The GDPR provides six lawful bases under which an organisation may process personal data. It sets out the conditions attached to each basis and explicitly identifies the rights that data subjects, including employees, have to object to processing carried out on certain of those bases.

Consent Article 6(1)(a)
  • Consent under GDPR must be freely given, specific, informed and unambiguous, and must be signalled by a statement or a clear affirmative action (Article 4(11)).
  • Data subjects must have the right to withdraw their consent at any time and in an easy manner and must be informed of this right before consent is obtained.
  • Relying on consent in the employment context is "problematic" due to the imbalance of power between the parties and the concern that such consent is not given voluntarily.
Legitimate Interests Article 6(1)(f)
  • Data subjects must be informed of the particular legitimate interest on which the controller is relying and of the right to object to legitimate interest based processing.
  • Where a data subject objects, the controller must stop the processing unless it can demonstrate compelling legitimate grounds (e.g. the right to conduct a business) that override the interests, rights and freedoms of the data subject (Article 21(1)).
Contractual Necessity Article 6(1)(b)
  • Personal data may be processed when necessary for the performance of the contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering a contract.
  • Such processing must be necessary (as opposed to merely desirable) to perform the contract – e.g. processing an employee's bank details in order to pay salary.
Legal Obligations Article 6(1)(c)
  • Personal data may be processed where it is necessary to comply with legal obligations imposed on an employer (e.g. a requirement to keep statutory employee records).
  • Special categories of personal data may be processed, in so far as authorised by Union or Member State law, where it is necessary for the purposes of exercising/performing any rights or obligations of an employer/employee in connection with employment or social welfare law (Article 9(2)(b)).
Vital Interests Article 6(1)(d)
  • Personal data may be processed on the basis that it is in the vital interests of the subject or another natural person.
  • This should only be used as a basis where the processing cannot be manifestly based on another legal basis.
Public Interests Article 6(1)(e)
  • It is lawful to process personal data where necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Member States may adopt specific rules specifying where this may be appropriate.
  • This lawful basis may be available to public bodies in the performance of their statutory functions.


Currently, many employers process personal data on the basis that an employee has consented to such processing due to the presence of a clause in their employment contract. After the implementation of GDPR, employers will no longer be able to rely on consent that is "bundled" into a contract in this way: Article 7(2) requires a request for consent that appears in a document dealing with other matters to be clearly distinguishable from those matters, and Article 7(4) requires utmost account to be taken, when assessing whether consent is freely given, of whether performance of a contract has been made conditional on consent to processing that is not necessary for that contract.

As relying on consent as a basis for processing in the context of an employment relationship is problematic, employers should avoid relying on this ground except where it truly is appropriate and the withdrawal of such consent will not cause issues for the employer. The use of staff photographs in recruitment/PR materials is one example where a specific consent should be sought. Employers should also seek a specific consent as a lawful basis for processing that is ancillary to the contract of employment (for example, participation in a work-related club/society or in voluntary work-related schemes).


Instead of relying on contractual clauses, employers should provide employees with a Privacy Notice. This approach allows an employer to comply with its obligation to provide certain pieces of information at the time when personal data is collected (i.e. at the commencement of the employment relationship). It also allows an employer to tailor its approach - for example, job candidates should be provided with a slightly different form of Privacy Notice than employees.

A Privacy Notice should contain all of the information outlined in Article 13 of the GDPR, which includes the identity and contact details of the controller (and of its data protection officer, where one has been appointed) and the purposes and legal bases for processing the data. It should identify the proposed recipients of the data and set out the arrangements for the storage, transfer and retention of data, including the retention period or the criteria used to determine it. A Privacy Notice should also inform employees of their rights in relation to their data, including the right to lodge a complaint with a supervisory authority, and of any automated decision-making, including profiling, together with meaningful information about the logic involved.


Employers regularly have to process data which reveals sensitive information about employees, such as their racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation, and health information. This type of information, together with other specified data types, falls within the definition of "Special Categories of Personal Data."

The processing of this type of data is generally prohibited unless it falls within the exceptions prescribed by the GDPR and the Data Protection Bill 2018. Key exceptions in the employment context include where it is necessary for the performance of any right or obligation which is conferred or imposed by law in connection with employment and social welfare law, or where it is necessary and proportionate for the purposes of health insurance related policies and pension arrangements and for the purpose of assessing the working capacity of an employee.

However, an employer must take "suitable and specific measures" when processing this type of data. This will depend on the data being processed, but could include limiting access to the data, imposing strict time limits for the erasure of the data and ensuring these limits are observed, providing specific training for individuals processing this data, or taking technical measures to secure the data (such as pseudonymisation, encryption, verification mechanisms).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.