Processing employee data under the GDPR

The new EU Data Protection Regulation (GDPR) will take effect in the UK from 25 May. Key changes include a wider definition of personal data, a “right to be forgotten” in some circumstances, tighter rules on the issue of consent and significant fines of 4% of worldwide turnover, or 20 million Euros (whichever is the greater). With potential penalties at such a high level this is not something that any organisation can afford to ignore.

In a series of Insights we will look at some of the key areas for HR, focusing here on the legal basis that employers can seek to rely on when processing employee data, and the difficulties that may arise.

The legal basis for processing

One of the principles underpinning the GDPR is that personal data must be “processed lawfully, fairly and in a transparent manner in relation to individuals”.  To meet this, it is essential that organisations consider why they are processing the data and what lawful basis they can rely on.  In the employment context, the potential bases are likely to be:

  • that the data subject has given consent
  • processing is necessary for the performance of the employment contract
  • processing is necessary for compliance with a legal obligation to which the controller is subject
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

Of these options, consent may appear the obvious choice for employers, but there are some difficulties with this in the employment context, which we look at below.

Consent – the problems and the pitfalls

Historically, many organisations have relied on general consent clauses contained in employment contracts as the basis for processing employee data. The Information Commissioner's Office (ICO) has always thought this to be problematic, as an employee entering into an employment contract is rarely on an equal footing with the employer and so has no real choice, meaning the consent is not freely given.

Under the GDPR things get even trickier. There is a new, tighter, definition of consent, which is: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. There is also a requirement that it must be as easy to withdraw the consent as it was to give it and that employees be notified of this right, meaning that any existing consents are unlikely to meet these requirements.

The ICO has indicated in draft guidance that freely given consent in the employment context will be difficult to establish as an employer is in a position of power. The guidance states that where there is an imbalance of power, there is a lack of real choice for the employee and as such “it follows that if for any reason you cannot offer people a genuine choice over how you use their data, consent will not be the appropriate basis for processing”.

Some organisations may think that the answer is to get consent and then rely on another basis if the “consent” is successfully challenged, but the ICO has made clear that it intends to discourage this type of behaviour. The draft guidance states that if you would still process the data on a different basis even if consent were refused or withdrawn, then seeking consent in the first place is “misleading and inherently unfair”, as it presents the individual with a false choice and only the “illusion” of control, and may lead to an employer being sanctioned. You need to identify the most appropriate lawful basis from the start.

So, what will be the most appropriate lawful basis?

In the case of ordinary personal data, it seems likely that an employer will be able to rely on the processing being necessary for the performance of the employment contract. This would enable processing of data for day-to-day activities such as payroll, benefits and certain disciplinary issues. For processing outside of the everyday, specific consent will be required, and this can be withdrawn at any time.

There are additional hurdles in relation to “special categories of personal data”, which is a similar, but slightly broader, version of what is currently known as “sensitive personal data”. This will cover information relating to employees’ racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health information and data relating to sex life and sexual orientation.

Some of this can be processed on the basis that it is necessary for carrying out obligations in the employment field, which would cover, for example, processing health information to comply with disability discrimination obligations and to administer sickness benefits. For other things, specific consent will be needed on a one-off basis. The consent needs to be in a separate document, clear as to what processing is taking place, and must also include information about withdrawing consent at any time. Consent will need to be obtained on each occasion processing takes place.

What should employers do?

Employers should be reviewing their current policies in relation to processing. For those employers relying on general consents contained in the employment contract to process ordinary personal data, a new approach will be needed. One of the other lawful bases should be relied on – most commonly this is likely to be that the processing is necessary for the performance of the contract.

Where consent is required, ensure that this is contained in a separate, clear document and that the right to withdraw that consent is clear.
