On 8 June 2017, the Article 29 Data Protection Working Party ("WP29") adopted Opinion 2/2017 on data processing at work ("the Opinion") [1]. This authoritative document complements previous WP29 publications on similar issues [2]. The Opinion now takes into account new technologies that affect the processing of employees' personal data at work. Moreover, the Opinion takes into account both the Data Protection Directive (Directive 95/46/EC), which is still in force at the time of writing and is transposed into Maltese legislation via the present Data Protection Act [3], and the EU General Data Protection Regulation ("GDPR"), which will become applicable on 25 May 2018. On that date the GDPR will repeal and replace Directive 95/46/EC and the Maltese Data Protection Act ("DPA").

The WP29's Opinion on the processing of personal data at work provides several guidelines and practical examples on how employee personal data can and should be processed by employers. This article focuses on one main issue discussed in the Opinion, namely the issue of consent in the employment context. In Malta, this issue has always been something of a grey area. Given the dependency inherent in the relationship between employers and employees, it can be argued that employees are very rarely in a position to withhold consent for certain types of processing without this potentially having some detrimental effect on their employment status. Moreover, under the DPA, consent is presently defined as "any freely given, specific and informed indication of the wishes of the data subject by which he signifies his agreement to personal data relating to him being processed" [emphasis added by us]. For consent to be valid, it must also be revocable.

It is therefore quite likely that consent provided by employees is not, in fact, 'freely given' and is consequently invalid, even in terms of the general principles of Maltese civil law. It follows that relying solely on employee consent may place employers in a situation where they are processing employee personal data unlawfully. To our knowledge, this specific point has never been tested by the Maltese courts, and no authoritative interpretation has been published in Malta.

The WP29's Opinion confirms that "…for the majority of the cases of employees' data processing, the legal basis of that processing cannot and should not be the consent of the employees, so a different legal basis is required" [emphasis added by us]. This means that, in anticipation of the GDPR becoming applicable in May 2018, but also to avoid any legal obstacles under the present law, it is advisable for Maltese employers (as data controllers) to avoid using consent as the legal basis for processing their employees' personal data. Under both the DPA and the GDPR, personal data essentially means any information relating to a natural person who is identified or can be identified, directly or indirectly, from that information.

It follows that alternative legal grounds for processing employee personal data must be identified and applied by employers. Under the DPA (and the incoming GDPR) [4], employers may only process employee personal data, without consent, if:

  • processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary in order to protect the vital interests of the data subject (the GDPR adds "…or of another natural person", for example the data subject's children);
  • processing is necessary for the performance of an activity that is carried out:
  1. in the public interest, or
  2. in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed;
  • processing is necessary for a purpose that concerns a legitimate interest of the controller, or of a third party to whom the personal data is provided, except where such interest is overridden by the interest in protecting the fundamental rights and freedoms of the data subject, and in particular the right to privacy.

The ways in which the legal grounds above may be invoked by employers to process (non-sensitive) personal data without consent depend on the circumstances of each case. It is therefore advisable for employers to seek legal advice before relying on any such ground for processing the personal data of their employees.

For the sake of completeness, it should be pointed out that if the personal data in question amount to sensitive personal data (i.e. personal data that reveals the employee's race or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, health, or sex life), the grounds for processing such data without the employee's explicit consent are more restrictive. The main grounds [5] are generally as follows:

  • If the employee has made the data public (under the GDPR the data subject must manifestly make the personal data public for this exception to apply); or
  • If appropriate safeguards are adopted and the processing is necessary in order that:
  1. the employer will be able to comply with his duties or exercise his rights under any law regulating the conditions of employment (the GDPR adds "and laws relating to social security and social protection", clarifying when employers may process sensitive personal data without needing the employee's consent); or
  2. the vital interests of the data subject or of some other person will be able to be protected, where the data subject is physically or legally incapable of giving his consent; or
  3. legal claims will be able to be established, exercised or defended.

The GDPR also adds "reasons of substantial public interest" as a ground for processing sensitive personal data (on the basis of a proportionate law), but it remains to be seen how this will be interpreted and applied in practice.

Once again it should be noted that employers should seek legal advice before relying on any such grounds. Employers should exercise particular caution when processing the sensitive personal data of their employees.

Apart from establishing a legal basis for processing employee personal data in the first place, employers must comply with all their other data protection obligations under the DPA and the incoming GDPR. For example, employers must keep their employees clearly and fully informed of the processing of their personal data (including any monitoring practices that may be in place). Employers must also ensure that they have the necessary technical and organisational measures in place to secure any such processing.