Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations to the individuals the data is related to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
The concept of employee consent has been increasingly criticized because there is doubt as to whether consent can be given freely in the subordinate employee/employer relationship.
In Saudi Arabia there is no specific requirement to obtain consent from employees to collect personal data for employment purposes. That said, as a best practice employers should obtain the explicit consent of employees if the data will be shared with third parties or, if more data is being collected than what is necessary to complete employment and legal obligations. Obtaining explicit consent is a safeguard against possible actions by employees if the disclosure of employee personal information is later alleged to have caused harm.
HR Best Practices: When obtaining employee consent provide employees with clear communications including enough detail for consent to be informed (for example, categories of data that will be shared with third parties, purposes for collecting and processing personal data, etc.).