In order to comply with the data processing principles, every data controller must identify a lawful basis under Article 6 of the GDPR for each of its processing activities. Article 6 prescribes six lawful grounds for processing:
- The data subject has given their consent;
- The processing is necessary for the purposes of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
- The processing is necessary for compliance with a legal obligation;
- The processing is necessary in order to protect the vital interests of the data subject or another natural person;
- The processing is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller;
- The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject).
As an employer, you are likely to rely on more than one of the above when processing your employees’ data. It is important to consider each processing activity separately and identify the most suitable lawful basis for that activity, rather than trying to identify a ‘catch all’ ground to cover everything.
Whilst consent may seem like a convenient option, in practice it is unlikely to be suitable in an employer-employee relationship. In order to be valid, consent must be freely given, specific, informed and unambiguous. It must be a genuine choice which the data subject can withdraw at any time without suffering any detriment. It is difficult to satisfy the requirement for valid consent in employer-employee relationships because of the imbalance of power between the parties and the presumption that the employee will feel under pressure to give consent. There will also be some data which the controller must have in order to employ an individual at all, so consent to the processing of that data cannot be a genuine choice.
The Greek supervisory authority ruled that PwC was incorrectly relying on consent as its lawful ground for processing its employees’ data when more suitable alternatives were available. In particular, the Greek supervisory authority cited the following as more appropriate grounds for employers:
- The performance of the employment contract which both the controller and the employees are subject to;
- Compliance with any legal obligations imposed on the controller under the relevant employment laws of that jurisdiction; and
- For the purposes of the controller’s legitimate interests in ensuring good management of the company and their employees.
What does this mean for you or your business?
Whilst the decision was made by a supervisory authority in the EU, it should still be treated as a warning to employers in the UK to evaluate their own data processing activities, since the same Article 6 tests apply.
What do you need to be doing now?
All data controllers should take stock of the grounds they currently rely on for processing employee data and ensure that those grounds are appropriate for each activity. If they are not, consider whether you need to amend your employment contracts, privacy notice and/or data protection policy.