Other than consent, what legal grounds will there be for processing personal data under the General Data Protection Regulation (GDPR)?

Article 6 of the General Data Protection Regulation (GDPR) states that processing of personal data will be lawful only if at least one of the following conditions applies:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the data controller is subject;
  • processing is necessary to protect the vital interests of the data subject or of another person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; or
  • processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (this condition does not apply to processing carried out by public authorities in the performance of their tasks).

Employers must identify which of the legal grounds for processing apply in relation to each purpose for which they process employee data and must inform employees of this when they collect employee data.

It will be difficult for employers to obtain consent from employees that meets the requirements of the GDPR. This is because the imbalance of power in the employment relationship means that employee consent is unlikely to be freely given, as required by the GDPR. Further, consent can be withdrawn at any time under the GDPR, so employers should generally ensure that they have another legal basis for processing.

In the employment context, the most relevant legal bases for processing data under the GDPR are likely to be that it is necessary for the performance of a contract, for compliance with a legal obligation, or for the purposes of the employer's legitimate interests. For example, the processing of personal data by the employer for the purposes of paying the employee will be necessary for the performance of the employment contract, and the processing of data about absence for the purposes of paying statutory sick pay will be necessary for compliance with a legal obligation. If the employer also processes absence data for the separate purpose of analysing absence rates, for example, it would need to show that it also has a legal basis for this. This could be that it is necessary for the purposes of its legitimate interests.

If an employer relies on the legitimate interests ground to process personal data, it must specify the particular legitimate interest for which the processing is necessary. Depending on the nature of the data and the processing activity, processing could be necessary for the management of the employment relationship in general; or the legitimate interest pursued could be more specific, eg carrying out a disciplinary investigation. The employer must be able to show that the legitimate interest on which it relies is not outweighed by the rights of the employee.

The GDPR will come into effect on 25 May 2018.