With its decision of 9 November 2020 (72/2020), the Litigation Chamber of the Data Protection Authority (DPA) provided welcome clarifications concerning the validity of employee consent (Article 4.11 and Recital 43 of the EU General Data Protection Regulation (GDPR)). The Litigation Chamber also gave practical guidelines concerning the purpose limitation principle (Article 5(1)(b) of the GDPR).
In the case at hand, the DPA decided that:
- the free consent of employees was possible and could be valid if all other conditions of Article 4.11 of the GDPR were fulfilled; and
- the data was collected for a specified and legitimate purpose but the purpose of the processing was not explicit.
A hospital was processing personal data of employees relating to their affiliation with a trade union (B) (at that time, the sole trade union represented in the hospital). The processing was based on a verbal agreement between the hospital and the trade union and its purpose was to allow the hospital to deduct trade union fees from employee salaries. In addition to this verbal agreement with trade union B, each employee received a form allowing them to give their consent for the abovementioned processing.
Years later, a second trade union (A) was represented in the hospital. Trade union A claimed that the system was unlawful. In addition, one of the employees affiliated with trade union A filed a complaint before the DPA claiming, in particular, that the processing of personal data infringed the GDPR.
The DPA examined only the processing over which it has jurisdiction, namely the processing carried out since the GDPR became applicable (25 May 2018).
Conditions for valid employee consent
In accordance with Article 9.1 of the GDPR, trade union affiliation being a special category of personal data for which the processing is in principle prohibited, the DPA checked if the derogation for processing based on explicit consent (Article 9.2 of the GDPR) could apply. Pursuant to Article 4.11 of the GDPR, to be valid, the consent must be:
- freely given;
- informed; and
The decision is instructive in its answer regarding the free character of consent. Indeed, the difficulty was to assess whether, in the context of employment, the consent was freely given despite the clear imbalance existing between employees and employers (Recital 43 of the GDPR). On this point, and in line with several guidelines of the European Data Protection Board (EDPB) and Article 29 Working Party relating to the notion of consent, the DPA concluded that the consent had been freely given. The DPA came to this conclusion since the form by which employees could give their consent had been limited to the specific purpose of the hospital's deduction of the affiliation fees for the trade union and this processing provided no advantage to the hospital as an employer. In other words, the employees had a true freedom of choice without any advantageous or disadvantageous consequences for them.
The DPA also concluded that the consent was specific because the sole purpose was clearly stated in the form and that the consent was explicit (and thus also unambiguous) since the consent was obtained in a mandate signed by the employees for a specific purpose. However, the DPA concluded that the consent had not been informed since the mandate allowing the collection of the consent did not mention the right to withdraw the consent (see also Guidelines 05/2020 of the EDPB, Point 64). This is a welcome reminder to always mention this right, since it appears in practice that this information is not always given by controllers to data subjects when trying to obtain their consent.
Purpose limitation principle
After having reviewed the consent, the DPA examined if the purpose limitation principle as prescribed by Article 5(1)(b) had been respected. According to this article, the personal data must be collected for specified, explicit and legitimate purposes. The DPA concluded that the data had been collected for specified and legitimate purposes. However, the DPA found that the purpose of the processing was not explicit. In order to be explicit, the purpose of the processing must be clear (transparent and predictable) not only for the employees from whom consent is asked, but also for all of the controller's employees and all other stakeholders (eg, the data protection officer, the processor and the DPA).
In the present case, this requirement was particularly important in consideration of the fact that:
- trade union data is a special category of personal data; and
- Article 24.1 of the GDPR obliges the controller to implement appropriate technical and organisational measures to ensure and be capable of demonstrating that processing is performed in accordance with the GDPR, "taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons".
For these reasons, the DPA concluded that the hospital should at least have documented the processing in a written agreement with the trade union, if not in other additional written documents.
No penalty, but publication of decision
Considering the various mitigating circumstances, the DPA decided not to penalise the hospital. However, since the clarifications were considered of importance, the DPA decided to publish the decision without identification of the parties.
For further information on this topic please contact Paul Van den Bulck by telephone (+32 2 629 4239) or email (firstname.lastname@example.org).
This blog was posted on the ILO website.