How safe is the “consent” requirement of GDPR when processing personal data on employees?

Andrew Masters

Partner & Head of Employment

March 5, 2018

As the European Union’s General Data Protection Regulation (“GDPR”) looms ever closer, with its deadline for implementation on 25th May 2018, there is a sense of panic as employers and HR scramble to get up to speed with its 173-paragraph recital and 97 Articles, on top of all the other things they already have to do.

The Furley Page Employment Team will be covering the GDPR in more depth as one of the update topics in our forthcoming employment law seminar on 19th April 2018. In the meantime, in a series of blogs, we will touch on the main areas to focus on in preparation for the 25th May.

Here we look specifically at one particular gremlin which crops up, not infrequently, in the employment contract; that being a generic clause in which employees consent to the processing of their personal data by their employer.

Is it safe to rely on such clauses for the processing of all personal data on employees?

Not anymore.

Clauses of this nature have come under fire and are unlikely to be fit for purpose after 25th May. Employers are actively encouraged to look to other lawful grounds for the processing of HR data and not to rely on the consent clause.

What is wrong with a consent clause?

Under the GDPR, consent must be “freely given, specific, informed and unambiguous”. This will be indicated by “a statement or by a clear affirmation”.

The UK’s Information Commissioner’s Office (ICO), in its ‘Consultation: GDPR Consent Guidance’ advises organisations not to use the ‘consent’ criteria in situations where the organisation would still process the data on a different lawful basis. It states:

“You should always choose the lawful basis that most closely reflects the true nature of your relationship with an individual and the purpose of the processing. If consent is difficult, this is often because another lawful basis is more appropriate, you should consider the alternatives.”

Consent will not be appropriate if there is a clear imbalance of power and this is usually the case in an employment relationship. Employees do not normally have a genuine choice.

Put another way, ‘consent’ as a basis for processing should do what it says on the tin, and be used only when people have a real choice in whether or not their data is processed. In an employment relationship there is little point in asking for consent to the processing of details on salary, bonuses or benefits, because an employer has to do this for the relationship to work.

Employers should not despair. They will find that most legitimate HR activities relating to the processing of personal data are already covered by Article 6 (1) GDPR which sets out six lawful bases, consent being one of them. The other five are:

  • For the performance of an employment contract.
  • For compliance with the employer’s legal obligations.
  • To protect the employee’s vital interests.
  • For carrying out public functions.
  • For the legitimate interests of the employer or any third party to whom the employer discloses the personal data, if the employee’s fundamental rights and freedoms do not override those interests.

At each stage of the HR process from the receipt of an application to the offer of a job, the processing of terms and conditions, payroll data, details of benefits, performance appraisals, lawful monitoring, through to termination and an exit interview, there is a legitimate reason, compliant with Article 6 GDPR for the processing of such information.

Employers should also be aware that where they rely on ‘consent’ for the processing of data, the data subject gains additional rights such as the right to erasure (also known as ‘the right to be forgotten’). If an employee or any other data subject has given genuine consent to the processing of their data, they also have the right to remove this consent at any time and request that the data is immediately destroyed. Further circumstances in which an employee can request deletion of data include where it is no longer necessary for the purpose for which it was collected.

What should change, if anything?

What employers should ideally be doing is looking at the HR data they process, and asking themselves what the reason is for the processing of such data and whether it falls into one of the categories listed in Article 6.

We would recommend data mapping, with thought given to what data is held at each stage of the employment cycle; the reason it is needed; where it is held; how it is processed; and for how long.

Effectively, this is what GDPR requires: a more proactive approach to data processing, one which is transparent and fair.

Where an employer is using special category data (also known as sensitive personal data), explicit consent to legitimise the processing is more likely to be needed, unless one of the specific conditions set out in Article 9 (2) applies. This data includes information on a subject’s racial or ethnic origin; their political opinions; religious beliefs; trade union membership; health; sex life or sexual orientation; genetic or biometric data.

Of course, this blog is not to suggest that employers can no longer rely on a consent clause; rather, if they do, it needs to be fit for purpose, specific to a situation, and it should be freely given.

For further information contact an employment law specialist in our legal team on 01227 763939.