Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations toward the individuals to whom the data relates (the data subjects). Some jurisdictions recognize the processing of personal data as lawful only if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data and may not require consent. The processing of HR personal data has prompted questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements. The concept of employee consent has been increasingly criticized because there is doubt as to whether consent can be given freely in the subordinate employee/employer relationship.
In order to collect employees’ personal data in Mexico, consent is generally required, with a few exceptions (Federal Law on the Protection of Personal Data Held by Private Parties). Consent can be provided verbally, in writing or via any technology. With the exception of sensitive personal data (which has additional requirements), tacit consent is allowed under the law when the individual is provided with a privacy notice and has the option to opt out of the collection. Employers must also give individuals the option to opt out of consent at a later date via the privacy notice (note: the revocation would not be retroactive). Consent to collect personal information is not necessary when:
- otherwise required by law or regulation;
- the data is publicly accessible;
- the personal data has been deidentified;
- the collection is required to fulfill an obligation between the employee (or other individual) and the employer (e.g., when necessary to fulfill an employee contract); or,
- there is an emergency that could harm an individual or an individual’s assets.
The personal data that is collected must be limited to the purpose outlined in the privacy notice. If the data is being processed for a new purpose, the employer must obtain new consent from the employee.
When collecting sensitive personal data, express written consent must be obtained and the notice must specifically state that sensitive personal data is being handled. Sensitive personal data includes information that affects the most intimate sphere of the individual as well as personal information that could cause serious risk or discrimination if revealed. This includes personal information such as: race/ethnicity, health status, genetic information, religious/philosophical/moral beliefs, union affiliations, political opinion and sexual preference.
HR teams should provide individuals with a privacy notice prior to collecting personal information. Notices should include:
- the data controller’s identity and contact information;
- the purpose of the data collection;
- the options that the employee/applicant has to limit the use or disclosure of their personal information;
- how the employee can exercise the right to access, correct, request deletion, or express concerns with the data collection;
- whether data may be transferred to a third party;
- how the employer will communicate changes in the privacy notice; and,
- whether the data collection includes sensitive data.
HR Best Practices: Limit the collection of employees’ personal data to information that is clearly outlined in employee privacy notices. When consent is used, ensure there is a way for employees to revoke their consent at a later date and that employees are notified of the revocation process.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.