Appropriate policy document

The controller has an obligation to have an “appropriate policy document” in place, if the data processing is necessary to perform or exercise the controller’s or data subject’s obligations or rights in connection with employment (Schedule 1(1) DPA). The requirements regarding such an appropriate policy document are described in Schedule 1(38-41) DPA.

Records of processing activities

Controllers are obliged to include further information in their processing records (Schedule 1(41) DPA):

  • details about the processing in the employment context
  • how the processing satisfies the lawfulness of processing (Art. 6 GDPR) and
  • whether the data is retained and erased in accordance with the controller’s policies and, if not, the reasons for not following those policies

Restrictions of data subjects’ rights

Information and access rights do not apply to personal data consisting of training or employment references. (Schedule 2(24) DPA)