Are there changes to the rules on obtaining consent to process personal data under the General Data Protection Regulation?
Yes, the General Data Protection Regulation (2016/679 EU) (GDPR) significantly restricts the use of consent as a justification for processing employee personal data.
Under the GDPR, consent must be freely given, specific, informed and unambiguous. It must be given by a statement or clear affirmative action. If consent is given through a written declaration, the request for consent must be clearly distinguishable from other matters and easy to understand. The individual has the right to withdraw their consent at any time.
For employers, the new requirements mean that generic consents (for example, those contained in the body of an employment contract) will not be a valid legal basis to justify processing employee personal data.
Further, the recitals to the GDPR make clear that consent will not be valid if there is an imbalance in the relationship between the individual and the organisation collecting the data, as the consent will not be "freely given". In its GDPR consent guidance, the Information Commissioner's Office (ICO) has stated that the imbalance in the employment relationship will make it difficult to obtain valid consent and that employers should avoid relying on consent as a justification for processing employee personal data.
Employers will need to ensure that they have a valid legal basis for collecting employee personal data (ie processing is necessary to perform the employment contract, to comply with a legal obligation or for the legitimate interests of the employer). They should rely on consent as the legal basis for processing only if the employees have a genuine choice about whether or not to provide it and will suffer no consequences if they choose not to.