In light of the GDPR’s stringent requirements for consent, HR departments will need to review the legal basis for processing employee data under employment contracts based on consent. The GDPR heightened the requirements for using consent as a legal basis, making this method risky and burdensome. The GDPR requires that consent must be:
  • Freely given,
  • Specific,
  • Informed, and
  • Unambiguous

Processing Employee Data

In the employment context, it is unlikely that an employee can respond “freely” to a request for consent from his/her employer.

Blanket consent policies in employment contracts are no longer adequate to process employee data. The employer must identify an alternative legal basis (e.g., a “legitimate interest”) for both new and existing employment contracts. Further, HR must draft new employment contracts and rely on an alternative legal basis to process employee data to avoid sanctions and fines.

How does enforcement work?

The GDPR will impose severe fines on employers that process employee data with no lawful basis of up to EUR 20 million or 4% of the total annual worldwide turnover. To put this in perspective, the Supervisory Authorities, only hours after the GDPR came into effect, filed complaints against Facebook, Google, Instagram, and WhatsApp with fines reaching a staggering EUR 9.3 billion in total. Rather than accept the risk of noncompliance, let us remove that dark cloud of noncompliance and help your team achieve GDPR compliance now.

Skip to content