Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations toward the individuals the data relates to (the data subjects). Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data and may not require consent. The processing of HR personal data has raised questions and led to court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
The concept of employee consent has been increasingly criticized because there is doubt as to whether consent can be given freely in the subordinate employee/employer relationship. There are more prescriptive requirements for obtaining consent under the General Data Protection Regulation, including the ability to withdraw consent at any time.
The legitimate interest of employers can sometimes be invoked as a legal ground for processing personal data, but only if the processing is strictly necessary for a legitimate purpose and the processing complies with the principles of proportionality and subsidiarity. A proportionality test should be conducted in order to consider whether all data collected is truly necessary, and measures must be taken to keep personal data processing limited to the minimum necessary.
Clear communications should be provided to employees, informing them how their personal data is being processed. Where possible, such as in the case of monitoring technologies, employees should be given the option to prevent their data from being captured.
Where employees are expected to use online applications which process personal data, employers should consider enabling employees to designate certain private spaces to which the employer may not gain access under any circumstances, such as a private mail or document folder.
Greek Law 4624/2019, which implemented the GDPR in the country, outlined when processing of personal data is permitted in the context of employment for certain purposes, including:
- when necessary for the performance or execution of the employment contract;
- with the employee’s freely given consent, taking into account the circumstances of the consent and the employee contract. Consent should be provided in writing or electronically and must be clearly distinguished from the employment contract. The employee should be informed electronically or in writing of the purpose of the processing and the right to withdraw consent;
- processing sensitive personal data (e.g., health data) when necessary to exercise rights or fulfill a legal obligation under labor laws or social security laws, and the legitimate interest of the data subject (i.e., the employee) doesn’t override the purpose of the processing. Explicit consent must be obtained when processing special categories of personal data;
- on the basis of collective agreements.
Processing personal data via CCTV systems is only permitted in workplaces if necessary for the protection of persons and goods. Employees must be informed of the installation and operation of CCTV systems in writing (written or electronic notice).
Note that under Law 4624/2019, the above applies to employees with any employment relationship, work or service contract, regardless of the contract’s validity, as well as to job applicants.
HR Best Practices: As consent on its own might not be enough to justify lawful processing of employee personal data, other processes should be documented and implemented. Consider legitimate requirements, such as processing bank account numbers for purposes of payment or processing personal data for health insurance. Commit to properly informing employees, documenting legal rationales for data collection and offering consent/correction/deletion where possible.