I have a specific query about the use of HR systems, e.g. paying them, next of kin, sick leave etc. If an employee refuses to comply with a reasonable management request to share their itinerary data with their employer, they could be subject to disciplinary action, depending on the particular circumstances and how the employer has handled similar refusals in the past. Theoretically, a person’s consent is indefinite, though there might be situations in which it becomes clear that consent is no longer valid or reasonable, or violates some principle of data processing. Employees are informed of their right to withdraw consent at any time and that there are simple ways of withdrawing consent; separate consents are obtained for each processing operation; consent is not relied upon where there is a clear imbalance of power. Don’t use pre-ticked boxes or any other method of default consent. This Note provides an overview of the GDPR's principles relating to personal data processing and the requirements and justifications for processing employee personal data. Refresh your consents if they don’t meet the GDPR standard. Consent must be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language. In the employment context, it has long been acknowledged that there is such an imbalance between … Consent requires a positive opt-in. However, this may not be available in the circumstances described. If this is the case and consent needs to be given freely, then if they don’t accept using that system, could we refuse the application or add an option to say “no, I don’t agree and I withdraw”? 
It involves a lot of elements that need to be satisfied for consent to be GDPR … Some of the data may also need to be processed to comply with an employer’s legal obligation to take reasonable steps to ensure the health and safety of its employees. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. Many people mistakenly think that organisations must get consent to process personal data, but consent is one of six lawful grounds for processing data, and you’d be advised to seek it only if none … Interesting article. You ask for someone's consent, they understand the question and the implications, and they make a genuine choice. The GDPR expressly states that, where there is an imbalance of power between the party giving consent and the party receiving it, consent will not be valid. Employees should be made aware of the use of mystery shoppers on occasion; mystery shoppers should only be used infrequently (as constant monitoring would not be justifiable); and no action should be taken regarding employee performance without following proper process and giving the employee an opportunity to respond to any evidence obtained by a mystery shopper. Accordingly, by relying on the “legitimate interests” legal basis, an employer can reduce its compliance obligations vis-à-vis its employees. Every cloud does in fact have a silver lining! What do you recommend regarding email accounts and content of an ex-employee? Reconsider the use of clauses in employment contracts which seek to obtain broad consent from the employee to process their data. We are moving to one of these shortly. In an employment context, it has long been acknowledged that there is such an imbalance between employer and employee. 
This Note also discusses the GDPR… Would we need to ask the recipient to consent to sending a reward to their home address if they were a remote worker, or would this fall under being necessary? Where consent is relied on, beware: an employee can retract it at any time, and individuals have greater rights where data is processed on the basis of consent. The GDPR expressly states that, where there is an imbalance of power between the party giving consent and the party receiving it, consent will not be valid. 1) Do we need to get explicit consent from the employee that they’re willing to use their mobile number? The current Data Protection Act 1998 (DPA) intended for data protection consent clauses in contracts of employment to be a product of choice: employees should be able to agree or disagree without repercussions. If/how would this apply in the scenario where a company needs to capture data about an employee’s business trips, for tracking (a) corporate travel spend and (b) itinerary location for duty of care/risk management purposes? Conduct a data mapping exercise to establish what data is processed, why and for how long. Again, we cannot be using two systems for processing employees if consent is needed and not given. Luke Irwin, 25th August 2017. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation. Express consent is what "consent" means under the GDPR. Would this be a legitimate interest or would it be covered by their consent? Can you explain how consent will impact on mystery shopping activity that is carried out by a third party on behalf of an employer? 
In summary, it is likely that employers will turn to “legitimate interests” to process employee data under the GDPR. To ensure that such processing is valid, employers will need to conduct proportionality tests to establish that: (i) all personal data collected are necessary; (ii) the processing outweighs the general privacy rights that employees have in the workplace; and (iii) measures have been taken to ensure that infringements of employees’ right to private life and secrecy of communications are limited to the minimum necessary. The GDPR requires you to have a lawful basis for processing. However, care should be taken to minimise the impact on employees who are being monitored in this way, e.g. Generally speaking, consent in an employment context is not considered freely given due to the imbalance of power between the employer and employee. However, in reality the legal basis to which most commercial employers are likely to turn is “legitimate interests”, that is, that their legitimate interests in processing employees’ personal data outweigh the general privacy rights of employees. GDPR and “consent” in employment contracts. Processing an employee’s business travel data for the purposes you describe is in the employer’s “legitimate interests”, i.e. Employee … Relying on consent is by no means an easy option for processing personal data. We’re not unique in allowing our employees to use their personal mobile phones to call clients and company contacts. The GDPR sets out strict requirements for valid consent to processing: Employers will need to make changes in light of these new requirements: There is scope under the GDPR for some specific employment related deviations. Where consent remains necessary to process personal data (and it will still be necessary in some cases), consider including any consent provisions in a separate declaration which is not intrinsically linked to the employee’s acceptance of employment. 
In such cases, the legal basis is known as Consent, requiring us to obtain written approval to be allowed to store or publish the data. Ensure that the information you provide when you seek to obtain consent is consistent with your privacy notices (which should explain to employees, amongst other things, the legal ground(s) for processing which are being relied upon). To take another example: employers are required by law to process sickness absence data to facilitate the payment of statutory sick pay, and there are other legal obligations on which employers can rely to legitimise some of their processing of employees’ personal data. Employers can also process personal data based on the vital interests of the employee. It allows us to pick up urgent requests asap that would have otherwise been left until the colleague returns to the office. Employers will therefore need to conduct a proportionality test to consider whether all personal data collected are necessary, whether the processing outweighs the general privacy rights that employees have in the workplace and what measures must be taken to ensure that infringements on the right to private life and the right to secrecy of communications are limited to the minimum necessary. Consent must be freely given, informed, specific and unambiguous. This could be in an employment contract or in a standalone privacy notice. For example, for remote workers, the company purchases a product required for work, and has it delivered to the employee’s home address (with their consent) and thus shares the contact details with the supplier / delivery company? they saved their tax documents on a company share or computer need to be managed? Currently, many companies rely on their employees’ consent to process their personal data, and short consents are often included in employment contracts for that purpose. 
The benefits of this approach are obvious: rather than having to determine which legal basis (from a number of potential legal bases for the processing of employee data) applies to each category of employees’ personal data, an employer can simply rely on an all-encompassing consent (see Practice note, Employer obligations under the Data Protection Act 1998: Schedule 2 conditions). 3) We obviously can’t control what our clients/contacts do with our employee’s numbers. You should take steps to ensure that your monitoring goes no further than necessary to pick up urgent emails and that any personal emails are not reviewed. A key factor is that under the GDPR, and earlier data protection legislation, consent has to be freely given. Can you explain how this relates to using home addresses to send a reward to an employee? You would still process the data without consent. New Zealand's Unsolicited Electronic Messages Act 2007 spam law recognizes both express and implied consent. Finally, employers should be aware that their choice of legal basis may also affect employees’ rights and their obligations to employees. Under the GDPR, employees’ rights regarding their personal data are expanded and strengthened; for example, there are new rights to data portability and to be forgotten (see Practice note, Data subject rights under the GDPR). However, the former right only applies to data processed by consent, and the latter right only applies, amongst other things, when consent is withdrawn. Those clauses will fall foul of the requirement that consent be freely given, due to the imbalance of negotiating power; they are also not distinguishable from other matters. 
Instead of re-inventing consent, it shores up any areas … This will require a refocus of HR attention onto other justifications or legal grounds for processing permitted by the GDPR (see below). Emailing Payslips, Employee Consent & GDPR Recommendations. The declaration must be detailed, specific and explicit as to its purpose and should be tailored to each business. Check your consent practices and your existing consents. Consent and the role it plays in processing isn't new, and the GDPR uses the same definition and role outlined in the Data Protection Act and other policies. If I’ve understood your article, is it correct that employers will likely use ‘legitimate interests’ as the lawful basis for processing employee/worker information rather than having to attribute a lawful basis for each piece of employee data, e.g. processing salary and bank information for the performance of the contract, or processing salary in accordance with HMRC rules on the basis of legal obligation? However, there have already been a number of challenges to such an approach. For example, as far back as 2001, the Article 29 Working Party, in its Opinion 8/2001 (on the processing of personal data in the employment context, WP48, 13 September 2001), indicated that consent would only be viable where employees have a genuine free choice and are subsequently able to withdraw their consent without detriment. 
Since then, some data protection authorities have rejected consent as a basis for the processing of employee personal data, and the Information Commissioner’s Office took a similarly strict approach in its consultation on its draft guidance on consent earlier this year, holding that the consent basis is very likely to be inappropriate in an employment context (see Legal update, ICO consults on GDPR consent guidance). Even where an employer is actually able to rely on consent, the fact that employees can withdraw their consent at any time means that employers will need to structure centralised HR processing practices to accommodate such withdrawals. This is potentially very wide in scope and will no doubt assume much greater prominence under the GDPR. Does this also apply to monitoring a colleague’s emails during their absence, either due to illness or annual leave? Rather than rely on consent, you can rely on “legitimate interests”, i.e. … So what steps should employers take now to comply with the GDPR? First of all, companies need to review their template employee documentation, such as employment contracts and any free-standing employee data processing consents. Employers who rely upon an employee or prospective employee’s consent to data processing in their employment contracts must take note: the requirements on obtaining consent from individuals to their data being processed are much more stringent under the new GDPR regime. The Information Commissioner, the enforcer for data protection issues, has recently published draft guidance advising organisations that once the GDPR is in force they should not use employee consent as the basis for processing if there is another lawful basis on … 
The following Practical Law resources provide guidance: Practice note, Employee Consent Under the GDPR; GDPR Privacy notice for employees, workers and contractors (UK); Video, Employee consent under the GDPR. We are currently awaiting further details of what will be in the UK’s Data Protection Bill announced in June in the Queen’s Speech, but with questions already raised as to the validity of consent under the existing DPA, employers should start preparing now for a change in their approach to consent. HR teams must start preparing now for the transition to this new regime, working alongside relevant parts of the business, including (where the business has one) the Data Protection Officer, to: For example, when the person is interchangeable and not the subject of our story, known as genre images. You ask for “consent” to the processing as a precondition of accessing your services; or you are in a position of power over the individual, for example, if you are a public authority or an employer processing employee data. For new hires, companies should replace the consent language in these documents with new language referencing one or more of the alternative legal bases referred to above. For existing employees, companies will need to roll out employee data processing notices which refer to these alternative legal bases. Is it ok for your work colleagues to see your sick records, days off so far? Minimally, companies administering an employee survey should notify their EU employees about the data being collected and how it will be used. This is not the only change for HR under the GDPR. Consent forms can be particularly tough as there are many nuances to the way in which data must be … This could fall within the “legitimate interests” for processing employee data. 
Am I right to assume that for other applicants we would need to rely upon consent to process their information, e.g. communicate via email and share applications with managers? There are, however, limits on how far employers can legitimately extend their interests. The problem with an employee’s consent under the GDPR: currently, many employers rely on an employee’s consent to process their personal data, and usually such consent is included in the employment contract. If you are a lawyer or work in a legal capacity, please register for a free trial to see if Practical Law’s resources are right for your business. Another example of the limits of legitimate interests is an employer maintaining a server room in which business-sensitive data, personal data relating to employees and personal data relating to customers are stored. The employer can rely on its legitimate interests in preventing unauthorised access, loss or theft of the data when installing an access control system that records employees’ entrance and exit details, assuming employees have been adequately informed about the processing. However, this continuous monitoring cannot be justified if these data are also used for other purposes, such as employee performance evaluation. One of the fundamental principles of the GDPR is that a data subject, i.e. an employee, must consent to the processing of personal information. For example, we check our colleagues’ emails to see if a client has emailed them directly and therefore failed to include the rest of the team. Under the General Data Protection Regulation (GDPR), the requirements for valid consent have been made much stricter. Consent must be freely given, specific, informed and revocable. 
The GDPR expressly states that, where there is an imbalance of power between the party giving consent and the party receiving it, consent will not be valid. In the employment context, it has long been acknowledged that there is such an imbalance between employer and employee. This means that it will be very difficult indeed for employers to rely on consent to process employees’ personal data under the GDPR. And your holiday records, what days you have remaining? Is this an example where consent and a policy for employees NOT to add this type of personal data would be enough? Employers who rely upon an employee or prospective employee’s consent to data processing in their employment contracts must take note: the requirements on obtaining consent from individuals to their data being processed are much more stringent under the new GDPR regime. Thanks. At first glance these requirements seem just as relevant to employee information as data gathered in virtually every other … Consent can be revoked. Such clauses are often buried in long employment contracts; employees feel they cannot object due to the imbalance of power (and the simple desire not to cause a ‘nuisance’), perhaps saving their concerns for issues they perceive as more critical to them, such as pay, holiday or restrictions on their activities following employment. These new rights may well become a tactic used by employees to, for example, stall disciplinary or redundancy processes. We do not have the capacity to search that email database, so we have to make a choice to either keep it under some lawful basis and for how long, or to destroy it after a period, maybe 6 months? You are correct that legitimate interests cannot apply to the processing of health data. 
One of the ways the GDPR enforces this is by requiring affirmative consent before personal information is collected and stored. However, a data subject has the right to withdraw … Businesses must provide their employees with information on what happens to their data, for example sharing employees’ personal data with a third party (payroll bureau) who processes the payroll. 2) Do we have to give them any other option (such as a company provided phone) in case they don’t want to use their personal number? In some situations it may be possible to rely on the fact that the processing is necessary for the purposes of carrying out obligations or exercising rights in the field of employment law (Article 9(2)(b)). This means that employers need to seek an alternate legal ground to process employee … Consent must be as easy for an individual to withdraw (at any time) as it is to give. GDPR employee consent templates. Hi all, does anyone know where I might find some consent templates suitable for notifying staff of their rights under GDPR, and the company's requirements to store and process their data for normal business processes? Forward plan your internal process for communicating with employees about these changes to their employment contracts and how information will be made available to them. The europa.eu webpage concerning GDPR can be found … And how would this work when using cognitive and personality testing in (pre) employment relationships? Where employee consent was relied upon, identify an alternative legal basis under Article 6 of the GDPR (e.g. a “legitimate interest”) that does not result in potential harm to employee rights. 
Firstly, the legitimate interests basis does not apply to processing carried out by public sector authorities in the performance of their tasks (as an alternative, they might consider whether processing on the basis of carrying out a public function justifies the processing). A few questions are raised in this scenario regarding GDPR: With the GDPR applying from May 2018, employers must now re-think their approach to consent clauses in employment contracts. For private sector employers, as well as being strictly necessary for a legitimate purpose, processing under this legal basis must comply with the principles of proportionality and subsidiarity. There is no “one size fits all”. However, perhaps staff names, descriptions and receipt-based ‘proofs’ should be removed from a report to give the employee the right to anonymity amongst their peer group at least? It must be verifiable, shown by a clear affirmative action, and there must be a simple way to withdraw consent. Under the GDPR, consent must be freely given, specific, informed and unambiguous. If you are relying on “legitimate interests” to process personnel information, do you have to refer to that reliance within any new contracts of employment? Will you please comment on how data that is personal in nature, that is introduced by the employee, e.g. All well in theory, but the reality has been somewhat different. Seems harsh, but we process all applications this way for efficiency and recording. 
Under the GDPR (General Data Protection Regulation), knowing how and when you need to seek consent can be tricky. Your contracts may still include clauses referring to your employee privacy policy (without asking employees to “agree” to it), and a clause governing those employees’ own use of personal data in the course of their employment (for example, when handling other employees’ data or customer data). A Practice Note providing an overview of the EU General Data Protection Regulation (GDPR) requirements when relying on employee consent to process personal data. Consent means offering individuals real choice and … Privacy policies can still be referred to in … As a result, the processing of any sensitive data in the employment context is tricky, given that explicit consent is not available. Would your advice differ if that employee had taken the company to an employment tribunal? For further information, see Practice notes, EU General Data Protection Regulation: implications for employers, and Employee consent under the GDPR. The objective of the mystery shopping will be to help improve employee performance (i.e. Accordingly, even if an employee did not consent to the processing of this information, the company can rely on an alternative legal basis for processing, although it should take steps to ensure that the processing goes no further than necessary to achieve the stated purposes. That broad consent will not be valid. The GDPR does not indicate a shelf life for consent. If so, do you have a link? In reality, it will be extremely difficult for employers to rely on consent to process employees’ personal data.