An employer in Greece has been fined €150,000 by the Hellenic Data Protection Authority (HDPA), the Greek equivalent of the UK’s Information Commissioner’s Office, for wrongly relying on consent as its basis for processing employees’ personal data.
Can UK employers rely on employees’ consent as the basis for processing personal data?
In the vast majority of cases, no.
The Information Commissioner advises that employers should ‘avoid relying on consent’. This is because consent must be ‘freely given’, and this is unlikely given the imbalance of power between employers and employees.
If we can’t rely on consent, on what basis can we process employees’ personal data?
Employers can justify processing employees’ personal data on various grounds, including that processing is necessary:
- To enter or carry out the employment contract (for example, processing certain data to pay an employee).
- For the employer to comply with a legal obligation (for example, providing employee data to HMRC).
- For the employer’s legitimate interests (or those of a relevant third party) unless these are outweighed by the individual’s rights, freedoms or interests.
What did the Greek employer do wrong?
A complaint was made to the HDPA that employees were being required to provide consent to the processing of their personal data.
The HDPA found that the employees were being given the false impression that the employer was processing their data on the basis of ‘consent’ when, in fact, the processing was based on the grounds noted above. The employer’s failure to inform employees of the correct legal basis for processing each type of personal data violated the data protection principle of ‘transparency’.
As well as imposing a fine, the HDPA gave the employer three months to bring its processing of employees’ personal data into line with GDPR.
Should we ask for employees’ consent anyway?
No. Asking for consent when there is another lawful ground for processing will be misleading and, as highlighted by this case, could breach GDPR.
As such, employers should not routinely include data protection consents in employment contracts, or in application forms for new job applicants. Instead, they should identify the most appropriate ground for processing and inform employees of this via a privacy notice.