Matheson experts discuss new rules around consent under GDPR for employers.
Under GDPR, consent remains a legitimate processing ground for both sensitive and non-sensitive data. However, unlike the existing rules, GDPR sets out clearly defined requirements around consent, and mandates that consent may only be obtained for one or more specific purposes, with separate consents required where the employer intends to use the data for multiple purposes.
Consent under GDPR
For consent to be valid, GDPR requires an employer to be able to demonstrate, among other things, that the consent:
- is freely given
- is specific and informed (expressed in clear language)
- is an unambiguous indication of the employee’s wishes, by statement or other clear affirmative action
- can be refused or withdrawn without detriment
- is not bundled with other matters
- is not made a condition of a contract where the processing is not necessary for that contract
- is as easy to withdraw as it was to give
Consent will only meet the ‘freely given’ criterion where an employee has genuine or free choice and the ability to refuse or withdraw consent without detriment. As things currently stand, most employees would not feel that they can freely refuse or withdraw their consent.
This is due to the imbalance of power that exists in the employer-employee relationship. European guidance has flagged as “problematic” any approach in which an employer relies on ‘consent’ as the legal basis for processing employee personal data. In fact, the guidance states that employees can only give free consent in exceptional circumstances, namely where there will be no adverse consequences at all whether or not the employee gives consent.
Indeed, the European guidance notes that for the majority of data processing at work, the lawful basis “cannot and should not be the consent of employees”. Furthermore, GDPR makes clear that consent is unlikely to be valid where a contract is made conditional on consent to processing that is not actually necessary for the performance of that contract.
For these reasons, we would recommend that employers do not rely on consent as the basis for processing employee personal data. Trying to rely on consent in the face of these clear restrictions will only cause greater difficulties for employers in practice. For example, it will give an employee strong grounds to delay or even prevent an investigation, grievance or disciplinary process where that process is based on monitoring to which the employee’s consent was invalid.
Identify other options
Instead, employers should identify in advance another legal basis for processing employees’ personal data.
Examples of other legal bases would include where the processing is necessary for the performance of a contract between an employer and employee. This would cover use of bank account details to pay salary. Alternatively, the basis could be where the processing is necessary for the purposes of the legitimate interests pursued by the employer (except where such interests are overridden by the fundamental rights and freedoms of the employee).
In practice, this could permit monitoring of an employee’s email or internet usage at work, as the employer has a legitimate interest in ensuring that these are not being used to bully or harass fellow employees. Identifying the correct basis in advance should prevent employers from either operating in breach of GDPR or being prevented from taking steps that are otherwise necessary to run the organisation.
Where employers do wish to rely on consent, such as for the purpose of obtaining an occupational health report, employers should obtain separate consents outside of the contract of employment to deal with the processing of such data.
The key takeaway from this update is that employers should only rely on employee consent when processing personal data where it is absolutely necessary, and such cases should be the exception rather than the norm. For every other case, employers should always have an alternative legitimate processing ground identified as their ‘Plan B’.
But, how do employers deal with employees’ sensitive personal data? This raises the question of ‘Special Category’ data under GDPR, which is broadly similar to the concept of sensitive personal data under the existing rules.
A version of this article originally appeared on Matheson’s website.