1. Do not rely on Consent as the basis for processing employee personal data

The definition of consent has been updated in the GDPR and must be ‘freely given, specific, informed and unambiguous’ (Article 4(11) GDPR). Article 7 and Recital 43 of the GDPR go into further detail of what is (and more importantly what is not) deemed to be freely given. The balance between the controller and the data subject must be a factor as well as whether the performance of a contract is conditional on consent. Ultimately, this means that consent can rarely be considered ‘freely given’ in the employment context, as an employee has no alternative but to consent. There are some limited exceptions to this concept, but as a general rule of thumb reliance on consent as the basis for processing employee data should be a generally avoided.

2. Do rely on the other lawful processing grounds as the basis for processing employee personal data

Under art 6 of the GDPR, a data controller must have a lawful basis for processing personal data.

Such grounds include:

  • consent (not appropriate in an employment context)
  • necessary for the performance of a contract;
  • compliance with a legal obligation;
  • protection of the vital interest of a data subject or another person;
  • necessary for the performance of a task carried out in the public interest; and
  • legitimate interest.

Note : For processing special categories of personal data, there must be a lawful basis under Art 6 and additionally under art 9.

3. Distinguish between what is useful and what is lawful

Before considering the lawful basis to be relied upon, as outlined above an employer should carefully consider if it actually requires the type of personal data that it collects. It may be that the information is useful but if there is no strict reason for collecting that type of information, or amount of information, it should not be requested or retained by an employer.

4. Processing of Personal Data for reasons other then which it was originally collected

Section 41 of the Data Protection Act 2018 permits the processing of personal data and special categories of personal data for reasons other than for the purpose for which it was collected, where necessary and proportionate for the purpose of investigating or prosecuting criminal offences, or providing legal advice or legal proceedings. This is helpful when information about an employee is retained and used in the context of an employment claim.

5. Data Subjects Rights

Data subjects (employees in an employment context) have a suite of rights under the GDPR. These rights are outlined in Articles 15 to 22 and include:

  • the right of access to information on the processing of their personal data and a copy of their personal data;
  • the right to rectification of any inaccuracies in their personal data;
  • the right to erasure of their personal data;
  • the right to restriction of processing;
  • the right to request that a copy of their personal data is sent to a third party;
  • the right to object to the processing of the personal data; and
  • the right to object to and request information on automated decision-making.

These rights are not without limit, however. In particular, from an employment law perspective, Sections 59 to 61 of the Act restrict the data subject rights (outlined above) to the extent such restrictions are necessary and proportionate

  • for the prevention, detection and investigation and prosecution of criminal offences and execution of criminal penalties (s 60(3)(a)(ii));
  • in contemplation of or for the establishment, exercise, or defence of, a legal claim, prospective legal claim, legal proceedings or prospective legal proceedings (s 60(3)(a)(iv));
  • for the enforcement of civil claims, including matters relating to any liability of a controller or processor in respect of damages, compensation or other liabilities or debts related to the claim (s 60(3)(a)(v)); or
  • where the personal data relating to the data subject consists of an expression of opinion about the data subject by another person given in confidence or on the understanding that it would be treated as confidential to a person who has a legitimate interest in receiving the information.

Note: Legally privileged material is specifically exempted from these rights under s 162 of the Act.

If you would like to learn more about the obligations of an Employer under the GDPR please contact dcunningham@cunninghamsolicitors.ie

The content of this article is provided for information purposes only and does not constitute legal or other advice.