The GDPR provides six lawful bases under which an organisation may process personal data. It defines the bases on which data may be processed in new ways and explicitly identifies the rights that employees have to object to certain bases of processing.
|Lawful basis|GDPR provision|
|---|---|
|Consent|Article 6(1)(a)|
|Legitimate Interests|Article 6(1)(f)|
|Contractual Necessity|Article 6(1)(b)|
|Legal Obligations|Article 6(1)(c)|
|Vital Interests|Article 6(1)(d)|
|Public Interests|Article 6(1)(e)|
CAN I STILL RELY ON CONSENT?
Currently, many employers process personal data on the basis that an employee has consented to such processing due to the presence of a clause in their employment contract. After the implementation of GDPR, employers will no longer be able to rely on consent that is "bundled" into a contract in this way.
Because relying on consent as a basis for processing is problematic in the context of an employment relationship, employers should avoid this ground except where it truly is appropriate and the withdrawal of such consent will not cause issues for the employer. For example, a specific consent should be sought for the use of staff photographs in recruitment/PR materials. In addition, employers should seek a specific consent as a lawful basis for processing that is ancillary to the contract of employment (examples include participation in a work-related club/society and voluntary work-related schemes).
WHAT IS A PRIVACY NOTICE AND WHAT SHOULD IT CONTAIN?
Instead of relying on contractual clauses, employers should provide employees with a Privacy Notice. This approach allows an employer to comply with its obligation to provide certain pieces of information at the time when personal data is collected (i.e. at the commencement of the employment relationship). It also allows an employer to tailor its approach - for example, job candidates should be provided with a slightly different form of Privacy Notice than employees.
A Privacy Notice should contain all of the information outlined in Article 13 of the GDPR, which includes controller information and information about the purposes and legal bases for processing data. It should confirm the proposed recipients of the data and provide information regarding the arrangements for the storage, transfer and retention of data. A Privacy Notice should also provide information on the rights of employees in relation to their data and information on automated decision-making processes.
WHAT ABOUT "SPECIAL CATEGORIES OF PERSONAL DATA"?
Employers regularly have to process data which reveals sensitive information about employees, such as their racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation, and health information. This type of information, together with other specified data types, falls within the definition of "Special Categories of Personal Data."
The processing of this type of data is generally prohibited unless it falls within the exceptions prescribed by the GDPR and the Data Protection Bill 2018. Key exceptions in the employment context include where it is necessary for the performance of any right or obligation which is conferred or imposed by law in connection with employment and social welfare law, or where it is necessary and proportionate for the purposes of health insurance related policies and pension arrangements and for the purpose of assessing the working capacity of an employee.
However, an employer must take "suitable and specific measures" when processing this type of data. This will depend on the data being processed, but could include limiting access to the data, imposing strict time limits for the erasure of the data and ensuring these limits are observed, providing specific training for individuals processing this data, or taking technical measures to secure the data (such as pseudonymisation, encryption, verification mechanisms).