Processing personal data and consent in the employment context – what are the issues?
07 August 2019
The Hellenic Data Protection Authority has imposed a €150,000 fine against an employer which had inappropriately relied on consent as the lawful basis for processing employee data. This decision is an important reminder for employers and data controllers of the limitations of using consent as a valid basis for processing employee data in the post-25 May 2018 EU General Data Protection Regulation (“GDPR”) landscape.
Background
Before the introduction of the GDPR, many employers relied on employee consent to justify all their workforce data-processing activities (for example, by including a clause in the employment contract at the outset of the relationship). However, under the GDPR, consent must be actively and freely given to be a valid basis for data processing, so this historic approach is problematic. The GDPR incorporates the long-held view of the European regulators that consent to processing in the context of a contractual employment relationship cannot be considered freely given, due to the clear imbalance of power between the parties.
The Hellenic Data Protection Authority’s decision
After receiving a complaint that an employer in Greece had relied on consent as the lawful basis for processing its employees’ personal data, the Hellenic Data Protection Authority (the “Authority”) initiated an investigation.
The employer in this case had given employees the impression that it was processing their personal data on the legal basis of consent, while in reality it was processing their data under a different legal basis about which they had not been informed. The Authority decided that the processing was in fact covered by other lawful bases (performance of a contract, compliance with a legal obligation) and, because consent can only be relied on when no other lawful basis for processing is available, the Authority found that the employer’s reliance on consent as the basis for processing was inappropriate and a violation of the principle of lawfulness, fairness and transparency.
The Authority exercised its corrective powers under the GDPR to issue an order requiring the employer to bring its processing into compliance with the GDPR within three months. However, the Authority did not consider the corrective order sufficient on its own, and so it also issued a fine of €150,000 (approximately 0.36% of the employer’s turnover).
Implications
This decision is an important reminder to employers that relying on consent for processing employee data should be avoided as far as possible in the employment context. In almost all circumstances, employers will (and should) be able to find other lawful bases for processing employee data (for example, performance of a contract to which a data subject is party, a legal obligation, or a legitimate interest).
The decision also emphasises the point that employers and data controllers in general must demonstrate accountability in their data protection compliance. The Authority pointed out that the employer had effectively transferred its compliance obligations to its employees by requiring them to sign a statement whereby they acknowledged that the processing was related to the employment relationship and organisation of work and that it was relevant and appropriate to process their data in that context. The employer had also not been able to refer to any internal documentation to demonstrate how it came to choose the lawful basis for processing the data.
Finally, the decision is a reminder to data controllers of the challenges in switching between the different lawful bases for processing data – going from one processing condition to another will often be seen as unfair to individuals, and data controllers could be in breach of their accountability and transparency obligations if they do not get this right.
Further information on the issue of consent under the GDPR can be found in our Inbrief here.