The processing of any personal data may impose obligations toward the individuals to whom the data relates, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and prompted court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements. The concept of employee consent has been increasingly criticized because there is doubt as to whether consent can be given freely in the subordinate employee/employer relationship.
In Colombia, employers must generally obtain the employee’s authorization prior to processing personal information. Consent must be prior, express and informed. The consent to process data can be provided in writing, verbally, or through “unequivocal conduct” by the employee which would reasonably lead to the conclusion that the authorization was granted. Note that an individual’s silence does not meet the requirements to process personal data (Decree 1377 of 2013). Employers should retain the proof of the employee’s authorization.
Authorization is not needed in certain cases. Exceptions which will most likely relate to employers include when:
Employees have the right to revoke consent at any time by submitting a request to the employer. The revocation does not apply in cases where the processing is required by law or by contract.
Under Law 1581 of 2012, explicit consent must be obtained prior to processing sensitive personal data, unless the processing is required by law or necessary for the establishment/execution/defense of a right in a legal proceeding. Sensitive personal data is considered to be data which affects the privacy of the individual or which could result in discrimination if improperly used. Sensitive personal data includes information that reveals: race/ethnicity, political orientation, religious/philosophical beliefs, membership in a trade union/social/political/human rights organization, and health/sexual/biometric information. Employees must be informed that they are not required to authorize the processing of their sensitive personal data.
When requesting consent to process personal data, employees must be clearly and expressly informed:
Employers are required to maintain an information processing policy that’s accessible to employees in paper or electronic form. The policy must include:
All material changes to the policy should be promptly communicated to employees.
HR Best Practices: Before collecting personal data, ensure employees are properly informed of the data collection, and are given access to the company’s processing policy. Except in cases where consent is not required, obtain the consent of the employee prior to processing personal data and retain a copy of the authorization.