2 minute read
the personal data of employees?
The GDPR allows Member States to specify rules for personal data processing in the employment context. Member States are entitled to adopt rules concerning e.g. employees’ consent, the recruitment process, and the implementation of employment contracts.250
SUGGESTION
Advertisement
Considering that a Member State’s rules governing personal data processing in the employment context may differ, SMEs are recommended to consult the national implementing rules of the GDPR and the guidance issued by their DPA.
4.1. What are the possible legal bases for processing the personal data of employees?
Similar to other processing operations, to process the personal data of their employees, SMEs need a legal basis.251 In general, the use consent for the processing of personal data in the employment context is not appropriate for this purpose: the economic and power imbalance between employer and employees make it difficult for employees to provide consent that would be considered ‘free’.252 Reliance on consent should be confined to cases where the worker has a genuine free choice and is subsequently able to withdraw consent without detriment.253
250 Article 88 GDPR and Recital 155. 251 See 2.4 What are the possible legal bases for personal data processing? 252 Footnote 30, 330. 253 Article 29 Working Party, ‘Opinion on the processing of personal data in the employment context’ (2001) https://ec.europa.eu/justice/article-29/ documentation/opinion-recommendation/files/2001/wp48sum_en.pdf 2.
The more appropriate legal bases could be:
» the performance of a contract to which the employee is party.
EXAMPLE
The employer must meet obligations under the employment contract, such as pay the employee.254
» the compliance with a legal obligation to which the employer is subject.
EXAMPLES
There are situations where the employer must communicate personal data of the employee for social security, welfare, or tax purposes. Another example of this could be a situation, where the employer is legally obliged to obtain a certificate of good conduct of (prospective) employees, or check their qualifications.
» the legitimate interest of the employer, insofar it is not overridden by the interests or fundamental rights and freedoms of a data subject.
EXAMPLES
A recruiter browses a publicly available database (e.g. LinkedIn or similar) and contacts a person to offer a job interview. An estate agent communicates to a client the contact details of one of their workers to schedule an appointment.
254 Article 29 Working Party, ‘Opinion 2/2017 on data processing at work’ (23 June 2017) https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_ id=610169 7.
