11 December 2020
With its decision of 9 November 2020 (72/2020), the Litigation Chamber of the Data Protection Authority (DPA) provided welcome clarifications concerning the validity of employee consent (Article 4.11 and Recital 43 of the EU General Data Protection Regulation (GDPR)). The Litigation Chamber also gave practical guidelines concerning the purpose limitation principle (Article 5(1)(b) of the GDPR).
In the case at hand, the DPA decided that:
A hospital was processing personal data of employees relating to their affiliation with a trade union (B) (at that time, the sole trade union represented in the hospital). The processing was based on a verbal agreement between the hospital and the trade union and its purpose was to allow the hospital to deduct trade union fees from employee salaries. In addition to this verbal agreement with trade union B, each employee received a form allowing them to give their consent for the abovementioned processing.
Years later, a second trade union (A) came to be represented in the hospital. Trade union A argued that the system was unlawful. In addition, one of the employees affiliated with trade union A filed a complaint before the DPA, claiming in particular that the processing of personal data infringed the GDPR.
The DPA examined the processing only with regard to the facts over which it has jurisdiction, namely the processing carried out since the GDPR became applicable (25 May 2018).
Under Article 9.1 of the GDPR, trade union affiliation is a special category of personal data whose processing is in principle prohibited. The DPA therefore checked whether the derogation for processing based on explicit consent (Article 9.2 of the GDPR) could apply. Pursuant to Article 4.11 of the GDPR, to be valid, the consent must be:
The decision is instructive on the question of whether consent was freely given. The difficulty was to assess whether, in the context of employment, the consent was freely given despite the clear imbalance existing between employees and employers (Recital 43 of the GDPR). On this point, and in line with several guidelines of the European Data Protection Board (EDPB) and the Article 29 Working Party relating to the notion of consent, the DPA concluded that the consent had been freely given. The DPA came to this conclusion because the form by which employees could give their consent had been limited to the specific purpose of the hospital's deduction of the affiliation fees for the trade union, and this processing provided no advantage to the hospital as an employer. In other words, the employees had a true freedom of choice without any advantageous or disadvantageous consequences for them.
The DPA also concluded that the consent was specific because the sole purpose was clearly stated in the form and that the consent was explicit (and thus also unambiguous) since the consent was obtained in a mandate signed by the employees for a specific purpose. However, the DPA concluded that the consent had not been informed since the mandate allowing the collection of the consent did not mention the right to withdraw the consent (see also Guidelines 05/2020 of the EDPB, Point 64). This is a welcome reminder to always mention this right, since it appears in practice that this information is not always given by controllers to data subjects when trying to obtain their consent.
After having reviewed the consent, the DPA examined if the purpose limitation principle as prescribed by Article 5(1)(b) had been respected. According to this article, the personal data must be collected for specified, explicit and legitimate purposes. The DPA concluded that the data had been collected for specified and legitimate purposes. However, the DPA found that the purpose of the processing was not explicit. In order to be explicit, the purpose of the processing must be clear (transparent and predictable) not only for the employees from whom consent is asked, but also for all of the controller's employees and all other stakeholders (eg, the data protection officer, the processor and the DPA).
In the present case, this requirement was particularly important in consideration of the fact that:
For these reasons, the DPA concluded that the hospital should at least have documented the processing in a written agreement with the trade union, if not in other additional written documents.
Considering the various mitigating circumstances, the DPA decided not to penalise the hospital. However, since the clarifications were considered of importance, the DPA decided to publish the decision without identification of the parties.