Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations to the individuals the data is related to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation, with or without the data subject consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
In general, the processing of personal data in Switzerland does not require a specific justification by law, consent, or overriding interest unless it leads to an unlawful data breach.
Pursuant to Swiss Data Protection Law, processing personal data may be justified by consent, law or overriding interests. Where consent is required, it must be given freely and informed. In relation to employment law, data collection is permitted when necessary for the performance of an employment contract. In addition, the collection/storing/processing of personal data is allowed when it relates to the employee or job applicant’s suitability for the role.
Sensitive Personal Information
When processing sensitive personal information or personality profiles, employers must receive the employee’s express consent and the employee must be informed of the processing. Sensitive personal information includes data relating to: racial origin, trade union membership, health information, religious/ideological/political activities, the “intimate sphere” (such as sexual life), social security measures, and, administrative/criminal procedures/sanctions.
Sensitive personal data can be disclosed to a third-party with: the employee’s consent; an overriding public/private interest; or, when a provision of a Swiss law requires or permits the processing. The employee must be expressly informed about the sensitive personal data processing, and registration with the Federal Data Protection and Information Commissioner (FDPIC) may be required.
As a general rule, the processing of personal data must be transparent. Therefore, the collection of personal data and in particular the purpose of its processing must be evident to the data subject. In cases where processing is not transparent to the employee (or job applicant) based on the circumstances, the employee (or job applicant) must be informed of the processing.
As a best practice, a written employee privacy notice is recommended prior to the data processing, but employees can be notified orally or in writing. The notice should include details on the data controller, the purpose of the processing and, where applicable, the categories of data.
Employers may require substantial health data from employees during the beginning of an employment relationship to enroll in social security and sick pay insurance. There is no general legal obligation for the processing of such health data. However, to the extent that medical/health information is necessary for the performance of the employment contract, such medical/health data may be processed without further obligations.
When possible, health data should only be collected/processed directly by the party requiring the information and should not involve the employer as an intermediary. For example, insurance providers and pension schemes are obligated to request data directly from employees.
HR Best Practices: In case the processing includes sensitive personal data and/or personality profiles (which is often the case as regards to employees), there is a duty of active information unless the law requires the processing. Information can be given orally or by written notice. Written notice is highly recommended.
It’s likely that the updated Swiss Federal Act on Data Protection will include an active obligation to inform individuals when personal data is being processed.