Privacy considerations in employment contracts

Data protection authorities are not only looking at the big ticket breaches and exposures, but also compliance with the spirit of GDPR.

The recent fine imposed by the Hellenic Data Protection Authority on PwC for General Data Protection Regulation (GDPR) violations brings to light the need for careful considerations of privacy in employment contracts.

As a lawful basis, consent is the most obvious choice. However, as the PwC case points out, consent is a weak crutch to lean on. For consent to be valid, GDPR requires it to be freely given, specific, informed, and unambiguous. In employment contracts, consent by existing or potential employees is hardly likely to be freely given.

In this case, PwC had requested its employees to sign a “Statement of Acceptance of Terms of Personal Data,” which included clauses requiring staff to give their consent:

  • To expressly and unconditionally permit the company to register and use personal information
  • To the disclosure of such personal information to third parties in the pursuit of its business interests
  • To initiate further monitoring with the use of cameras, etc.

The Hellenic Data Protection Authority raised questions on the compliance with Article 5 (1) (Principles relating to the processing of personal data), which requires lawfulness, fairness, and transparency.

The criteria for selecting the lawful basis for processing, as stated in Article 6 (1), were also enquired into by the Hellenic Data Protection Authority, which concluded that the lawful basis for processing had been incorrectly determined by the consulting company.

The record of processing activity maintained by the controller should include a lawful basis for the processing and justification for the choice of such a lawful basis. The use of consent as a lawful basis must be made after a careful consideration of the facts. In employment contracts, relying only on consent is detrimental to the interests of the employer.

The amount of the fine is not significant, given the size of the organization. What is more important is the message that it communicates – data protection authorities are getting their act together to not only look at the big ticket breaches and exposures, but also compliance with the spirit of GDPR.

To find out how Capgemini’s GDPR services can help your organization stay on top of your data protection and compliance initiatives, contact Geetha Jayaraman.

Geetha Jayaraman helps organizations leverage their use of technology by managing risks to achieve organizational objectives. She uses her experience to facilitate digital transformation of organizations through the adoption of the right technology solutions. As an expert in cyber security, she has guided many organizations in balancing risk with the adoption of technologies. Prior to her current role in Information Risk Assurance at Capgemini, she worked with several large technology service providers to bridge business objectives with ICT solutions.
