On 8 June 2017, the Article 29 Working Party adopted Opinion 2/2017 on data processing at work (“the Opinion”). This authoritative document complements previous WP29 publications on similar topics. The opinion now takes into account new technologies that affect the processing of workers' personal data in the workplace. In addition, the opinion takes into account both the Data Protection Directive (Directive 95/46/EC), which is still in force at the time of writing and which has been transposed into Maltese law via this Data Protection Act, and the EU General Data Protection Regulation (“GDPR”), which will come into force on May 25, 2018. The GDPR will repeal and replace Directive 95/46/EC and the Maltese Data Protection Act (“DPA”) at that time. The WP29 Opinion on the processing of personal data in the workplace provides several guidelines and practical examples on how employees' personal data can and should be processed by employers. This article focuses on a key issue addressed in the notice, namely the issue of consent in the employment context. In Malta, this issue has always been a grey area. Because of the relationship between employers and employees, it can be argued that employees are very rarely able to withhold consent for certain types of treatment without potentially affecting their employment status.
In addition, under the DPA, consent is currently defined as “any voluntary, specific and informed expression of the data subject's wishes expressing consent to the processing of personal data” [emphasis added]. For consent to be valid, it must also be revocable. Therefore, it may be very likely that the consent given by the employees is not in fact given 'voluntarily' and would therefore also be invalid under the general principles of Maltese civil law. It follows that relying solely on the employee's consent may enable employers to process employees' personal data unlawfully. To our knowledge, this specific point has never been considered by the Maltese courts and no authoritative interpretation has been published in Malta. Two other elements must be taken into account when choosing the legal basis: The draft guidance states that consent expires when a child reaches the age of digital consent (16 or younger under the GDPR, according to the national transposition law). The final guidelines state that children's consent can be confirmed, modified and revoked once they reach the age of consent. In practice, this means that parental consent to the processing of personal data given before the age of digital consent remains a valid ground for processing, provided that the child does not act after reaching the age of consent.
One of the four criteria for the validity of consent is voluntary consent. WP29 states that consent cannot be considered voluntary if a controller attempts to rely on consent for a service that involves the use of personal data for additional purposes by arguing that an equivalent service is provided by another controller. WP29 rejects this approach, stating that in such a case, freedom of choice would depend on what other market participants do and whether a single data subject would consider the services of the other controller to be truly equivalent. This flawed argument would also imply an obligation for controllers to monitor market developments to ensure that consent is still valid for their data processing activities, given that a competitor may change its service at a later stage. In practice, this means that if the child does not act, consent given by a holder of parental responsibility or authorised by a holder of parental responsibility for the processing of personal data given before the age of digital consent remains a valid reason for processing. Obligations of the controller: in accordance with Article 22(3), controllers may provide safeguards to protect the rights, freedoms and legitimate interests of data subjects. The exception to the law of a Member State provided for in Article 22(b) requires that any legislation of a Member State authorising processing provides for an adequate level of protection of data subjects. The Group proposes that, in accordance with Article 22 and recital 71, minimum safeguards should provide:
Express consent (as opposed to “regular consent”) is required in three cases:
– Processing of special categories of personal data
– Automated individual decision-making with significant legal or similar effects
– Transfer of personal data to third countries (unless adequacy decision or decision
It follows that alternative legal bases for the processing of employees' personal data must be identified and applied by employers.
According to the FADP (and the new GDPR), employers can only process employees' personal data without consent if: For the sake of completeness, it should be noted that if the personal data concerned are sensitive personal data (i.e. personal data revealing the racial or ethnic origin of the employee, political opinions, religious or philosophical beliefs arising from trade union membership, health or sex life), the reasons for processing this data without the express consent of the employee are more restrictive.