Consent is one of the EU General Data Protection Regulation legal bases that can be used to justify the collection, handling or storage of personal data. For consent to be valid, it must be clearly distinguishable from other matters, intelligible and in clear and plain language, freely given, as easy to withdraw as it was to provide, specific, informed and unambiguous (GDPR Articles 6 and 7 and Recitals 32, 33 and 43).

In the employment context, consent is deemed to be problematic. An actual or perceived imbalance of power between the employee/applicant and employer makes it difficult to prove that the consent was freely given and therefore valid.

Employees should be confident that their refusal of consent will not have a negative impact on their current or future employment. For an employer to be confident in the use of consent as a legal base, consent should be limited to operations that are neutral for both parties, such as when offering nonmandatory perks that an employee may feel free to refuse or discontinue (corporate discount programs), birthday celebrations at the workplace, photos on the company’s public website or social media pages, etc.

Other conditions for valid consent are that it must be specific and clearly defined. Asking to consent to company policies, such as a code of conduct or acceptable use policy, will fall foul of these requirements. By the same token, employee consent cannot be part of the employment contract. Instead of asking for consent to internal policies, employers should ask for these to be acknowledged or accepted.

There are, however, some exceptions where consent may be suitable in the employment context, examples of which are described here.

Before employment starts

Most of the data collected from job candidates will use GDPR Article 6.1(b) as the legal base and the applicant’s consent is not necessary. In some EU jurisdictions, employment or labor legislation states exactly what type of data can be collected for recruitment purposes.

Any additional information that the employer may want to collect with their application questionnaires or interview questions but that is not strictly necessary (like questions about current salary) may be based on consent, provided that collecting such additional data does not contravene applicable legislation.

Questions on sexual orientation and ethnicity will require consent — answers to these would reveal information that belongs to the special data category. As long as answers to these questions remain voluntary, it is a subject of discussion whether an employer advertising as open to diversity prompts job candidates to reveal such information.

In Ireland, under the Data Protection Act 2018, recruitment software that fully automates recruitment decision-making can be used only when based on the explicit consent of the candidate.

Oftentimes, such consent is also required in the U.K. unless such automated decision-making is authorized by law. Other European jurisdictions may require providing the candidate with an option to request human intervention in the selection process.

Retention of recruitment records

In principle, all data collected from unsuccessful candidates should be deleted at the end of the recruitment process, as the original purpose for which the data was collected has been achieved.

Some jurisdictions allow the retention of unsuccessful candidate data for a maximum period for reasons such as responses to complaints or future job opportunities. In such cases, the data storage will be based on either legitimate interest or consent. Consent for any additional data storage should be gathered at a specified time during the recruitment process.

Consent in employee monitoring

In most European jurisdictions, employee consent is not required for monitoring work-related activities that occur at the workplace during working time or for device monitoring on company-owned devices. This applies to CCTV monitoring and recordings of professional calls for the purpose of training and quality assurance. Such monitoring is based either on legal obligation or on legitimate interest. Employees will also have to be sufficiently informed of the monitoring taking place via specific notifications, signs, internal policies, etc. Employers will often need to assess and ensure that such monitoring is proportional and not intrusive. Data protection impact assessments, legitimate interest assessments or other data privacy assessments might be required before deploying new monitoring controls. As always, exceptions apply: For example, in Germany, the employee must be asked to consent to device monitoring in situations where the employer allows for private use of company-owned devices. In almost all circumstances, consent will be required for device monitoring under bring-your-own-device use. In some European jurisdictions, consent might have to be secured from unions or works councils on behalf of employees.

Consent for biometrics, health and criminal data

Employers who want to use facial recognition or fingerprints as methods for two-factor authentication for time and attendance will rarely be able to rely on legal obligation or legitimate interest if other less intrusive methods could be used. The use of biometrics at the workplace often requires employee consent. For such consent to be freely given, the employees would need to be given an option to choose other, more traditional methods of identification without negative consequences. However, in some jurisdictions, such as Poland, employers are not allowed to use biometrics for time and attendance purposes.

The processing of health data in the employment context meets with many regulatory obstacles. Often, such data can be processed on the condition that it was volunteered by the employee and not requested by the employer. Should an employer want to use the health data that was volunteered for other purposes, such use should be made known to the employee and a separate consent should be sought. This does not apply to COVID-19-related data, which is often regulated by national authorities.

Private entities will also find it difficult to justify processing of criminal data as they will often lack the authority to access and make a decision upon such data. Explicit consent given by employees would be unlikely to be seen as freely given. Exceptions might apply for some industries and jobs where criminal background checks are allowed or required by law. Examples of this would be in the banking sector, work with children or vulnerable adults, etc.
