GDPR for employees/shareholders??

GDPR consent given by director, what are rules re employee/shareholder data?

We have an engagement letter which covers GDPR, approved by the director. A 50% shareholder (husband of director and other 50% shareholder) has advised us that:

a) he does not want us to use an online document storage system (in this case Iris OpenSpace, but could be any) for shareholder accounts and other shareholder documents because he considers them unsafe. He wants us to use password-protected attachments, which is fine, but means we have to spend time and use a system we would not use ordinarily.

b) he wants us to remove any personal details from our systems and to receive a confirmation that his 'right to be forgotten' has been taken care of.  In the case of accounts our database would have him recorded as a shareholder and would have information about him that would be on public record at Companies House. However, we also process the payroll for the company and if we remove his details from the payroll we will be unable to process his pay!

What is the GDPR position? Do we need to get consent from every shareholder and every employee?  If so, it is ridiculous because a) it will take up an enormous amount of resources and I doubt whether clients will be willing to pay and b) we will spend our time chasing people to give consent before we can process company forms such as Confirmation Statements, etc and employee payrolls. 

Replies (6)

By ireallyshouldknowthisbut
27th Jul 2018 09:00

As it's H&W, speak to wife. Advise husband is an idiot.

You can implement said things at a cost of XXX

Await retraction of earlier rubbish from husband.

Thanks (3)
Replying to ireallyshouldknowthisbut:
By BryanS1958
27th Jul 2018 09:41

I did consider that, but didn't want to be named in divorce proceedings (come to think of it, maybe I could get my name removed under GDPR!).

Thanks (0)
By paulwakefield1
27th Jul 2018 09:03

There is no absolute right to be forgotten, especially where you have a current legal basis to process data other than relying on consent.

Processing payroll and holding the director's details in relation to his involvement in your client I would have thought would not allow an exercise of a right to be forgotten.

Thanks (2)
Replying to paulwakefield1:
By paulwakefield1
27th Jul 2018 09:04

ireallyshouldknowthis has put it more succinctly. :-)

Thanks (1)
By Moonbeam
27th Jul 2018 11:10

Given what you've said, marriage is rocky already and this person could make your life very difficult in future as a way of punishing wife.
Charge an absolute fortune for things you can implement.

Thanks (1)
By jcace
27th Jul 2018 14:23

The chances are that you are not processing his personal data on the basis of consent, but on some other legal basis. It is likely that you are obliged to process the personal data to comply with the law. You therefore have a legal basis for holding personal data. The client has no automatic absolute right to be forgotten -
ICO guidance on "erasure" is as follows:
Individuals have the right to have their personal data erased if:
* the personal data is no longer necessary for the purpose which you originally collected or processed it for;
* you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
* you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
* you are processing the personal data for direct marketing purposes and the individual objects to that processing;
* you have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle);
* you have to do it to comply with a legal obligation; or
* you have processed the personal data to offer information society services to a child.

Thanks (1)