GDPR will have a significant effect on the employer-employee relationship when it comes into effect on 25th May 2018.
Many employers have a “Data Protection” clause in their current contracts of employment regarding consent to process personal data. It has the effect that by signing the contract the employee is giving explicit consent to the employer processing their personal and sensitive personal data. This remains valid until 25th May 2018.
However, from 25th May 2018, GDPR will have a significant impact: contracts will need to be changed or, alternatively, amendment letters will need to be issued to staff, along with a GDPR policy and Privacy Notice, among others.
After GDPR, there must be valid reasons for processing employees’ data, and consent will have to be obtained in a clearly distinguishable way, separate from the employment contract. It is unlikely that consent obtained through a contract of employment will be acceptable, as the employer is in a relationship of power over the employee at that time.
Most people therefore think they will need to obtain the employee’s consent through a separate form. However, what if the employee doesn’t give their consent, or what if they withdraw it later? It could become a nightmare.
Therefore, it may be that an employer would choose to rely on one of the other alternatives to consent, of which there are 5. These include where the processing is necessary for compliance with a legal obligation to which the employer is subject, such as the range of employment and other relevant legislation. Alternatively, the processing may be necessary for the performance of the contract with the employee, or for the legitimate interests of the employer or a third party.
An employer may also choose to rely on alternatives to consent such as where the processing is necessary for carrying out the legal rights and obligations of the employer and employee as authorised by employment or other laws or based on collective agreements, or on other bases.
If consent is relied upon, it must be clear, specific and unambiguous. That in itself is fine, but what if it is withdrawn? Thus, employers should consider using the legal basis they have for processing the data in the first instance.
In this context, the current Data Protection clause would be removed from the contract of employment and replaced by a GDPR clause. That is for new contracts from 25th May onwards. For existing employees, it is too cumbersome to change all their contracts, so we recommend that from 25th May onwards, amendment letters should be issued to all existing staff to explain that the employer no longer relies on the Data Protection clause in the current contract, and to inform them about GDPR arrangements.
The employer would map out what personal information they are processing and the legal basis for processing it, inform employees of this, and provide employees with a GDPR policy and a Privacy Notice, with basic training or information and communications on GDPR.
The employees’ own obligations regarding GDPR also need to be part of that communications process. This in turn has an impact on the disciplinary policies of the employer, which will need to be updated.
How Can We Help
We provide employers with support and advice, by phone, email and face-to-face, for all employment law and HR matters.