Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations towards the individuals the data relates to, the data subjects. Some jurisdictions only recognize the processing of personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data and may not require consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
The concept of employee consent has been increasingly criticized because there is doubt as to whether consent can be given freely in the subordinate employee/employer relationship. There are more prescriptive requirements for obtaining consent under the European General Data Protection Regulation, including the ability to withdraw consent at any time.
The legitimate interest of employers can sometimes be invoked as a legal ground for processing personal data, but only if the processing is strictly necessary for a legitimate purpose and the processing complies with the principles of proportionality and subsidiarity. A proportionality test should be conducted in order to consider whether all data collected is truly necessary, and measures must be taken to keep personal data processing limited to the minimum necessary.
Clear communications should be provided to employees, informing them how their personal data is being processed. Where possible, such as when monitoring technologies are deployed, employees should be given the option to prevent their data from being captured. Where employees are expected to use online applications which process personal data, employers should consider enabling employees to designate certain private spaces to which the employer may not gain access under any circumstances, such as a private mail or document folder.
Automated Data Processing and Employee Monitoring
Under Romania’s Law no. 190/2018 (Art. 5), employers can process personal data using electronic monitoring or video surveillance in the workplace in order to achieve legitimate interests pursued by the employer only if:
- the legitimate interests pursued by the employer are duly justified and prevail over the interests or rights and freedoms of the data subjects (i.e., the employee);
- the employer has provided employees with mandatory, complete and explicit information about the monitoring;
- the employer has consulted the trade union or, if appropriate, employee representatives before implementing the monitoring systems;
- other less intrusive means of achieving the goal pursued by the employer have previously proven ineffective; and,
- the retention period of personal data is proportionate to the purpose, and is no longer than 30 days, except when expressly provided for by law or in duly justified cases.
In addition, under Law no. 190/2018 (Art. 3), the processing of genetic, biometric or health data for the purpose of automated decision-making or profiling is allowed with the explicit consent of the employee (or other data subject) or, if the data is processed under specific legal provisions, as long as appropriate measures have been taken to protect the rights, freedoms and legitimate interests of the individual. Note that as employee consent is often not considered valid under the GDPR due to the unequal relationship between the employer and employee, employers should use caution before processing genetic, biometric or health information on the basis of an employee or job applicant’s consent.
Prior to processing large-scale personal employee data, a data protection impact assessment should be completed. Decision no. 174 of the 18th of October 2018, issued by the Supervisory Authority, on the list of the types of processing operations which are subject to a data protection impact assessment (Art. 1) includes any large-scale processing of personal data of vulnerable individuals (such as children) and/or employees through automatic means of systematic monitoring and/or recording of behavior.
HR Best Practices: As consent on its own might not be enough to justify lawful processing of employee personal data, other processes should be documented and implemented. Consider legitimate requirements, such as processing bank account numbers for purposes of payment or processing personal data for health insurance. Commit to properly informing employees, documenting legal rationales for data collection and offering consent/correction/deletion where possible.