The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave Leighton Paisner published a multi-part series that discussed the questions most frequently asked by clients concerning the GDPR. The following FAQ is updated with the recent decision from the Greek data protection authority to issue an administrative fine for €150k against an employer that sought the consent of its employees to processing.
While the GDPR recognizes consent as one of the six foundations upon which a company can process information, most European Union Member States are skeptical about whether an employee’s consent can be effective given the imbalance of power in the employment relationship. Put differently, many European Union Member States would question whether a consent obtained by an employer was freely given and, therefore, effective. As the Article 29 Working Party—an independent advisory body to the European Commission on data protection matters—has stated:
An imbalance of power . . . occurs in the employment context. Given the dependency that results from the employer/employee relationship, it is unlikely that the data subject is able to deny his/her employer consent to data processing without experiencing the fear or real risk of detrimental effects as a result of a refusal. It is unlikely that an employee would be able to respond freely to a request for consent from his/her employer to, for example, activate monitoring systems such as camera-observation in a workplace, or to fill out assessment forms, without feeling any pressure to consent. Therefore, [the Article 29 Working Party] deems it problematic for employers to process personal data of current or future employees on the basis of consent as it is unlikely to be freely given. For the majority of such data processing at work, the lawful basis cannot and should not be the consent of the employees (Article 6(1a)) due to the nature of the relationship between employer and employee.1
The net result is that under the GDPR, not only is a company not required to obtain the consent of its employees to data processing, but in many situations a company is not permitted to base processing upon consent.
Some supervisory authorities have brought enforcement actions against companies that have attempted to obtain the consent of employees to process data.2 For example, in July of 2019, the Greek supervisory authority issued a €150,000 administrative fine against a company that required its employees “to provide consent to the processing of their personal data,” as the “[c]onsent of data subjects in the context of employment relations cannot be regarded as freely given due to the clear imbalance between the parties.”3 The supervisory authority made clear that in its opinion the processing of employment data should be based upon either the performance of the employment contract (i.e., Article 6(1)(b)), the needs of the employer to comply with a legal obligation to process data (i.e., Article 6(1)(c)), or the legitimate interest of the employer to the “smooth and effective operation of the company” (i.e., Article 6(1)(f)).4
1. Article 29 Working Party, WP 259: Guidelines on Consent Under Regulation 2016/679 at 8 (28 Nov. 2017) (emphasis added).
2. Summary of Hellenic DPA’s Decision No. 26/2019 available at https://www.dpa.gr/pls/portal/docs/PAGE/APDPX/ENGLISH_INDEX/DECISIONS/SUMMARY%20OF%20DECISION%2026_2019%20(EN).PDF (stating that employees were asked to “sign a statement according to which they acknowledged that their personal data kept and processed by the company was directly related to the needs of the employment relationship . . .”).
3. Summary of Hellenic DPA’s Decision No. 26/2019 available at https://www.dpa.gr/pls/portal/docs/PAGE/APDPX/ENGLISH_INDEX/DECISIONS/SUMMARY%20OF%20DECISION%2026_2019%20(EN).PDF.
4. Summary of Hellenic DPA’s Decision No. 26/2019 available at https://www.dpa.gr/pls/portal/docs/PAGE/APDPX/ENGLISH_INDEX/DECISIONS/SUMMARY%20OF%20DECISION%2026_2019%20(EN).PDF.