When Employee Consent Is The Start Of The Problem, Not The End – The GDPR Shows Some Teeth
The Greek Data Protection Authority has imposed a 150,000 EUR fine on PriceWaterhouseCoopers Business Solutions SA for – get this – asking their employees’ consent to process their personal data. It may strike you as counterintuitive (and going against everything your mother ever told you) that asking consent could get you into trouble, but where personal data are concerned, so it would appear to be.
As you know, each data processing activity has to have a legal basis. The principles of lawful, fair and transparent processing of personal data under the GDPR require that consent only be used as a legal basis only where the other legal bases do not apply.
The case at hand involved the processing of employees’ personal data. In most cases, this type of processing by an employer does not require consent, as there are other bases available:
the performance of the (employment) contract: in order to employ an employee, you will inevitably be required to process some of his personal data;
compliance with a legal obligation: e.g. as an employer, you will be required to register your employees with the local social security service or supply their earnings data to the tax authorities, etc.;
the employer’s legitimate interest, where the smooth and effective operation of the company requires processing of employee data regardless of whether consent is given.
Consent will only be the appropriate basis is a very limited number of cases, such as when you wish to process your employee’s biometric data (using fingerprint identification to have access to the premises, for example). In this respect, the Greek DPA reminds us of the fact that consent of employees usually cannot be regarded as genuinely freely given – a requirement for valid consent – due to the imbalance between the parties. In our view however, the GDPR has introduced some leniency to accept valid employee consent in certain circumstances, provided that Member State law or collective agreements allow it.
Why is this decision interesting for employers in Europe?
Other obligatory mentions which are often forgotten are the retention period for the data (or the criteria used to determine such period) and the fact that your employee has the right to lodge a complaint with the supervisory authority.
In practice we see that employers are sometimes reassured by the fact that “somewhere in the employment contract / employee handbook” there is a data protection clause, but quite often, this clause is not up to date and does not meet the requirements of the GDPR. You might think also that the chances of any of your staff taking up the point, are negligible. You might be right, but it only takes one disgruntled member of staff to seek advice, or, as here, for the DPA to start the inquiry off its own back. Is it really worth that risk for the sake of an hour going back over your GDPR documentation?
This story may be a gentle reminder to check your policy, before the DPA does it for you ….