Do EU employers have to obtain consent from employees before processing their personal information?
Consent can be a tricky yet tempting option for HR professionals. The concept of getting 10,000+ employees to agree to have their data tracked seems improbable at best. However, once you get employees to affirmatively check the “yes” box, it appears to be indisputable proof that the employee agreed to the collection. Well, it turns out this is a common misconception.
Here are 3 key questions to ask before using consent as part of your HR data collection practices:
1. Is consent actually required to process an employee’s data?
The General Data Protection Regulation makes it clear that while consent is required in some cases, in principle, you don’t need consent in the employment context as long as the data is strictly used for HR purposes. This is a good thing for HR teams.
Under the GDPR, there are three key justifications for processing employee information that will likely be more appropriate (and much easier for HR teams to comply with) than consent. These include processing data:
- if it’s necessary for the performance of a contract; or,
- to comply with your legal obligations; or,
- when it’s necessary for the legitimate interests of the data controller (i.e. employer), unless that is overridden by the interests or fundamental rights of the individual.
2. Is the collection purpose reasonable and what processes should I follow when consent is not used?
When assessing whether you are allowed to collect certain employee information, start from the legal basis or contractual requirement. You can use consent in certain instances, but mere consent is not bullet-proof. Note that the GDPR does not require any specific method—the requirement is to be able to prove and justify the legitimacy of the processing of each piece of collected data.
After formalizing the underlying reason for processing data, most employers follow the best practice of informing employees with a formal notice/acknowledgment prior to collecting new information.
For example, when you are collecting data to process payroll, document the information required to pay employees. Then, provide employees with the policy explaining why that information is being collected and clearly explain that this data will only be used for processing payroll. Finally, if applicable, have employees acknowledge receipt of the payroll policy.
3. If consent is needed and the purpose is reasonable, will employees be able to freely agree or refuse the processing?
In some cases, consent may be a better fit. However, before relying on consent, consider whether employees are able to freely object to having their data collected. For example, if an employee refuses to provide requested information that is necessary to process their paycheck, they cannot be paid. This direct consequence (not being paid) invalidates consent as a legal basis for processing this information.
Remember that the general requirement for consent to be valid is that it should be freely given, and freely given means that there should not be any adverse consequences on the employee’s situation if the person refuses to give consent. In addition, individuals must be given the right to withdraw consent at any time.
If you are currently using blanket consent in any of your HR data practices, it’s time to take a closer look. Make sure you can prove that consent has in fact been freely given and that the refusal of the collection would have no impact on an individual’s employment.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.