Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations to the individuals the data is related to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation, with or without the data subject consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
In general, the processing of personal data in Switzerland does not require a justification by law, consent, or overriding interest unless it leads to an unlawful data breach.
Pursuant to Swiss Data Protection Law, processing personal data may be justified by consent, law or overriding interests. Where consent is required, it must be given freely, informed and expressly.
As a general rule, the processing of personal data must be transparent. Therefore, the collection of personal data and in particular the purpose of its processing must be evident to the data subject. Data collection in relation to employment law is allowed to the extent that the collected, stored and processed personal data concerns the employee or potential employee’s suitability for his or her job. Or, the data is necessary for the performance of the employment contract.
The employee can be informed either orally or by written notice. It is recommended that the information is given prior to the initial processing. The information must include details on the data controller, the purpose of the processing and, where applicable, the categories of data recipients.
Furthermore, employers may require substantial health data from employees during the beginning of an employment relationship to enroll in social security and sick pay insurance. There is no general legal obligation for the processing of such health data. However, to the extent that medical/health information is necessary for the performance of the employment contract, such medical/health data may be processed without further obligations.
HR Best Practices: In case the processing includes sensitive personal data and/or personality profiles (which is often the case as regards to employees), there is a duty of active information unless the law requires the processing. Information can be given orally or by written notice. Written notice is highly recommended.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.