Employers process many personal data of their own employees. These are sometimes stored into a personal file. The employers can create a personal dossier only if it is necessary in order to do a job contract or a date like a public employee. And they should take into account the employee’s privacy.

Employee’s file conditions.
The General Data Protection Regulations (GDPR) and the legislation on the actuation of the GDPR (UAVG) offers the conditions for the employee’s file creations. Employers are:

• responsible for the correctness and the accuracy of data into the personal dossier;
• may not include more information in the personnel file than is necessary and the data must be relevant;
• must inform workers, including the data they collect, for what purposes and on the basis of what legal basis;
• must secure the personal data appropriately so that they do not get lost or end up in the wrong hands;
• may not retain the personal data for longer than is necessary;
• should allow employees to access their data – this applies in principle to the entire personnel file – and, where appropriate, to limit or delete it;
• workers must separately indicate the right of objection to the processing of data on the grounds of the legitimate interest;
• should, where appropriate, allow employees to exercise their right to data portability.

SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DEI PAESI BASSI