GDPR definitely applies to employees as well. It applies to all handling of personal data.
One of the most important rules in GDPR is the requirement for companies to have an up-to-date list of all places where personal data is being stored, the reason it's stored there, what it's used for, and the retention policy.
So an employee creating their own lists of previous employees could potentially get the company in trouble if it wasn't listed and that was discovered during some external audit.
Not speaking about GDPR, but your post is triggering me (my issue, not yours).
Here’s what is crazy to me about employee PII (personally identifiable information) being considered sensitive.
Say in a well-designed system you can audit who made each change or the last change to each business record. As an example, each database table has a login ID of who modified the last record/row most recently.
Now every single such table is polluted with PII?
I get having a list of all the places where personal data is stored, but some people think we need a list of all the places a pointer to personal data is stored (i.e. an identifier that enables linking; that is what "PII" literally means), and that is just such a bigger dataset. I don't think it is appreciated how deep the rabbit trail goes when applying policy to technology.
Every email in an organization contains PII, and every system that emails can get saved to or attached to does as well.
Back to your comment, does GDPR require just listing the personal information locations, or also the (PII) identifiers to it? Is a name alone considered personal information? (If I sign my emails with my name, does that go on the list, and if so, can companies just declare huge subsystems as having personal information?)
Depending on the business, employee data can be more of a concern than customer data.
A business probably handles sensitive private data on employees (e.g. medical conditions, family records). Employees know this, and could report an ex-employer out of spite, especially if they're aware of poor data security.
They don't need to be a citizen, they don't need to have any sort of contractual arrangement with the data processor. If they're alive and identifiable, the GDPR applies.
>This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.
It's not part of the operative text of the regulation, but it provides for a clarification on what a "natural person" is, and the principal prohibition in the regulation is the processing of data about an identified or identifiable natural person.
I would also assume, but I'm not 100% sure, that there's some case law from the CJEU around whether or not the definition of "natural person" includes dead people, which is why it's not in the main body of the text.
I can certainly see many European businesses would be wary of an employee keeping this list.