18/11/20

New Belgian DPA decision: employee consent sometimes works

Yes, employee consent is possible in certain circumstances – but do not assume old processing activities fully comply. That, in summary, was the position of the Belgian Data Protection Authority (BDPA) in a decision of 9 November 2020 of its Litigation Chamber following a complaint by an individual against their employer, a Belgian hospital.

Summary of facts 

The complaint was filed by an employee affiliated with trade union “A” and it related to a mechanism put in place in 2008 by the employer: employees affiliated with another trade union, trade union “B”, could allow the employer to deduct from their salary their trade union membership fees. 

According to the employer, when it was put in place in 2008, employees were only members of trade union B. When some employees started joining trade union A, the employer offered the same possibility to trade union B – but it refused. 

In the complaint, the plaintiff alleged that this processing was unlawful and led to discrimination based on trade union membership. In its investigation, the BDPA did not find any evidence of discrimination, but it received information from the employer on how the processing in question took place, as well as a copy of the document that employees were asked to sign if they wished to make use of this possibility.

Based on this document (a form of individual, written authorisation), the BDPA observed that the legal ground claimed for the processing was (explicit) consent, although the employer did not label it as such. In terms of purpose and scope, the BDPA noted that the processing was limited to the mere deduction of trade union membership fees; the employer indicated that the data was not processed for any other purpose and the BDPA did not uncover any evidence to suggest otherwise. Other than the employee-signed document, however, none of this had been formalised in writing; everything was based on an oral agreement between the employer and the trade union. 

On 30 June 2019, during the course of the BDPA’s investigation, the employer brought an end to the decade-long processing activity. 

11 years of processing; only 1 year examined

First, the Litigation Chamber made it clear that it only had the power to take a decision in relation to the processing activity carried out since 25 May 2018, given that the GDPR (which is the basis for the BDPA’s jurisdiction) only became applicable then. The BDPA’s predecessor, the Belgian Privacy Commission, had jurisdiction prior thereto.

In other words, the first 10 years of processing fell outside of the scope of the BDPA’s jurisdiction. In theory, other forms of proceedings remain available before the courts even based on old legislation, but they are unlikely in practice.

[Want an overview of data protection litigation possibilities and risks based on today’s legislation? See our recent newsletter on data protection litigation.]

Conditions for employee consent

According to Article 9.1 of the GDPR, the processing of personal data related to trade union membership is prohibited, unless the employee explicitly consents to the processing of those personal data for one or more specified purposes. The Litigation Chamber therefore examined whether the conditions of explicit consent were fulfilled. This is particularly interesting, as the data subjects are employees. It is often difficult to ensure that employees’ consent is genuinely given freely, due to the clear imbalance between the employee and the employer (this was also envisaged by point 43 of the GDPR preamble).

a) First, can consent be freely given by an employee to an employer? In this particular case, the Litigation Chamber decided that it was indeed so. Referring to various sources of guidance (Opinion No. 2/2017 on data processing at work of the Article 29 Working Party (WP29) and WP29’s subsequent guidelines on consent under the GDPR), the Litigation Chamber stressed that “an employee can only validly consent to data processing by his employer if the employer does not draw any advantage from the processing”. [Why refer to the WP29 guidelines on consent and not their replacement, the consent guidelines of the European Data Protection Board? The latter were adopted in May 2020, while the processing in question ended on 30 June 2019.]

In this particular case, the employer had claimed that the personal data in question was only used for the purpose of honouring the employee’s request for deduction of trade union membership fees. As there was no evidence to the contrary, the Litigation Chamber concluded that the employer did not obtain any advantage from that processing. 
As a result, it considered that this employee consent had been freely given. 

Yet consent must not only be freely given; it must also be specific, informed and unambiguous. 

b) Because it was tied to one specific purpose (limited to the mere deduction of the trade union membership fees from the salary of the employees concerned), the Litigation Chamber considered that this employee consent was specific (and that this followed also from each employee’s written mandate). 

c) In relation to the requirement of informed consent as interpreted by the WP29 in its guidelines on consent, the Litigation Chamber found failings in the employer’s approach. Based on the exhibits provided by the parties, employees did not appear to have been informed of their right to withdraw consent. In practice, it is an often overlooked requirement, and so it was too in this particular case.

d) The Litigation Chamber then held that the consent in question was indeed explicit (and thus also unambiguous, although the Litigation Chamber did not use that word in its decision), based on the signed, written form. 

In other words, this particular form of employee consent was deemed to be freely given, specific and explicit, but not (fully) informed – and the employer was in breach of Articles 9(2)(a) and 7(3) GDPR.

The importance of documentation

After examining whether the consent given was valid, the Litigation Chamber turned to an examination of the purposes of the processing – and the existence or absence of documentation.

Under the GDPR, personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes” (the “purpose limitation” principle under Art. 5(1)(b) GDPR).

Based on the investigation, the Litigation Chamber concluded that the personal data was collected for specified and legitimate purposes.

Referring to WP29 Opinion 03/2013 on purpose limitation (a reference permitted by the fact that “the main characteristics of the principle of purpose limitation remained identical between Directive 95/46 and the GDPR”), the Litigation Chamber considered that the “explicit” nature of a purpose required not only that it be explicit for the relevant employee in the consent form, but also that it be made explicit (i) at other times for the employee in question and (ii) for other employees (i.e. employees who have not given their consent).

In this respect, the Litigation Chamber deplored the fact that there were no written records in which the purpose was made explicit. The agreement between the employer and trade union “B” was apparently purely an oral agreement and never made in writing.

The Litigation Chamber then referred to Article 24(1) GDPR, which contains a general obligation to “implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation”, taking into account “the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons”. As a result of this obligation, in combination with the sensitive nature of the personal data in question (trade union membership data), the Litigation Chamber held that specific precautions were required. In this context, said the Litigation Chamber, proceeding on the basis of a merely oral agreement with the trade union in question represented gross negligence on the employer’s part.

Finally, the Litigation Chamber held that the absence of written evidence could create uncertainty with respect to the employer’s intentions, and could even lead to questions from employees not affected by the processing (as illustrated by the context that gave rise to this complaint). According to the Litigation Chamber, the very fact that an investigation was required for clarification of the purpose was in and of itself evidence that the purpose was not explicit. Therefore, the employer was considered to be in breach of Articles 5(1)(b) and 24(1) GDPR.

Put differently, even if a processing purpose is transparent and legitimate, it is highly recommended to put the relevant arrangements in writing and describe the processing activity in a general (internal or external) privacy statement or notice, so as to inform all data subjects – even those not directly concerned. 

Result and further considerations

Although the Litigation Chamber found that the hospital was in breach of the GDPR, it decided not to impose a fine. The Litigation Chamber highlighted the following justifications for not imposing any fine:

  • after the report of the BDPA’s inspection service, the employer ended the processing activity, notably based on a recommendation of the employer’s DPO;
  • there was no deliberate intention to “find a way around” data protection rules;
  • the plaintiff was not actually concerned by the processing activity.

Moreover, despite the reference to “gross negligence”, the Litigation Chamber decided to publish the decision in redacted form (without identification of the parties). 

All in all, this decision (available in French) will be a useful reference for organisations seeking to assess whether employee consent is a possibility. The overall message, though, is to keep trying to document even specific processing activities in broader documentation, and not to limit yourself to merely a consent form. With that in mind, check whether you have any processing activities based on consent – and whether they meet the BDPA's requirements.
