Employers - How Do You Manage Your Employees' Personal Data?
As we have mentioned in previous articles, the GDPR has changed the way companies process data. Compared to previous legislation, the GDPR sets higher standards for the protection of personal data and puts an emphasis on company transparency and accountability.
As such, mishandling data has become more financially dangerous than ever before and no one under the GDPR’s scope is safe from potential fines or sanctions – especially not employers. The tables have turned in this post-GDPR world as the power is stripped from the employers in favour of employees, the owners of their personal data. Article 88 of the GDPR gives member states the power to create and implement stricter laws in order to ensure the protection of the rights and freedoms of employees’ personal data particularly regarding recruitment, contracts, obligations, management, planning and organisation, equality, diversity, property, health and safety and termination.
Why do employees need added protection under the GDPR?
First and foremost, it is important to understand what constitutes “data processing” – Processing is simply an umbrella term which includes collecting, recording, organizing, storing, using, disclosing or disseminating personal data.
The reason why data processing is so important In the context of employment is because employers have a unique access to their employees’ information that others data processors may not usually have such as their national insurance numbers, bank and pay details, health insurance information, medical history, background checks, drug test information, personal records, family information, etc. Not to mention their access to personal data dubbed as “sensitive” or “special category” under the GDPR which includes information relating to a person’s origins, race, political stance, belief systems, trade union membership, health, sex life, sexual orientation, genetic and biomedical data.
Hence, given employers’ access to this sensitive data, member states have the power to create and implement stricter rules under the aforementioned Article 88 of the GDPR.
So, when can employers process employee data?
Under Article 6(1) of the GDPR employers can only process data if one or many of the following applies:
The employee (the data subject) has given his consent to the employer (the data processor) to process his or her personal data for one or more specific purposes.
The processing of employee data is required for the performance of the employment contract
The processing is required for the employer to comply to their legal obligations
The processing is required to protect the employee’s vital interests
The processing is necessary for public interest or the exercise of an official authority
The processing is necessary for legitimate interests of the employer or a third party, except where such interests are overridden by the fundamental rights and freedoms of the employee.
Furthermore, pursuant to Article 9 of the GDPR, an employer is prohibited to process special categories of data unless:
The employee has given explicit consent to the employer
The processing is carried out in legitimate activities with appropriate safeguards and certain conditions
The processing relates to data that the employee has made public
Where the processing is necessary for:
(i) the employer to fulfill specific rights and obligations;
(ii) the protection of the employee or another natural person where the employee is incapable of giving consent;
(iii) establishing, exercising or defending legal claims;
(iv) reasons of substantial public interest, including areas related to public health;
(v) purposes of preventive or occupational medicine, assessment of the working capacity of the employee, medical diagnosis, provision or management of health or social care; or
(vi) historical, scientific, research or statistical purposes.
Employee consent
In situations where employers use employee consent to lawfully process their data, certain requirements must be fulfilled under the GDPR.
It is worth noting that given the nature of the employee-employer relationship, it might be difficult for an employer to show that the employee has provided consent in accordance with the strict GDPR requirements, and the fact that consent may be so easily withdrawn may mean that it is not the most appropriate ground for employers to rely upon.
Nonetheless, for consent to be valid, from employees or other data subjects, the following conditions need to be met, which we outline below along with our comments:
Specific
As mentioned above, one of the GDPR’S main focus is to increase transparency in the world of data processing.
To that end, Article 6(1)a) of the GDPR explains that for data processing to be lawful, the employee (data subject) must consent to the processing of their personal data for one or more specific purposes.
In order to comply with the article mentioned above, employers should allow employees to specifically opt-in to each separate data processing operation rather than the outdated all encompassing consent clause.
Informed
To fulfill their obligation under Recital 42 of the GDPR, employers need to at the very least inform their employees on the identity of the data controller as well as the purpose of the data processing. It is also good practice on behalf of the employers to inform employees on the type of personal data that will be collected and used, their right to withdraw consent, etc. Furthermore, it should be noted that this information shall be presented to employees in clear and direct language – failure to do so could potentially void their consent.
Freely given
Pursuant to Article 7(4) of the GDPR, consent, in order to be valid, must be given freely.
This means that the employee (data subject) must have a real choice and be in a position of control and must not fear negative consequences (for example disciplinary processes or even dismissal) if he or she chooses to not consent to the data processing.
In addition, as mentioned above, employees must give their consent, separately, for each data processing operation.
Right to withdrawal
Article 7(3) of the GDPR also outlines another key component of consent – the employee’s ability to withdraw their consent without justification and whenever they so choose.
Employers must inform their employees of this right and how to exercise it, all before the data processing even begins. When an employee withdraws their consent, which should be as easy as the process to give consent, the employer must halt all processing activities pertaining to the employee in question. All processing activities done before consent was withdrawn remain lawful, however.
Unambiguous
Consent must be unambiguous according to Article 4(11) of the GDPR. This means that consent cannot be given by way of silence, inactivity or even pre-filled forms. Rather, for consent to be valid it must be done, verbally, in writing (including electronical), by ticking a box on a web page, selecting yes or no, etc. Essentially, the way a data subject gives consent may depend entirely on the circumstances. One thing remains true, however – consent requires a clear affirmative act that proves the data subjects’ consent to the data processing activities. Whilst it is possible to rely on verbal consent, we would always recommend that this is recorded somewhere so the the employer can produce a paper trail if it ever needs to justify its practices and in order to comply with the GDPR’s accountability principle.
Explicit
Certain kinds of data and processing activities also require specific consent.
Processing sensitive personal data (Article 9 of the GDPR), international data transfers (Article 49 of the GDPR) as well as decision making based solely on automated personal data processing (Article 22 of the GDPR) all fall into this category. In such cases, employees must give their explicit consent in writing by filling out an online form, by drafting an email, providing a document bearing their signature, electronic signatures (where authorized for Labour law purposes - this can vary from one jurisdiction to another), etc.
Best practice
In sum, employers that rely on employee consent for their data processing activities must set forth certain practices to comply with the GDPR and ensure a more pleasant employer/employee relationship. To this end, we would always advise keeping records of data processing activities and using consent tracking tools - even in situations where this is not a strict obligation under the GDPR.
As mentioned above, employees must consent to each data processing activity separately and, before such processing begins, their employer must inform them of their right to withdraw their consent at any time.
Employers must also be able to demonstrate their employees consent if its validity is put in question. Therefore, the implementation of a registry which collects and stores employee consent to data processing activities would be a wise decision.
As we have stated above, given the inherent imbalance of power between an employer and its employee, it is usually hard for employers to evidence that the above requirements for valid consent have been fulfilled - perhaps an employee gave consent simply for fear of not being employed or for fear of reprisals from his/her employer.
In that case, such consent cannot be said to be freely given. Accordingly, it is usually better for employers to seek to rely on one of the other lawful bases for processing personal data, rather than relying on an employee’s consent.
If you have any questions surrounding the GDPR and employee/employer relationships, please do not hesitate to contact us!
Article by Justin Boileau @ Gerrish Legal, August 2019