Privacy considerations in employment contracts

Data protection authorities are not only looking at the big ticket breaches and exposures, but also compliance with the spirit of GDPR.

The recent fine imposed by the Hellenic Data Protection Authority on PwC for General Data Protection Regulation (GDPR) violations brings to light the need for careful considerations of privacy in employment contracts.

As a lawful basis, consent is the most obvious choice. However, as the PwC case shows, consent is a weak crutch to lean on. For consent to be valid, GDPR requires it to be freely given, specific, informed, and unambiguous. In an employment relationship, consent given by existing or prospective employees is hardly likely to be freely given, because of the imbalance of power between employer and employee.

In this case, PwC had requested its employees to sign a “Statement of Acceptance of Terms of Personal Data,” which included clauses requiring staff to give their consent:

  • To expressly and unconditionally permit the company to register and use personal information
  • To the disclosure of such personal information to third parties in the pursuit of its business interests
  • To initiate further monitoring with the use of cameras, etc.

The Hellenic Data Protection Authority raised questions on the compliance with Article 5 (1) (Principles relating to the processing of personal data), which requires lawfulness, fairness, and transparency.

The criteria for selecting the lawful basis for processing – as set out in Article 6 (1) – were also examined by the Hellenic Data Protection Authority, which concluded that the consulting company had incorrectly determined the lawful basis for processing.

The record of processing activity maintained by the controller should include a lawful basis for the processing and justification for the choice of such a lawful basis. The use of consent as a lawful basis must be made after a careful consideration of the facts. In employment contracts, relying only on consent is detrimental to the interests of the employer.

The amount of the fine is not significant, given the size of the organization. What is more important is the message that it communicates – data protection authorities are getting their act together to not only look at the big ticket breaches and exposures, but also compliance with the spirit of GDPR.

To find out how Capgemini’s GDPR services can help your organization stay on top of your data protection and compliance initiatives, contact Geetha Jayaraman.

Geetha Jayaraman helps organizations leverage their use of technology by managing risks to achieve organizational objectives. She uses her experience to facilitate digital transformation of organizations through the adoption of the right technology solutions. As an expert in cyber security, she has guided many organizations in balancing risk with the adoption of technologies. Prior to her current role in Information Risk Assurance at Capgemini, she worked with several large technology service providers to bridge business objectives with ICT solutions.
