If your organization pays employees in the European Union (EU), then you will undoubtedly process their personal data. Under the current European Commission’s Directive 95/46/EC, the processing of EU personal data is only lawful if the processing is carried out based on one of six conditions. One of these conditions is that the data subject (or employee) has “unambiguously given his [or her] consent.”
Because of a data subject’s ability to create a blanket approval for the processing of his or her data under the current Directive, most data controllers seek the individual’s consent whenever their data needs processing. Expressly communicating with the data subject also helps satisfy another requirement of the Directive—namely, the need to provide the data subject with specific information at the point of collection. This information includes the identity of the controller, the purpose for the processing, the recipients of the data, and notification of the existence of the rights of access and the right to rectify the data concerning the subject.
This seems straightforward, but the matter of an employer obtaining consent from an employee has been the subject of much debate. For a number of years now, the European Commission has advised that consent in these situations cannot be considered to be freely given due to the imbalance of power between the parties. While the Directive itself is silent on the matter, the Commission’s position has prompted regulators in each EU member state to issue guidance indicating that employers should not place sole reliance on data consent clauses in employment contracts.
Qualified as a lawyer, Stuart Buglass started his career as a fast track graduate trainee with Lloyds-TSB bank, undertaking assignments in legal, marketing, and finance. He later went on to specialize in employment law and HR at Lloyds-TSB, attaining his CIPD qualification and operating in a number of leadership roles prior to joining Radius (formerly Nair & Co.) in 2001.