27th April 2018

HR Issues – GDPR Guidance Note 2 – Employment contract wording and consent

It is highly likely that your employment contract contains a clause about data protection. Typically, organisations seek employees' consent to this clause.

With the new General Data Protection Regulation due to come into force on 25th May 2018, we know that consent should be freely given, explicit, informed and unambiguous. If you know that you are processing a special category of data, the consent must also be explicit. You can no longer rely upon a blanket data protection clause. Instead, the consent needs to be separate, making specifically clear to the employee what data processing they are consenting to, such as permission for a health report or mortgage application. You also need to make clear that this consent can be withdrawn at any point.

In terms of ‘freely given’, the view is that in the employment relationship the power lies with the employer, such as with a job offer. If consent is relied upon and is refused or not provided, this may lead to an unworkable situation. Our advice is therefore that it is best to rely upon lawful reasons for processing other than consent.

In terms of the employment contract we advise that your current data protection clauses are replaced by the following:

  • You shall comply with all relevant data protection legislation and/or any [org name] policy regarding data protection when processing personal data in the course of employment including personal data relating to any employee, supplier [insert any others] or agent of the [org name].
  • In order to manage your contract of employment and for related purposes, such as updating and enhancing our records, analysis for management purposes and statutory returns, legal and regulatory compliance and crime prevention, you have supplied us with your personal data and we can therefore process, use and disclose personal data about you as is necessary in compliance with data protection legislation. Some data may be supplied to external suppliers who administer employee benefits, solely for the purpose of providing those benefits to you.
  • [org name] may make such information available to those who provide products or services to the [org name] (such as advisers and payroll administrators), regulatory authorities, potential or future employers, governmental or quasi-governmental organisations.
  • [org name] expects you to inform the appropriate personnel of changes to your personal data in a timely manner.

Similarly, any such data protection boxes should be removed from employee documents such as the application form.

Other employment policies and procedures (such as Subject Access Request and Privacy Policy / Fair Processing Notices for Employees) should be updated to reflect employees’ rights and your duties as an employer.

Clients have asked whether it is necessary to issue updated contracts to existing employees. This is an organisational decision, but given that the contract was correct at the time of issue, it is fine to continue with the current contract and to update it when you process other changes (and certainly to update for any new contract issued after 25th May 2018). We advise that, as part of your employee awareness communication, an email is sent to all employees notifying them of the change and referring them to the privacy notice / employee fair processing notice.

If you need support in preparing for GDPR compliance please contact us.
