Most employment contracts include a standard clause which says that the individual consents to you processing their personnel data. Do these clauses survive GDPR and, if not, what do you say instead?
We have already addressed consent and the GDPR in week 9 of our countdown. Consent can still be a valid basis for data processing. However, what causes problems with these historic employment contract clauses is that they try to legitimise an enormous amount of data processing without much information and in circumstances where the employee isn’t really able to refuse (at least in most circumstances). Under the GDPR, consent is supposed to be freely given, informed, unambiguous and unbundled from other terms and conditions.
The Information Commissioner’s guidance tells us that “Freely given consent will … be very difficult to obtain in the context of a relationship where there is an imbalance of power - particularly for … employers”.
That means one perfectly sensible approach is to decide that such provisions are no longer of any value post-GDPR, and to just remove them from the employment contract altogether. It would be good practice to still include something which requires your new employee to adhere to data protection principles or your policy, but as consent in such a document is of such limited value it could be removed.
If consent is to be obtained for any particular piece of processing (such as obtaining an occupational health report or using their photo for marketing purposes), then it can be obtained freely and separately at that time (without the employee facing a risk of adverse sanction), addressed specifically to the thing you want them to agree to.
However, there is an alternative view which says that there is no downside to including a provision in the contract which addresses data protection and obtains consent to the (possibly limited) extent that you are able to do so.
Such a clause could:
- acknowledge that you will hold and process personal data about the employee (including special categories of personal data);
- identify the purposes for which you might do so, such as the administration, management and operation of employment (including payment of wages and maintenance of attendance, performance and conduct records);
- spell out the legitimate reasons (other than consent) which you will be relying upon to process the data (usually: performance of the contract; compliance with legal obligations; and/or the purposes of legitimate interests pursued by you);
- include consent to such processing to the extent the employee is able to do so; and
- acknowledge that the consent can be withdrawn by notifying you.
Only time will tell whether such provisions become the norm or whether these clauses will disappear altogether, but for now you are likely to need to at least slightly vary your contractual provisions, if you decide not to remove them altogether.
Don’t forget that your new recruit should also be given a privacy notice, as we explored in week 10.