Employee’s consent and the General Data Protection Regulation
Under current legislation, employers often rely on an employee’s consent in their employment contract to the processing of their personal data. This article looks at how this will change under the General Data Protection Regulation (GDPR).
The GDPR, which will come into effect on 25 May 2018, applies to the processing of personal data carried out by organisations operating within the EU. If you have employees, in respect of whom you hold personal data, you will need to ensure that you are GDPR compliant. ‘Personal data’ means any information relating to a person, who can be directly or indirectly identified, for example, by name, identification number, location data or online identifier. The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria, such as chronologically ordered sets of manual records containing personal data. In reality, if you hold personal data relating to your employees or track their activities for performance, disciplinary or other employment-related actions, you will need to ensure that you are GDPR compliant.
- As was the case under the Data Protection Act 1998, you must have at least one valid lawful basis in order to process personal data. However, the GDPR places more emphasis on being accountable for and transparent about your lawful basis for processing and you should review your existing processing practices, identify the most appropriate lawful basis (see below) and check that it applies.
- The six lawful bases for processing under the GDPR are as follows:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks).
Currently, many employers rely on an employee’s consent to process their personal data and usually such consent is included in the employment contract. However, the GDPR sets a high standard for consent. Consent means offering individuals real choice and control. It must be specific, informed, freely-given separate from other terms and conditions, and revocable. Given that an employer is in a position of power over an employee, the employee is unlikely to be seen to be giving their consent freely except in exceptional circumstances and it will be very difficult under the GDPR to rely on consent to process their personal data.
Alternative legal bases you might use include:
- Contract: The data processing could be necessary for the performance of the employment contract – such as the processing of the employee’s bank details in order to pay the employee’s salary direct into their bank account.
- Legal obligation: The data processing could be necessary in order to comply with the employer’s legal obligation to disclose employee salary details to HMRC.
- Legitimate interests: This is likely to assume substantial prominence under the GDPR and will be used by employers as their legal basis where they can demonstrate that it is in line with people’s reasonable expectations and would not have an unwarranted impact on them.
You may need to review your template documentation such as employment contracts and any free-standing employee data processing consents and assess upfront which legal basis you will be relying on for data processing going forward and document this. There is no standard form for this, as long as you ensure that you keep a record showing that you have properly considered which lawful basis applies to each processing purpose and can justify your decision. This will help you comply with accountability obligations. You will also have to inform employees upfront in writing, by way of a privacy notice, about your lawful basis for processing their personal data before starting to process it. It’s important to get this right first time as retrospectively switching lawful basis is likely to be inherently unfair to the employee and lead to breaches of accountability and transparency requirements.
For existing employees: it will not be necessary for you to amend the contracts of existing employees to comply with the GDPR. However, you should issue a new privacy notice (also known as an information notice or fair processing notice) to existing employees by 25 May 2018, providing information on the processing of their personal data and overriding any invalid data protection clauses in the contract. The GDPR specifies the information that you must provide in the privacy notice. This includes the purposes for which the employer will process the employee’s personal data, the legal bases for the processing, information about the retention period and information about the employee’s rights as a data subject.
For new employees: you should replace any provision concerning consent to data processing in your template documentation with, for example, a new provision referencing the alternative legal bases for data processing to be included in your privacy notice.
Failure to comply with the GDPR for violations relating to breaches of the data protection principles or conditions for consent can result in fines of up to €20 million or 4% of annual worldwide turnover of the preceding financial year (whichever is greater). This is significantly higher than the existing maximum fine of £500,000.
In short, if as an employer, you previously regarded non-compliance with EU data protection law as a low-risk issue, you should now re-evaluate your position.
This material is for general information only and is not intended to provide legal advice.
For further information please contact: