GDPR: Freely Given, Specific, Informed and Unambiguous Consent
Posted in: How Do I Handle It ROI on 15 August 2017
“Our company deals with the processing of employee data by including a provision in contracts of employment consenting to such processing. I have heard that this may no longer be permitted when the new EU General Data Protection Regulation (“GDPR”) is introduced. How do I handle it?”
The General Data Protection Regulation (“GDPR”) comes into force across the EU on the 25th May 2018.
The introduction of the GDPR will result in a significant overhaul of the existing European Data Protection regime as the GDPR will repeal and replace the current Data Protection Directive (94/46/EC), which forms the basis for the current Irish legislative framework, being the Data Protection Acts, 1988 and 2003.
The GDPR presents a significant challenge to all divisions of modern business, not least the human resources function. Many employers process personal data of employees on the basis of their consent, utilising clauses in employment contracts or policies where an employee consents to wide-ranging use of their data, including for example overseas transfers of data or workplace monitoring.
Freely Given, Specific, Informed and Unambiguous Consent
The use of consent as a catch-all basis for processing employee data will be subject to significant restriction under the GDPR.
The GDPR defines consent as “freely given, specific, informed and unambiguous indication of a data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” As such, in order for consent to constitute a legitimate ground for processing employee data, the following must be complied with:
- Freely Given: Consent must be voluntary, and cannot be made dependent on, for example, the signing of an employment contract. An employee must have a genuine free choice and be able to refuse or withdraw consent without suffering any detriment.
- Specific: Blanket consent, or consent wording that is too general to enable employees to know what is planned, is not valid consent. Moreover, when the consent is given through a declaration that also regulates other matters, the consent to the processing of data has to be clearly distinguishable from other matters to be valid.
- Informed: Sufficient information will need to be given to an individual for them to understand what they are consenting to and the extent and purposes of the processing. If individuals are asked to sign a declaration of consent then it must be provided in an “intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms.”
- Unambiguous: A general catch-all phrase in an employment contract is not enough, nor is a default opted-in check box.
- Clear Affirmative Action: Silence, acquiescence, or merely ticking a box will not constitute valid consent. The consent itself must be a positive indication of agreement by the employee to the processing in question.
In addition, the GDPR requires that organisations are able to demonstrate ongoing compliance with data protection obligations, such that employers will need to be able to establish that consent was given, and that consent was compliant with the requirements of the GDPR. The procedure for obtaining consent will need to be clear and unambiguous, and employers will need to have an easily accessible audit trail.
What if I Still Want to Rely on Consent?
Consent will remain a legitimate ground for processing employee data under the GDPR. In reality, however, reliance on consent will likely only be feasible in very specific limited circumstances, and if the processing goes beyond standard HR operations, for example obtaining permission to send health records to an occupational health adviser.
Employers should also be aware that individuals will have greater rights where data is processed on the basis of consent. For example, the right to data portability, whereby an employee can require an organisation to give them back a copy of the personal data they previously provided in a machine-readable format, attaches to data processed by consent (and also where data is processed on the basis of performing a contract) but not to data processed on the basis of legitimate interest or in the public interest.
In addition, consent given by an employee can equally be withdrawn. In such circumstances, it may well be preferable to look at the alternative grounds available for processing data under the GDPR, with grounds a. to c. below having most relevance in an employment context:
a. Where processing is necessary for the performance of the employee’s employment contract.
b. Where processing is necessary for compliance with a legal obligation.
c. Where processing is necessary for the purposes of legitimate interests pursued by the employer or a third party, except where such interests are overridden by the interests, rights or freedoms of the employee.
d. Where processing is necessary to protect the vital interests of the employee or of another person.
e. Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the employer.
Next Steps
It is important that employers conduct a data protection audit to ensure that not just the HR function, but the entire organisation, is ready for the new regime as soon as it comes into force in May 2018.
A logical starting point in terms of HR data would be to establish what employee data is processed, why and for how long. Once this exercise is complete, then assess which of the legitimate grounds for processing set out above will apply to each of the organisation’s processing activities in place of clauses seeking to obtain blanket consent from employees to process their data.
------------------------------------------------------------
This article was published as part of Legal-Island's Irish Employment Law Hub, which holds over 2,500 in-depth articles, case law reviews, templates and checklists which are relied upon by over 1,300 HR and employment law professionals in Ireland.
This article is correct at 15/08/2017
Disclaimer:
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.