A recent decision of the Hellenic Data Protection Agency (HDPA), the Greek equivalent of the Information Commissioner’s Office (ICO), confirms that employers who seek to rely on employee consent as the basis for processing employee data risk being in breach of the GDPR, and are potentially liable to fines and enforcement action.
Personal data must be processed in accordance with one or more of the conditions for processing, and in line with the data protection principles, including transparency, fairness and accountability. Although consent is one of several potential processing conditions, it is problematic for employers: where there is an imbalance of power between the data controller (employer) and the data subject (employee), consent may not be capable of being freely given, and it might cause difficulties if withdrawn. Employers can, however, rely on other legitimate conditions for processing employee data, such as the processing being necessary for the performance of the employment contract, being carried out in compliance with legal obligations, and/or being necessary for the legitimate interests of the data controller (in the private sector; slightly different rules apply to public authorities). The ICO has already made its position clear on this front, and since the inception of the GDPR employers have been advised not to use consent as the basis for processing employee data.
In this case, PWC was held to have breached its GDPR obligations and received a fine of €150,000. It relied on employee consent in order to process employee data, and asked employees to sign an agreement to this effect. Although PWC could have processed the data lawfully, on the grounds suggested above, it was held to have given employees a false impression as to the basis of processing their data, and violated the principles of accountability and transparency.
Employers should check what information is given to employees about the basis for processing their data and, if consent is relied on, either solely or as a “sweep up” reason, update their privacy notices and employment contracts and/or handbooks to reflect the true reasons for processing.
Finally, a brief update on time limits for responding to data subject access requests. The ICO has clarified that the ‘one month’ for responding to a request should be counted from the date of receipt of the request, rather than from the following day (which had previously been its position): e.g. a request made on 3 September needs to be responded to by 3 October. Ideally requests should be dealt with as expeditiously as possible, but employers should be aware that there is now slightly less time to comply.