The Greek data protection authority (“DPA”) recently announced a €150,000 fine against a company that required its employees “to provide consent to the processing of their personal data.”[1] According to the DPA, because the “[c]onsent of data subjects in the context of employment relations cannot be regarded as freely given due to the clear imbalance between the parties,”[2] by asking for consent the employer had failed to identify the correct legal basis for processing, which in turn caused the employer to issue an incorrect privacy notice to its employees (i.e., the privacy notice identified consent as the basis for processing instead of a basis approved by the DPA). While the amount of the fine fell well below the maximum penalty of 4% of annual turnover theoretically permitted under the GDPR, its size has sent shockwaves through the human resource community, as it represents one of the largest fines issued in the context of employment data. The overall message from the DPA was unmistakable – employers should stop asking their employees to broadly consent to a company’s privacy practices.

While technically the DPA’s holding only applies to data that is subject to Greek labor and employment laws, the DPA’s viewpoint is likely consistent with that of many supervisory authorities in the other Member States. In terms of understanding the larger context, the GDPR states that a company may process personal data so long as one (or more) of the following six situations applies:[3]

  1. A data subject has provided consent;
  2. The processing is necessary to perform a contract;
  3. The processing is necessary to comply with a legal obligation;
  4. The processing is necessary to protect the vital interests of a person;
  5. The processing is necessary for the performance of a task carried out in the public interest; or
  6. The processing is necessary for a legitimate interest pursued by a controller (e.g., an employer) or a third party.

Most European Union Member States have been skeptical about whether an employee’s consent can be effective given the imbalance of power in the employment relationship. Put differently, many European Union Member States question whether a consent obtained by an employer is freely given and, therefore, effective. The Article 29 Working Party – an independent advisory body to the European Commission on data protection matters that predated the European Data Protection Board – further explained:

An imbalance of power . . . occurs in the employment context. Given the dependency that results from the employer/employee relationship, it is unlikely that the data subject is able to deny his/her employer consent to data processing without experiencing the fear or real risk of detrimental effects as a result of a refusal. It is unlikely that an employee would be able to respond freely to a request for consent from his/her employer to, for example, activate monitoring systems such as camera-observation in a workplace, or to fill out assessment forms, without feeling any pressure to consent. Therefore, [the Article 29 Working Party] deems it problematic for employers to process personal data of current or future employees on the basis of consent as it is unlikely to be freely given. For the majority of such data processing at work, the lawful basis cannot and should not be the consent of the employees (Article 6(1a)) due to the nature of the relationship between employer and employee.[4]

The net result is that, under the GDPR, in the “majority” of employment situations a company may not be permitted to base processing upon consent. Instead, the Greek DPA suggested that most human resource data processing should be based on either the performance of the employment contract, compliance with a legal obligation to which the employer is subject, or the legitimate interest of the employer.

It should be noted that the DPA stopped short of saying that no employment-related processing could be based upon consent. While consent is viewed skeptically in the employment context, it is not ineffective in every situation. Consent may be effective and used as a basis for processing where an employer can show that there is relatively little imbalance of power between the employer and the employee, or where a reasonable employee would understand that there would be no adverse impact if consent were withheld. For example, there would be a strong argument that consent would be effective in the following situations:

  • Consent obtained from a CEO, or from other senior executives, may be effective as there may be far less of an “imbalance of power” between a senior executive and a company. However, another legal basis, rather than consent, should be relied upon if possible.
  • Consent obtained from employees for the collection of mundane information such as their food preferences (e.g., vegan, vegetarian, etc.) would be effective as an employee is unlikely to believe that they would be at risk of reprisal if they decided not to offer such a preference.
  • Consent obtained from employees for the collection of information relating to a social activity (e.g., collecting an employee’s name in order to be entered into an office raffle) would be effective as an employee is unlikely to believe that they would be at risk of reprisal if they decided not to participate in the activity.

In response to the DPA’s enforcement action, human resource managers should consider taking the following actions:

  1. Review your data inventory or record of processing and verify that most human resource data is not being processed based upon consent.
  2. Review your privacy notice to verify that it does not state or imply that consent is the primary basis upon which data is processed.
  3. Review any forms or documents provided to employees for signature to verify that they do not state or imply that personal data is processed based upon consent.

[1] Summary of Hellenic DPA’s Decision No. 26/2019, available at https://www.dpa.gr/pls/portal/docs/PAGE/APDPX/ENGLISH_INDEX/DECISIONS/SUMMARY%20OF%20DECISION%2026_2019%20(EN).PDF.

[2] Summary of Hellenic DPA’s Decision No. 26/2019, available at https://www.dpa.gr/pls/portal/docs/PAGE/APDPX/ENGLISH_INDEX/DECISIONS/SUMMARY%20OF%20DECISION%2026_2019%20(EN).PDF.

[3] GDPR, Article 6(1)(a)-(f).

[4] Article 29 Working Party, WP 259: Guidelines on Consent Under Regulation 2016/679, at 8 (28 Nov. 2017).


Bryan Cave Leighton Paisner LLP has a team of knowledgeable lawyers and other professionals prepared to help employers address employee privacy laws. If you or your organization would like more information on this or any other employment issue, please contact an attorney in the Employment and Labor practice group.