The GDPR states that you must have a valid lawful basis in order to process your employees’ and job applicants’ personal data.
There are six lawful bases available:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
At least one of these bases must apply before you process personal data, and it must be correctly applied. If not, the processing will be a breach of the GDPR and could render you liable to a fine.
In an employment context, consent can only be used as a legal basis to process personal data in very exceptional and limited circumstances. Consent must be freely given under the GDPR and it has been recognised by an EU Working Party that there is an imbalance of power in the employee/employer relationship. This means that valid consent cannot generally be given by an employee.
The Information Commissioner's Office has confirmed that it follows this reasoning, and employers in the UK should not automatically rely on consent to process their employees’ personal data.
What to do
Instead, one of the other grounds should be used. This will depend on the circumstances and the nature of the personal data that’s being processed, but employers are most likely to use contract, legal obligation and/or legitimate interests.
You must inform employees and job applicants in advance what basis you intend to rely on in order to process their personal data. This should be set out in a clear privacy notice.
Where consent is permitted to be used, employees are free to change their minds.
Further information about consent is available on the ICO’s website: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/
Check that you have the correct data privacy notice templates in place as there are subtle differences between an employee and a job applicant.
For further information, please email firstname.lastname@example.org
(Source: Indicator FL Memo Ltd Sept 19)