Can I send out a list with the results of the annual salary negotiations?

If you send out a list with the results of the annual salary negotiations (open salary policy), the list will include names of the members in addition to salary information.

Before sending out such a list, you must obtain consent from each member. Consent is required because the members' trade union membership will appear on such a list, and this is sensitive personal data.

However, if the employees' trade union membership is not stated on the list of the results of annual salary negotiations, consent will not be necessary.

Remember that membership of a trade union is sensitive personal data, and as a union representative you must therefore not directly or indirectly reveal whether or not a person is a member.

Can I send information about employees to an employer if this is necessary for the terms of employment?

If necessary for an employee's terms of employment, a union representative may send full name, address and work experience, etc. to place the employee at the right salary level, so that the employer can draw up an employment contract for the person concerned.

Can I send calendar invitations (Outlook invitations) to members to ensure that they remember the general meeting or an after-work meeting, for example?

You may send calendar invitations to members of IDA. However, members' names must not appear in the invitation. This would conflict with the Danish Data Protection Act, because it would reveal the members' trade union membership. It is not possible the enter the email addresses of members in the Bcc field in calendar invites.

This can be solved as follows:

  • Go into the calendar function, so you can invite members to a meeting. Create a new meeting, and then select "Scheduling Assistant" and "To...". Then find the people you want to invite. But instead of adding them as "Required", add them as a "Resource".
  • Email addresses can also be entered/copied into the field "Resource" if these people do not exist on your mailing list. The only thing that is important for this solution is adding the people as a "Resource" and not as "Required".
  • Then click "OK" and return to the previous page "Event" and fill in the meeting invite as normal. Note that it is important to delete addresses/people from the "Location" field, as this will otherwise reveal who has received the invitation.

What information am I entitled to receive from IDA as a union representative?

As a union representative, you must be able to carry out your tasks. As a union representative, you are therefore entitled to receive information on the members you represent. Such information may only be used to carry out tasks that fall under your position of trust.

Disclosure of information from the employer

A union representative has a special position in a company. Assessing what a union representative may receive must follow a collective agreement; otherwise processing must follow the rules regarding processing in the Danish Data Protection Act.

There may be some information that a union representative does not need to receive, such as the reason for termination.

An employer may send personal data to a union representative if there is basis for this in a collective agreement. The union representative rules state that union representatives must be able to perform their duties. The rules in collective agreements prevail over the rules in the Danish Data Protection Act.

The rules regarding processing in the Data Protection Act should therefore not be observed when information is exchanged about the employees represented by the union representative if the information is necessary for the union representative to perform their duties.

IDA considers that our union representatives must be notified about all important matters such that the union representative is able to perform their duties and represent and assist our members.

As a union representative, what should I write in the subject field when sending an email related to my position of trust?

As a union representative, you should write "Union representative matter - confidential" in the subject field when sending an email related to your position of trust.

How should I store data related to my position of trust?

As a union representative, you must treat personal data about the people you represent confidentially. Data must therefore not be available to third parties. IDA's advice is therefore to have a locker or a locked file to which only you have access.

IDA currently has several solutions for storing data:

  • OneDrive (Office 365), which is a personal drive in the cloud. Here, you can control who has access to the documents. It is easy to share and store data in OneDrive, and to attach emails in Outlook. (NB! you may store both sensitive personal data and general data on OneDrive, but third parties must not be able to access this data). Disadvantages: OneDrive is a "personal" drive, so if important data is stored on it, and a union representative leaves the company, data will be deleted. However, the data can be transferred before the union representative leaves the company.
  • Teams is a collaboration tool which also allows storage of files, planning, etc. Only members of the Team can access the files. As opposed to OneDrive, Teams is not person-dependent, so if a union representative is leaving the company, a new union representative can be added to the Team and access the same files.
  • Network drives – with rights management. The rights control who has access to the drive. This means that only the people for whom access was intended will have access.
  • Locker – a final solution can be to store documents relating to your position of trust in a locker at your workplace.

We do not recommend using Dropbox, Google Drive and similar, as these are not GDPR-compliant, and you therefore do not know who "owns"/has access to the data stored there.

As a union representative, what should I do when an employee I represent wants access to documents?

The person you represent is entitled to see the personal data you as a union representative have on them. This means that you have to provide the relevant information to the person you represent if the person asks about the material.

What should a consent contain?

There is no requirement that consent should be in writing. But it is always a good idea to obtain written consent as evidence.

Consent must be specific, informed and freely given. The declaration of consent should state what data is being processed, who is processing the data and for what purpose. Furthermore, it should state that the consent may be withdrawn.

Is an employer allowed to read a member's emails?

If the following conditions are met, an employer may go through an employee's emails if there is a suspicion of misuse:

  • An employer may only read an employee's emails if it is necessary. This means that the employer must have a reasonable purpose and this purpose must prevail over the interests of the employee.
  • The employee must be informed in advance.
  • An employer may not generally read employees' private emails. This means that it is a good idea to set up a file in Outlook named "Private" for employees' private emails. An employer may only read an employee's emails if it is necessary. This means that the employer must have a reasonable purpose and this purpose must prevail over the interests of the employee.

Is an employer allowed to obtain a certificate of criminal record?

You can authorise others to obtain your private certificate of criminal record. A criminal record can only be issued to others if you have consented to this. A private certificate of criminal record may be necessary in some situations, e.g. in connection with job search.

An employer may only request or collect information about an applicant's possible criminal offences if this is relevant for the position the applicant is to perform. This means that the purpose must be proportionate and that processing must take place in the least intrusive manner.

A certificate of criminal record is generally obtained by the job applicant, and if the applicant discloses the certificate this is considered a valid consent.