Employee “consent” under the GDPR

Currently, many companies rely on their employees’ consent to process their personal data and short consents are often included in employment contracts for that purpose.  The benefits of this approach are obvious: rather than having to determine which legal basis (from a number of potential legal bases for the processing of employee data) applies to each category of employees’ personal data, an employer can simply rely on an all-encompassing consent (see Practice note, Employer obligations under the Data Protection Act 1998: Schedule 2 conditions).

However, there have already been a number of challenges to such an approach.  For example, as far back as 2001, the Article 29 Working Party, in its Opinion 8/2001 (on the processing of personal data in the employment context, WP48, 13 September 2001), indicated that consent would only be viable where employees have a genuine free choice and are subsequently able to withdraw their consent without detriment.  Since then, some data protection authorities have rejected consent as a basis for the processing of employee personal data, and the Information Commissioner’s Office took a similarly strict approach in its consultation on its draft guidance on consent earlier this year, holding that the consent basis is very likely to be inappropriate in an employment context (see Legal update, ICO consults on GDPR consent guidance).  Even where an employer is actually able to rely on consent, the fact that employees can withdraw their consent at any time means that employers will need to structure centralised HR processing practices to accommodate such withdrawals.

Under the General Data Protection Regulation (GDPR), the requirements for valid consent have been made much stricter.  Consent must be freely given, specific, informed and revocable.  The GDPR expressly states that, where there is an imbalance of power between the party giving consent and the party receiving it, consent will not be valid.  In the employment context, it has long been acknowledged that there is such an imbalance between employer and employee.  This means that it will be very difficult indeed for employers to rely on consent to process employees’ personal data under the GDPR.

So what should employers do instead of relying on employees’ consent to process their personal data?  As noted above, consent is only one of a number of potential legal bases for processing employees’ personal data.  Employers will therefore need to consider which alternative legal basis is appropriate for each category of employees’ personal data.  For example, employers can rely on processing being necessary for the performance of the employment contract, to cover the processing of employees’ bank account data which they require to pay employees.  To take another example: employers are required by law to process sickness absence data to facilitate the payment of statutory sick pay and there are other legal obligations on which employers can rely to legitimise some of their processing of employees’ personal data.  Employers can also process personal data based on the vital interests of the employee.

However, in reality the legal basis to which most commercial employers are likely to turn is “legitimate interests”, that is, that their legitimate interests in processing employees’ personal data outweigh the general privacy rights of employees. This is potentially very wide in scope and will no doubt assume much greater prominence under the GDPR.

There are, however, limits on how far employers can legitimately extend their interests. Firstly, the legitimate interests basis does not apply to processing carried out by public sector authorities in the performance of their tasks (as an alternative, they might consider whether processing on the basis of carrying out a public function justifies the processing). For private sector employers, as well as being strictly necessary for a legitimate purpose, processing under this legal basis must comply with the principles of proportionality and subsidiarity.  Employers will therefore need to conduct a proportionality test to consider whether all personal data collected are necessary, whether the processing outweighs the general privacy rights that employees have in the workplace and what measures must be taken to ensure that infringements on the right to private life and the right to secrecy of communications are limited to the minimum necessary.

Processing, therefore, must not only be legitimate, but must also be necessary, proportionate and implemented in the least intrusive manner possible.

The Article 29 Working Party’s recent Opinion 2/2017 (on data processing at work, WP249, 8 June 2017) provides some helpful examples of the likely limits of this legal basis.  For example, if an employer deploys a data loss prevention tool to monitor employees’ outgoing emails automatically to prevent unauthorised transmission of proprietary data, in order to rely on legitimate interests it will need to ensure, amongst other things, that the rules that the system follows to characterise an email as a potential data breach are fully transparent to employees and that employees are warned in advance if the tool recognises an email that is to be sent as a possible data breach, so as to give the sender the option to cancel this transmission (see Legal update, Article 29 Working Party adopts opinion on employee monitoring).

Another example of the limits of legitimate interests is an employer maintaining a server room in which business-sensitive data, personal data relating to employees and personal data relating to customers are stored.  The employer can rely on its legitimate interests in preventing unauthorised access, loss or theft of the data when installing an access control system that records employees’ entrance and exit details, assuming employees have been adequately informed about the processing.  However, this continuous monitoring cannot be justified if these data are also used for other purposes, such as employee performance evaluation.

So what steps should employers take now to comply with the GDPR?  First of all, companies need to review their template employee documentation such as employment contracts and any free-standing employee data processing consents.

For new hires, companies should replace the consent language in these documents by new language referencing one or more of the alternative legal bases referred to above.  For existing employees, companies will need to roll out employee data processing notices which refer to these alternative legal bases.

Finally, employers should be aware that their choice of legal basis may also affect employees’ rights and their obligations to employees.  Under the GDPR, employees’ rights regarding their personal data are expanded and strengthened; for example, there are new rights to data portability and to be forgotten (see Practice note, Data subject rights under the GDPR).  However, the former right only applies to data processed by consent and the latter right only applies, amongst other things, when consent is withdrawn.

Accordingly, by relying on the “legitimate interests” legal basis, an employer can reduce its compliance obligations vis-à-vis its employees.  Every cloud does in fact have a silver lining!

In summary, it is likely that employers will turn to “legitimate interests” to process employee data under the GDPR.  To ensure that such processing is valid, employers will need to conduct proportionality tests to establish that: (i) all personal data collected are necessary; (ii) the processing outweighs the general privacy rights that employees have in the workplace; and (iii) measures have been taken to ensure that infringements of employees’ right to private life and secrecy of communications are limited to the minimum necessary.

For further information, see Practice notes, EU General Data Protection Regulation: implications for employers, and Employee consent under the GDPR.

Ann Bevitt

21 thoughts on “Employee “consent” under the GDPR”

  1. Does this also apply to monitoring a colleague’s emails during their absence either due to illness or annual leave? For example, we check our colleagues’ emails to see if a client has emailed them directly and therefore failed to include the rest of the team. It allows us to pick up urgent requests asap that would have otherwise been left until the colleague returns to the office.

    1. Yes, it does apply to monitoring a colleague’s emails during their absence either due to illness or annual leave, as this will almost inevitably involve the processing of that colleague’s personal data. Rather than rely on consent, you can rely on “legitimate interests”, i.e. your interests in picking up urgent requests asap outweigh a colleague’s interests in keeping emails in his work account private. You should take steps to ensure that your monitoring goes no further than necessary to pick up urgent emails and that any personal emails are not reviewed.

  2. If/how would this apply in the scenario where a company needs to capture data about an employee’s business trips, for tracking (a) corporate travel spend and (b) itinerary location for duty of care/risk management purposes? For example, monitoring employee emails to detect travel bookings and receipts. Can an employee refuse to share their itinerary data with their company, even when the trip is for business purposes?

    1. Processing an employee’s business travel data for the purposes you describe is in the employer’s “legitimate interests” i.e. the employer’s interests in processing these data outweigh the employee’s interests in keeping this information private. Some of the data may also need to be processed to comply with an employer’s legal obligation to take reasonable steps to ensure the health and safety of its employees. Accordingly, even if an employee did not consent to the processing of this information, the company can rely on an alternative legal basis for processing, although it should take steps to ensure that the processing goes no further than necessary to achieve the stated purposes. If an employee refuses to comply with a reasonable management request to share their itinerary data with their employer, they could be subject to disciplinary action, depending on the particular circumstances and how the employer has handled similar refusals in the past.

  3. Has the governing body posted any template language to be used for New Hire consent or Ongoing Employee data processing notices? If so, do you have a link?

  4. Hi. How would this apply to sharing data with a third party? For example, for remote workers, the company purchases a product required for work, and has it delivered to the employee’s home address (with their consent) and thus shares the contact details with the supplier / delivery company? Would this be a legitimate interest or would it be covered by their consent? Would there be any GDPR implications for the 3rd party supplier, beyond the standard obligations? Thanks

  5. Can you explain how consent will impact on mystery shopping activity that is carried out by a third party on behalf of an employer? The objective of the mystery shopping will be to help improve employee performance (i.e. improve the level of service that is offered to a customer). This feels as though it can be argued as a ‘legitimate interest’. However, perhaps staff names, descriptions and receipt-based ‘proofs’ should be removed from a report to give the employee the right to anonymity amongst their peer group at least?

    1. This could fall within the “legitimate interests” for processing employee data. However, care should be taken to minimise the impact on employees who are being monitored in this way, e.g. employees should be made aware of the use of mystery shoppers on occasion, mystery shoppers should only be used infrequently (as constant monitoring would not be justifiable) and no action should be taken regarding employee performance without following proper process and giving the employee an opportunity to respond to any evidence obtained by a mystery shopper.

  6. If you are relying on “legitimate interests” to process personnel information, do you have to refer to that reliance within any new contracts of employment?

    1. If you rely on “legitimate interests” you need to make that clear to individuals and you need to identify to those individuals the particular legitimate interests on which you rely (see Article 13(1)(d)). This could be in an employment contract or in a standalone privacy notice.

  7. If I’ve understood your article, is it correct that employers will likely use ‘legitimate interests’ as the lawful basis for processing employee/worker information rather than having to attribute a lawful basis for each piece of employee data, e.g. processing salary and bank information for the performance of the contract or processing salary in accordance with HMRC rules on the basis of legal obligation?

  8. Can you explain how this relates to using home addresses to send a reward to an employee? Would we need to ask the recipient to consent to sending a reward to their home address if they were a remote worker or would this fall under being necessary?

  9. I have a specific query about the use of HR systems, e.g. applicant tracking systems and digital HR systems which allow employees to book holidays, submit expenses, do their performance reviews and update their own personal information.

    We are moving to one of these shortly. Am I right to assume that for other applicants we would need to rely upon consent to process their information, e.g. communicate via email and share applications with managers? If this is the case and consent needs to be given freely, then if they don’t accept using that system could we refuse the application or add an option to say “no, I don’t agree and I withdraw”? Seems harsh but we process all applications this way for efficiency and recording.

    Finally, when they become employees, can we rely on legitimate interests rather than consent and just advise how their data will be used, e.g. personal email to create their login and for communication purposes, e.g. policy updates? Again, we cannot be using two systems for processing employees if consent is needed and not given.

  10. And how would this work when using cognitive and personality testing in (pre) employment relationships? (= health data = special personal data, according to the WP 29). Explicit consent is the only ground to process the special personal data in this case and cannot be replaced by e.g. ‘legitimate interest’.

    1. You are correct that legitimate interests cannot apply to the processing of health data. Also applicants are, according to WP29 guidance on consent, like employees, unable to give valid consent. As a result, the processing of any sensitive data in the employment context is tricky, given that explicit consent is not available. In some situations it may be possible to rely on the fact that the processing is necessary for the purposes of carrying out obligations or exercising rights in the field of employment law (Article 9(2)(b)). However, this may not be available in the circumstances described.

  11. Will we need to obtain permission of an employee’s next of kin so that we can retain name and phone number details that our employees have provided?

  12. Will you please comment on how data that is personal in nature, that is introduced by the employee, e.g. they saved their tax documents on a company share or computer, needs to be managed? Is this an example where consent and a policy for the employees NOT to add this type of personal data are enough?

  13. Interesting article. I don’t think many businesses are considering the impact of GDPR on how they deal with non-user related data.

    We’re not unique in allowing our employees to use their personal mobile phones to call clients and company contacts. The employee’s personal number is obviously being displayed, saved and used by our clients/contacts.

    A few questions are raised in this scenario regarding GDPR:
    1) Do we need to get explicit consent from the employee that they’re willing to use their mobile number?
    2) Do we have to give them any other option (such as a company-provided phone) in case they don’t want to use their personal number?
    3) We obviously can’t control what our clients/contacts do with our employee’s numbers. Are we potentially liable though as they were acting on behalf of the company when making a call to a client who then went on to “abuse” the employee’s number?
    4) If we have to give the option to delete personal data of users and employees, how do we do this when we have no control over what clients/contacts have done with the number?

  14. What do you recommend regarding email accounts and content of an ex-employee? Would your advice differ if that employee had taken the company to an employment tribunal? We do not have the capacity to search that email database, so we have to make a choice to either keep it under some lawful basis (and for how long), or to destroy it after a period – maybe 6 months?
