Validity of consent as legal basis in the context of an employment relationship under the GDPR

21 December 2022 / in News / by Dogan Varlioglu

According to the GDPR, consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous agreement of the data subject to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement[1].

But how does consent work in an employment relationship? An employer and employee should have a cooperative and mutually beneficial relationship[2]. In the context of employment, however, there is also a power imbalance. Given the dependency that results from the employer/employee relationship, it is unlikely that the data subject will be able to refuse his or her employer’s request for consent to data processing without fear, or the actual risk, of negative consequences as a result of that refusal. Because consent is unlikely to be freely given, the EDPB[3] considers it problematic for employers to process personal data of current or future employees on the basis of consent.

In the context of employment, relying on consent as the legitimate ground for processing personal data has undergone certain changes. When the GDPR became applicable, employers tended to adopt a straightforward strategy and include a consent clause in the employment contract[4]. Employers believed that agreement to the contract (including the consent provisions it contained) was sufficient to satisfy the legal basis requirement, since employees were required to sign it.

The relationship between an employer and employee is typically viewed as unbalanced, with the employer holding more power than the employee. In most circumstances, an employer cannot rely on an employee’s consent to use their data, since consent must be freely given and the relationship is unequal[5]. There may nevertheless be circumstances in which processing personal data about an employee with their consent is lawful, especially if it is in the employee’s best interests. For instance, processing of the employee’s personal data is acceptable and lawful if informed prior consent was obtained where the company offers incentives to the employee or their family members (for instance, discounts on the company’s services).

What does the Dutch DPA say?

The Dutch DPA appears to apply a stricter standard than the EDPB and believes that consent in an employment setting can only be legitimate in extremely rare circumstances[6]. GDPR recital 43 states that “consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller”; in the employment relationship, this may be the case. A fully free choice cannot be ensured due to the dependent relationship between the employer and the employee.

Exceptions are possible, although they are extremely rare (for instance, voluntarily submitting a photo for publication on the company website, or voluntarily providing a birthdate for the purpose of a yearly birthday celebration). In general, however, the Dutch DPA takes a very critical view of consent given in an employment relationship.

What can be an alternative to consent?

Performance of a contract (GDPR Article 6(b))

To fulfil their obligations to the employee under the employment contract, employers will need to process some employee data. For instance, employers must process personal data such as names, working schedules and bank account details in order to pay employees. In that situation, employers are likely to rely on the performance of a contract as the legal basis for processing. This will also serve as the legal basis for processing data relating to benefits that are contractually owed to employees, such as keeping track of absences to ensure that workers receive the occupational sick pay they are due.

The Employer’s legitimate interest (GDPR Article 6(f))

Employers will have to rely on legitimate interests as the legal basis for processing data in any case where it is required to process data but not in connection with the performance of a contract or compliance with a legal obligation.

For example, employers may wish to record when employees enter and exit the office for security reasons. If the records make it possible to identify the entry and exit times of individual employees, those records constitute personal data. The employer does not need this information to fulfil its obligations under the employment contract or to comply with a legal requirement, so it must rely on its legitimate interest in protecting security as the legal basis for processing.

A disadvantage of using legitimate interests as the basis for processing is that it requires weighing the interests of the employer against those of the employee[7]. The employer will not be able to rely on its legitimate interests as the legal basis for processing if the employee’s interests, rights or freedoms outweigh those of the employer. The more sensitive or intrusive the processing, the harder it will be to demonstrate the legitimate interest basis. The company should evaluate whether there is another, less intrusive way to accomplish its goals and weigh the importance of the processing against any potential negative effects on personnel. A further practical disadvantage is that exceptions must be made for individual employees when an objection is raised, which is administratively complicated.

What should employers do?

Employers should evaluate their current processing-related policies. Employers who process routine personal data on the basis of consent given in employment contracts will need to change their approach[8]. Usually one of the other legal bases should be relied on instead, typically that the processing is necessary for the performance of the contract.

In cases where consent is necessary, make sure that it is set out in a separate, understandable document and that the right to withdraw that consent is stated clearly.

Any questions?

Lex Digitalis is a full-service agency in the field of privacy, data and cyber security. Lex Digitalis can also advise and assist you in the field of processing special categories of data (processing sensitive data). This includes registration of data processing activities, conducting PIAs and/or DPIAs, and drafting reports to the AP and to the data subjects involved. You can contact me or one of my colleagues about this (06 – 18536230,

[1] Recital 32 of the GDPR.
[2] Ameyo T, “Employee-Employer Relationship: Call Center Management”
[4] “Consent and Personal Data in an Employment Setting”—hr-data/consent-and-personal-data-in-an-employment-setting
[5] “Can My Employer Require Me to Give My Consent to Use My Personal Data?” (European Commission – European Commission)
[6] “Data Processing in the Employment Context: The Netherlands: Global Data Privacy & Security Handbook: Baker McKenzie Resource Hub”
[7] “How to Determine the Legal Grounds for Processing Employee Data under the General Data Protection Regulation (GDPR) Manager’s Guide”
[8] Charles Russell Speechlys, “Processing Employee Data under the GDPR”