PWC has been fined €150,000 by the Greek Data Protection Authority (‘GDPA’) (the Greek equivalent of the ICO) for GDPR breaches in connection with the processing of employee data. In particular, the GDPA found PWC was incorrectly using consent as the legal basis for processing employee data.
Prior to the GDPR coming into force in May 2018, consent was widely considered the appropriate legal basis for employers to use when processing employee data. Data Protection clauses in employment contracts would frequently refer to the employee consenting to the processing of their personal data (and special category data) by the employer, for the purposes of administering their employment. Post-GDPR however, it is clear that the higher standards required to ensure consent is valid, mean that consent can no longer be an appropriate legal basis for processing activities of this nature. Indeed, the ICO’s guidance on consent specifically refers to the relationship between an employer and an employee as being an example of when consent should not be used as the legal basis for processing.
WHAT IS THE STANDARD OF CONSENT UNDER THE GDPR?
Consent under the GDPR requires a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
WHY IS CONSENT NO LONGER THE APPROPRIATE LEGAL BASIS FOR PROCESSING IN AN EMPLOYMENT RELATIONSHIP?
The ICO’s guidance on the use of consent makes it clear that consent should not be used where there is an imbalance in the relationship between the data controller (i.e. the employer) and the data subject (i.e. the employee). The relationship between an employer and employees is given as a specific example of where such an imbalance exists. Employees may feel compelled to give consent to the processing of their personal data for fear that refusing to do so could lead to the withdrawal of an employment offer or the termination of their employment.
In the PWC case, the GDPA has confirmed that the consent of data subjects in the context of employment relations cannot be regarded as freely given due to the clear imbalance between the parties.
The fact that consent must be capable of being withdrawn at any time by the data subject raises further issues in the employment context, where the employer must be able to process the personal data of its employees in order to administer their employment. If consent is the legal basis being relied upon and it is withdrawn, where does the employer go then?
In this case, the GDPA highlighted the fact that PWC gave employees the false impression that it was processing their personal data under the legal basis of consent, while in reality it was processing their data under a different legal basis about which the employees had never been informed.
WHAT LEGAL BASIS SHOULD BE USED IN THE EMPLOYMENT CONTEXT?
There are five other legal bases (under Article 6 of the GDPR) available to employers to use when processing personal data. In the context of employment those likely to be most appropriate will be:
- for the performance of the employment contract between the employer and the employee;
- for compliance with a legal obligation to which the employer is subject (e.g. providing information to HMRC);
- That processing is necessary for the purposes of the legitimate interest of the employer in order to ensure the effective operation of the organisation.
The key for employers will be ensuring that the appropriate legal basis is attached to the specific processing activity in their staff privacy notice.
Employers should also be aware that additional conditions must be satisfied when processing special category data.
WHAT YOU SHOULD DO NEXT?
A fine of this significance should act as a catalyst to employers to check that they are using the appropriate legal basis for processing their employees’ personal data, to ensure their policy documentation reflects this, and to ensure that they have informed employees, in the staff privacy notice, of the legal bases being relied upon.
Employers must ensure that they have:
- A staff privacy notice in place which clearly sets out the legal basis relied upon in relation to all processing activities undertaken in relation to employee personal data;
- Amended employment contracts to ensure consent is no longer required and that reference is made to the appropriate legal bases relied upon (possibly with a link to the staff privacy notice); and
- Ensuring the necessary policy documentation is in place as required by the Data Protection Act 2018 in relation to the processing of special category personal data e.g. an organisation wide Data Protection Policy which deals with the processing of employee special category data.
The Employment and Information Law Teams at Geldards will be able to assist you with all of these compliance aspects. If you have any queries, please contact Lowri Phillips at firstname.lastname@example.org.