The GDPR has been in force for just over a year and we are now starting to see evidence of Data Protection Authorities across the EU issuing fines for non-compliance. Most recently, the Greek Data Protection Authority (“DPA”) fined PwC €150,000 for incorrectly relying on “consent” as a legal basis for processing the personal data of its employees. This fine shows that it is vital for employers to understand when it is appropriate (and when it is not appropriate) to rely on consent for employee data in order to avoid the scrutiny of the regulator and possibly hefty fines, bad press but, most importantly, to protect their employees’ rights under the GDPR.
Consent as a legal basis
There are six legal bases for processing personal data, of which consent is only one (not, as some may think, the top/best processing condition in all circumstances). No one condition is better than the other, however one may be more appropriate compared to another depending on the circumstances.
Consent was a lawful basis for processing under the previous UK Data Protection Act 1998 and remains so under the GDPR and UK Data Protection Act 2018. However, the threshold for valid consent has been enhanced significantly and now includes additional requirements which will mean that the debate as to whether an employer could, or rather should, use consent as its legal basis has been brought to an end.
Why is consent problematic for employers?
Employers have often relied on consent to process data in the context of the employment relationship. Under GDPR, consent must be both freely given and as easy to withdraw as it was to give. This means that, at any point, an employee can withdraw their consent, leaving the employer to find another legal basis upon which to justify the processing of personal data, or unable to continue that processing activity. In fact, where the employee withdraws consent and the employer could/would rely on an alternative legal basis for the processing, consent was not an appropriate legal basis to rely on in the first place.
In order for consent to be considered to be freely given, it “should not provide a valid ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller” (i.e. the employee/employer relationship) according to guidance from the ICO. The Greek DPA decision has confirmed that consent in the context of the employment relationship cannot be deemed to be freely given due to the obvious imbalance between the parties, and therefore most uses of consent in the employment context will be unlawful.
In the employment scenario, most template employment contracts have standard data protection consent clauses bundled up in the employment contract itself. That itself presents a couple of issues: how does an employee withdraw their consent to the processing in that context? With great difficulty! And, realistically, how freely was the consent given if it was a condition of employment? The Greek DPA has followed the GDPR guidance and found that such consent is not valid.
What should employers do?
Employers should take note of the other legal bases upon which they can process personal data, such as those highlighted in the Greek DPA decision:
- for the performance of employment contracts;
- for compliance with a legal obligation to which the controller is subject; and
- for the smooth and effective operation of the company, as its legitimate interest.
It is clear to see that consent is proving to be a tricky basis for employers to rely on in relation to processing of employee data, and the general consensus is that it should not be relied upon unless necessary and in circumstances where no other basis can be relied upon.
How can we help?
MacRoberts can provide tailored GDPR training (both online and face to face) for your business with a focus on the employment relationship, which will be particularly beneficial for managers those working in HR.
We also offer a fixed fee employment document package to ensure your business is compliant with GDPR and your employees’ rights are protected.
For further information, please contact our Data Protection & Cyber Security team.
This article was co-written by Megan Lukins.