The processing of any personal data may impose obligations to the individuals the data is related to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements. The concept of employee consent has been increasingly criticized because there is doubt as to whether consent can be given freely in the subordinate employee/employer relationship.
Consent is one of the core rights of data subjects under Korea’s Personal Information Protection Act (PIPA), and individuals have the right to choose whether to consent and elect the scope of the consent relating to the processing of their personal information. Employers are allowed to collect personal information without consent in the following cases:
In principle, employers are not allowed to process sensitive information, including: ideology, beliefs, admission to/withdrawal from trade/political parties, political beliefs, health, sexual life or, other personal information that is likely to threaten the privacy of the employee. However, sensitive information may be processed in cases where:
When obtaining consent or modifying the purpose of collecting data, employers should inform employees of the:
Consent can be obtained via writing (electronic, fax or paper), telephone, email, the internet or similar manner. Where consent is used, each item that would require consent should be separated so that an individual is able to choose which items to consent to. The mere act of informing individuals of the personal data collection will not suffice. The individuals must be advised of the items above and must provide their explicit consent to the collection of personal information.
Under the PIPA, employers are not required to obtain the consent of employees when outsourcing the processing of personal information. Similarly, consent is not required if the processing of personal information is outsourced to a foreign entity, but employers must include information on the specific tasks to be outsourced and the name(s) of the outsourced processor(s) in their privacy policy, so that such information is readily available to employees. Employees must be notified when data is being transferred out of Korea and/or when personal information is being collected from third parties.
HR Best Practices: Even if consent is not required, make sure to properly inform employees and applicants prior to data collection. Although consent in writing is not required, as a best practice obtain employee consent in writing in case it is ever questioned in court.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.
