If there were any doubts under existing data protection law that employers cannot rely on consent to process personal data relating to employees, those doubts have now been laid to rest. The Regulation seems to envisage that there will always be a clear imbalance between the data subject and the controller in the employment context. Consequently, employers will need to justify processing of employee data on grounds other than consent. In many cases, this position is likely to mean that, unless the data processing is required by law (e.g. processing of sickness data to administer sick pay benefit), employers will need to rely on the so-called ‘legitimate interests’ criterion for the processing of employee personal data, namely that the processing is necessary for the legitimate interests pursued by the employer except where such interests are overridden by the interests or fundamental rights and freedoms of the employee which require protection of personal data.
In addition, employers will be required to specify the relevant legitimate interests pursued by them in the data protection notices that they provide to employees. If employers wish to process personal data for purposes other than those for which employment data was collected (as specified in the relevant data protection notices), they will have limited compliance options. The Regulation makes clear that, where the purpose of further processing is not compatible with the one for which the personal data has been collected, employers will not be able to justify the processing by reference to the legitimate interests criterion.
Given that consent is also unlikely to be an option, the Regulation presents a serious difficulty for employers since there are a number of scenarios in which employers may wish to use personal data in a way that is not compatible with the purposes for which it was collected. An important test of compatibility is whether the employer intends to use or disclose the employee data in a way in which employees would expect it to be used and disclosed.
So, for example, if employees have been told via an ‘acceptable use policy’ that monitoring is undertaken for a particular purpose, in general, it is likely to be unfair to use the information for another unexpected purpose. Simply getting employees to sign up to a new acceptable use policy may not get employers where they need to be since the new Regulation makes clear that such consent will not be valid. Neither will it be possible to rely on the legitimate interests criterion.
Consequently, it will be more important than ever to ensure that employers get their data protection notices/acceptable use policies right at the outset. In practice, the temptation for employers will be to draft very wide data protection notices to try to anticipate processing activities that they may wish to carry out in the future. In order to achieve compliance, however, the challenge will be to get the balance right between a data protection notice that is comprehensive and one that is meaningful.