In an example of the difficulties of relying on data protection consent in an employment context, an employer in Greece has been fined €150,000 by the Hellenic Data Protection Authority (HDPA) for incorrectly purporting to rely on consent as its basis for processing employees' personal data under the General Data Protection Regulation (GDPR).
In this instance, a complaint was made to the HDPA that employees were being required to provide consent to the processing of their personal data. The complaint held that this violated the principle of the GDPR that consent for the use of personal data must be freely given and capable of being withheld or withdrawn. This can be particularly difficult in respect of employees where consent cannot usually be regarded as freely given due to the imbalance of power between the two parties.
The HDPA found that the employees were being given the false impression that the employer was processing their data on the basis of ‘consent’ when, in fact, the processing was based on one or more of various other lawful grounds, including those that justify processing where it is necessary:
- To enter or carry out the employment contract (for example, processing certain data to pay an employee);
- For the employer to comply with a legal obligation (for example, providing employee data to HMRC); and
- For the employer’s legitimate interests (or those of a relevant third party) unless these are outweighed by the individual’s rights, freedoms or interests.
The HDPA therefore deemed that the employer’s approach was in violation of the principle of fairness and transparency, as it had not made it clear to its employees that these were the grounds on which it was relying to process their personal data. It was also in violation of the principle of accountability because its internal data protection documentation was not accurate.
In addition to the fine of €150,000, the employer has been given just 3 months to rectify its internal documentation and procedures.
This decision is a very important reminder that:
- Consent is rarely the most appropriate legal basis for processing employee data.
- Even if the processing is lawful on other grounds (as it often will be), these must be clearly set out in the relevant privacy documentation (such as the employee privacy notice) for the processing to be ‘fair’.
- The principle of accountability requires internal records of processing to be maintained and remain accurate as to the legal basis relied upon.
We can assist you in preparing or updating all of your GDPR-related documentation, including an employee privacy notice – please do get in touch if you would like to discuss how we can help.