News and developments

Confirmed: Employers Should Not Use Consent as a Legal Basis for Processing Employee Personal Data

On 8 June 2017, the Article 29 Data Protection Working Party ("WP29") adopted Opinion 2/2017 on data processing at work ("the Opinion") [1]. This authoritative document complements previous WP29 publications on similar issues [2]. The Opinion now takes into account new technologies that affect the processing of employees' personal data at work. Moreover, the Opinion takes into account both the Data Protection Directive (Directive 95/46/EC) that is still in force at time of writing – transposed into Maltese legislation via the present Data Protection Act [3] – as well as the EU General Data Protection Regulation ("GDPR") that will enter into force on 25 May 2018. The GDPR will repeal and replace Directive 95/46/EC and the Maltese Data Protection Act ("DPA") on such date.

The WP29's Opinion on processing of personal data at work provides several guidelines and practical examples relating to how employee personal data can and should be processed by employers. This article focuses on one main issue discussed in the Opinion, namely, the issue of consent in the employment context. In Malta, this issue has always been somewhat of a grey area. Due to the relationship between employers and employees, it can be argued that employees are very rarely in a position to withhold consent for certain types of processing without this potentially having a detrimental effect of some kind on their employment status. Moreover, under the DPA, consent is presently defined as being "any freely given, specific and informed indication of the wishes of the data subject by which he signifies his agreement to personal data relating to him being processed" [emphasis added by us]. For consent to be valid, it must also be revocable.

Therefore, it may very likely be the case that the consent provided by employees may not, in fact, be 'freely given' and would therefore be invalid even in terms of general principles of Maltese civil law. It follows that relying solely on employee consent may place employers in the situation where they may be processing employee personal data in an unlawful manner. To our knowledge, this specific point has never been tested by the Maltese courts and neither has there been any authoritative interpretation published in Malta.

The WP29's Opinion confirms that "…for the majority of the cases of employees' data processing, the legal basis of that processing cannot and should not be the consent of the employees, so a different legal basis is required" [emphasis added by us]. This means that by way of anticipation to the coming into force of the GDPR in May 2018 but also to avoid any legal obstacles in terms of the present law, it is advisable for Maltese employers (as data controllers) to avoid using consent as the legal basis for processing their employees' personal data. Under both the DPA and the GDPR, personal data basically refers to any information that may directly or indirectly lead to the identity of a natural person.

It follows that alternative legal grounds for processing employee personal data must be identified and applied by employers. Under the DPA (and the incoming GDPR) [4], employers may only process employee personal data, without consent, if:

  • processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary in order to protect the vital interests of the data subject (the GDPR adds "…or of another natural person", for example, the data subject's children);
  • processing is necessary for the performance of an activity that is carried out:
  1. in the public interest or
  2. in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed;
  • processing is necessary for a purpose that concerns a legitimate interest of the controller, or of such a third party to whom personal data is provided, except where such interest is overridden by the interest to protect the fundamental rights and freedoms of the data subject and in particular the right to privacy.

The ways in which the legal grounds above may be invoked by employers to process (non-sensitive) personal data, without consent, depend on the circumstances of each case. It is therefore advisable for employers to seek legal advice before relying on any such ground for processing personal data of their employees.

For the sake of completeness, it should be pointed out that if the personal data in question amount to sensitive personal data (i.e. personal data that reveals the employee's race or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, health, or sex life) the grounds for processing such data without the employee's explicit consent are more restrictive. The main grounds [5] are generally as follows:

  • If the employee has made the data public (under the GDPR the data subject must manifestly make the personal data public for this exception to apply); or
  • If appropriate safeguards are adopted and the processing is necessary in order that:
  1. the employer will be able to comply with his duties or exercise his rights under any law regulating the conditions of employment (the GDPR adds "and laws relating to social security and social protection", clarifying when employers may process sensitive personal data without needing the employee's consent); or
  2. the vital interests of the data subject or of some other person will be able to be protected and the data subject is physically or legally incapable of giving his consent; or
  3. legal claims will be able to be established, exercised or defended.

The GDPR also adds "reasons of substantial public interest" as a ground for processing sensitive personal data (based on a proportionate law), but it remains to be seen how this will be interpreted and applied in practice.

Once again it should be noted that employers should seek legal advice before relying on any such grounds. Employers should exercise particular caution when processing the sensitive personal data of their employees.

Apart from the legal basis for processing employee personal data in the first place, employers must comply with all their other data protection obligations under the DPA and the incoming GDPR. For example, employers must keep their employees clearly and fully informed of the processing of their personal data (including any monitoring practices that may be in place). Also, employers must ensure that they have all the necessary technical and organisational measures in place to ensure the security of any such processing.

For more information on the GDPR and for access to our related articles on the matter as well as GDPR resources, please visit our recently launched mini-site www.gdprmalta.com that is dedicated to the GDPR. Among other things, visitors may download (free of charge) our guidelines relating to the GDPR. Unless you have already done so, we also invite you to subscribe to our GDPR mailing list so that you will receive our legal updates about the GDPR and related issues.

Footnotes

  • [1] Data Processing at Work.pdf
  • [2] Opinion 8/2001 on the processing of personal data in the employment context (WP48) and the 2002 Working Document on the Surveillance of Electronic Communications in the Workplace (WP55).
  • [3] Chapter 440 of the Laws of Malta.
  • [4] Article 9 of the DPA and Article 6 of the GDPR.
  • [5] Articles 12 and 13 of the DPA and Article 9 of the GDPR.