A warning to employers on the use of consent to process employee’s personal data
The Hellenic Data Protection Authority (the Greek equivalent to the ICO) has fined an employer €150,000, as it was found that the employer was incorrectly using consent as the legal basis for processing employee personal data
Employees were under the impression that their data was being processed on the basis of ‘consent’, when processing was actually carried out under a different legal basis. It was found that the employer’s failure to notify employees of the correct legal basis for processing personal data was in breach of the data protection principle of ‘transparency’.
In order to rely on consent as the legal basis for processing personal data, consent must be ‘freely given’. The ICO advises employers to avoid relying on consent, as there is likely to be an imbalance of power between employer and employee. For example, it is unlikely that an employee will deny their employer consent to processing their personal data without experiencing the fear or real risk of adverse consequences (e.g. withdrawal of an employment offer or the termination of their employment). This means that consent is unlikely to be freely given.
This case should act as a catalyst for employers to check that they are using the appropriate legal basis for processing their employees’ personal data.
For more information on this update, please contact Natalie Ingram, or you can give us a call on 0345 070 6000.