Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may create obligations toward the individuals to whom the data relates, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and prompted court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
The concept of employee consent has been increasingly criticized because there is doubt as to whether consent can be given freely in the subordinate employee/employer relationship. There are more prescriptive requirements for obtaining consent under the European General Data Protection Regulation, including the data subject's ability to withdraw consent at any time.
The legitimate interest of employers can sometimes be invoked as a legal ground for processing personal data, but only if the processing is strictly necessary for a legitimate purpose and the processing complies with the principles of proportionality and subsidiarity. A proportionality test should be conducted in order to consider whether all data collected is truly necessary, and measures must be taken to keep personal data processing limited to the minimum necessary.
Under Germany’s Federal Data Protection Act (Bundesdatenschutzgesetz, or “BDSG”), employers are allowed to process personal data “for employment-related purposes where necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract or to exercise or satisfy rights and obligations of employees’ representation laid down by law or by collective agreements or other agreements between the employer and staff council” (Sub-chapter 2, Sec. 26-1).
Sensitive personal data may also be processed without consent for employment purposes to comply with legal obligations relating to labor law, social security and social protection law (except in cases where the employee has an overriding legitimate interest). When processing sensitive personal data without the employee’s consent, employers should document the data that is being processed along with the reason why the employer’s interests outweigh the interests of the employees.
Employers may use consent in certain cases, but the dependence of the employee will be considered when assessing whether the consent was freely given. One potentially beneficial area for employers is that “[c]onsent may be freely given in particular if it is associated with a legal or economic advantage for the employee, or if the employer and employee are pursuing the same interests.”
When consent is used, employees must be informed as to why their personal information is being processed and notified that they have the right to withdraw consent at a later time. These details must be provided in text form (in most cases) to employees and the consent must be given in writing.
HR Best Practices: As consent on its own might not be enough to justify lawful processing of employee personal data, other processes should be documented and implemented. Consider legitimate requirements, such as processing bank account numbers for purposes of payment or processing personal data for health insurance. Commit to properly informing employees, documenting legal rationales for data collection and offering consent/correction/deletion where possible.