Can an employee’s personal data be processed based on consent?

When the General Data Protection Regulation (GDPR) came into force, companies made an effort to meet their data protection obligations towards customers; however, employees should not be overlooked either. In order to process personal data, the employer must determine the purpose of the processing and the legal basis on which the data is processed.

As the employee is generally the weaker party in the employment relationship, it is not appropriate to use the employee’s consent as a basis for processing.

The GDPR stipulates that consent must be freely given, and consent cannot be considered freely given in a situation where one party is dependent on, or significantly weaker than, the other. In addition, consent given in an employment relationship cannot be revoked easily.

One month ago, the Greek Data Protection Authority fined PWC Business Solutions in the amount of 150,000 EUR for using consent as a basis for processing employees’ personal data. The Authority considered this basis inappropriate and misleading for the staff.

In addition, such conduct was found to be contrary to the principle of transparency deriving from the GDPR, and the obligation to inform employees was also infringed. Nor was the company able to demonstrate to the Authority that it had previously assessed which legal basis was appropriate.

In employment relationships, the main legal basis for the processing of personal data is the performance of a contract or a legal obligation. Personal data necessary for the performance of the employment contract is processed on the basis of the performance of the contract, e.g. salary data. The law obliges the employer to provide the state with the employee’s personal data for social and health insurance, and according to the Employment Contracts Act, employment contracts must be retained for 10 years.

An employer may also process personal data on the basis of legitimate interest if the employer has a compelling interest in collecting personal data and the collection of such data does not significantly violate the individual’s rights, e.g. the use of security cameras in the workplace.

It should be borne in mind that collecting personal data must be kept to a minimum, i.e. to the extent necessary to fulfill an employment contract, a legal obligation, or a legitimate interest. For example, there is no reason for an employer to collect data on an employee’s marital status or hobbies.

Employee consent may be appropriate in situations of an organizational nature, such as the processing of the data of employees’ children for a Christmas party or the use of employee photos on social media.

In order to comply with data protection requirements, the employer must establish the conditions under which personal data is processed, e.g. as part of the rules of work organization, and inform employees about the data processing. This can prevent some disputes as well as potential fines.

Hedman