GDPR versus Employers: Time to reconsider consent as a lawful basis to collect personal data?

In light of the GDPR’s stringent requirements for consent, HR departments will need to review the legal basis for processing employee data under employment contracts based on consent. The GDPR heightened the requirements for using consent as a legal basis, making this method risky and burdensome. The GDPR requires that consent must be: (1) freely given, (2) specific, (3) informed, and (4) unambiguous. In the employment context, it is unlikely that an employee can respond “freely” to a request for consent from his/her employer.

 

Blanket consent policies in employment contracts are no longer adequate to process employee data. The employer must identify an alternative legal basis (e.g., a “legitimate interest”) for both new and existing employment contracts. Further, HR must draft new employment contracts and rely on an alternative legal basis to process employee data to avoid sanctions and fines.

 

The GDPR will impose severe fines on employers that process employee data with no lawful basis of up to EUR 20,0000,000.00 or 4% of the total annual worldwide turnover. To put this in perspective, the Supervisory Authorities, only hours after the GDPR came into effect, filed complaints against Facebook, Google, Instagram, and WhatsApp with fines reaching a staggering EUR 9.3 billion in total. Employers must become GDPR compliant before the Supervisory Authority makes landfall at your organization.

 

Let us help you with this hurdle to GDPR compliance. Get in touch!