By decision of 9 November 2020 (n°72/2020), the Litigation Chamber of the Belgian Data Protection Authority (the "BDPA") gave very welcome clarifications concerning the validity of employees' consent (Art. 4.11 and recital 43 of the GDPR). The Litigation Chamber also gave practical guidelines concerning the "purpose limitation" principle (Art. 5(1)(b) GDPR).
In the case at stake, the BDPA decided in particular that:
- The free consent of employees was possible and could be valid if all other conditions of article 4.11 of the GDPR were fulfilled; and
- The data was collected for a specified and legitimate purpose but the purpose of the processing was not explicit.
The facts under scrutiny
A hospital was processing personal data of employees relating to their affiliation to a trade union "B" (at that time the sole trade union represented in the hospital). The processing was based on a verbal agreement between the hospital and the trade union, and its purpose was to allow the hospital to deduct trade union fees from the employees' salaries. In addition to this verbal agreement with the trade union "B", each employee received a form allowing him/her to give his/her consent to the above-mentioned processing.
Years later, a second trade union "A" became represented in the hospital. This trade union "A" argued that the system was unlawful. In addition, one of the employees affiliated to trade union "A" filed a complaint before the BDPA, arguing notably that the processing of personal data infringed the GDPR.
The BDPA examined the processing only with respect to the facts for which it has jurisdiction, i.e. the processing carried out since the GDPR became applicable (25 May 2018).
The conditions for a valid employees' consent
In accordance with Article 9.1 of the GDPR, trade union affiliation is a special category of personal data whose processing is in principle prohibited, so the BDPA checked whether the derogation for processing based on explicit consent (Art. 9.2 GDPR) could apply. Pursuant to Article 4.11 of the GDPR, to be valid the consent needs to be:
- Freely given;
- Specific;
- Informed; and
- Unambiguous.
The decision is very instructive in its answer regarding the free character of the consent. Indeed, the difficulty was to assess whether, in the context of employment, the consent was freely given despite the clear imbalance existing between an employee and an employer (recital 43 of the GDPR). On this point, and in line with several guidelines of the EDPB and the WP29 relating to the notion of consent, the BDPA came to the conclusion that the consent was freely given. The BDPA reached this conclusion because the form by which the employee could give his/her consent was limited to the specific purpose of the deduction by the hospital of the affiliation fees for the trade union, and this processing did not give any advantage to the hospital as an employer. In other words, the employees had a true freedom of choice, without any advantageous or disadvantageous consequence for them. The BDPA also concluded that the consent was specific, because the sole purpose was clearly stated in the form, and that the consent was explicit (and thus also unambiguous), since it was obtained through a mandate signed by the employees for a specific purpose. However, the BDPA concluded that the consent was not informed, since the mandate used to collect the consent did not mention the right to withdraw it (see also Guidelines 05/2020 of the EDPB, point 64). This is a welcome reminder to always mention this right, since in practice this information is not always given by controllers to data subjects when seeking their consent.
The purpose limitation principle
After having reviewed the consent, the BDPA examined whether the purpose limitation principle prescribed by Article 5(1)(b) had been respected. According to this article, personal data must be collected for (1) specified, (2) explicit and (3) legitimate purposes. The BDPA concluded that the data was collected for specified and legitimate purposes. However, the BDPA found that the purpose of the processing was not explicit. In order to be explicit, the purpose of the processing must be clear (transparent and predictable) not only for the employees from whom the consent is asked, but also for all the other employees of the controller and for all other stakeholders (the data protection officer, the processor, the BDPA, etc.).
In the present case, this requirement was particularly important given (1) the fact that trade union data is a special category of personal data and (2) that Article 24.1 of the GDPR obliges the controller to implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the GDPR, "taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons". For these reasons, the BDPA concluded that the hospital should at least have documented the processing in a written agreement with the trade union, if not in additional written documents as well.
No sanction, but publication of the decision
Considering the various mitigating circumstances, the BDPA decided not to sanction the hospital. However, since the clarifications were considered to be of importance, the BDPA decided to publish the decision without identifying the parties.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.