Privacy considerations in employment contracts

Data protection authorities are not only looking at the big ticket breaches and exposures, but also compliance with the spirit of GDPR.

The recent fine imposed by the Hellenic Data Protection Authority on PwC for General Data Protection Regulation (GDPR) violations brings to light the need for careful consideration of privacy in employment contracts.

As a lawful basis, consent is the most obvious choice. However, as the PwC case points out, the choice of consent is a weak crutch to lean on. For consent to be valid, GDPR requires it to be free, specific, informed, and unambiguous. In employment contracts, consent by existing or potential employees is hardly likely to be freely given.

In this case, PwC had requested its employees to sign a “Statement of Acceptance of Terms of Personal Data,” which included clauses requiring staff to give their consent:

  • To expressly and unconditionally permit the company to register and use personal information
  • To the disclosure of such personal information to third parties in the pursuit of its business interests
  • To initiate further monitoring with the use of cameras, etc.

The Hellenic Data Protection Authority raised questions about compliance with Article 5 (1) (Principles relating to the processing of personal data), which requires lawfulness, fairness, and transparency.

The Hellenic Data Protection Authority also examined the criteria for selecting the lawful basis of processing, as stated in Article 6 (1), and concluded that the consulting company had determined the lawful basis for processing incorrectly.

The record of processing activity maintained by the controller should include a lawful basis for the processing and a justification for the choice of that lawful basis. The decision to use consent as a lawful basis must be made after careful consideration of the facts. In employment contracts, relying only on consent is detrimental to the interests of the employer.

The amount of the fine is not significant, given the size of the organization. What is more important is the message that it communicates: data protection authorities are getting their act together to look not only at the big ticket breaches and exposures, but also at compliance with the spirit of GDPR.

To find out how Capgemini’s GDPR services can help your organization stay on top of your data protection and compliance initiatives, contact Geetha Jayaraman.

Geetha Jayaraman helps organizations leverage their use of technology by managing risks to achieve organizational objectives. She uses her experience to facilitate digital transformation of organizations through the adoption of the right technology solutions. As an expert in cyber security, she has guided many organizations in balancing risk with the adoption of technologies. Prior to her current role in Information Risk Assurance at Capgemini, she worked with several large technology service providers to bridge business objectives with ICT solutions.
