On 9 November 2020 Belgian Data Protection Authority (“APD“) rendered a decision confirming that the employee’s consent can be a valid ground for processing under certain conditions. The decision by APD also points to the importance of including in a notice to data subjects all elements required by the GDPR.
The complainant, a hospital employee, claimed that the hospital’s withholding of trade union membership fees from the salaries of union members and the transfer of the withheld amounts to the account of the trade union constituted a violation of the GDPR. APD decided to examine whether the hospital processed the personal data, relating to union membership, with a proper legal basis and for specified, explicit and legitimate purpose.
The Inspection Service of APD investigated and found out that the hospital used the salary withholding arrangement pursuant to oral agreement with the trade union and employees’ written authorisation. The hospital ceased with the practice of salary withholding in June 2019 upon recommendation of its data protection officer. The Inspection Service confirmed in its report from the audit that the purpose of processing was to withhold membership fees from the trade union members’ salaries, and that the processing was based on consent. However, the Inspection Service deemed it questionable whether the employees’ consent was freely given, given the power imbalance in the context of employment relationship.
II. Lawfulness: employee’s consent freely given, but not informed
APD examined whether all elements of a valid consent existed in the authorization sample which the hospital provided to the Inspection Service of APD during investigation. Consent must be “free, specific, informed and unambiguous” in accordance with Article 4, paragraph 11 of the GDPR. Also, pursuant to Article 9, paragraph 2, item (a) of the GDPR, in case of processing of data related to trade union membership the consent must also be “explicit”.
The employees gave their consent in the form of a written authorization. Neither the parties nor the Inspection Service provided any evidence that the consent was flawed or given under any sort of duress.
With regard to the concern expressed by the Investigation Service, about the imbalance of power in the context of employment relationship, APD relied on European Data Protection Board’s Guidelines on consent which specify that in exceptional circumstances employees can give free consent. That is the case when it will have no adverse consequences whether the employee gives consent, or not. APD stated that consent is freely given when the employer does not draw any benefit from the processing.
In the case at hand, APD had no elements to conclude that the processing was carried out for any other purpose than salary withholding. The hospital, as the data controller, did not have any benefit from obtaining the employee’s consent, and the power imbalance between the parties did not pose a risk. The consent was given freely.
The specific nature of the consent was fulfilled by the individual authorization that each employee was asked to complete, for a single data processing linked to the withholding of membership fees.
The Guidelines on consent identify several criteria which help assess whether the consent is informed. In order to give informed consent, a person must have received the information on:
- “The controller’s identity,
- The purpose of each of the processing operations for which consent is sought,
- The (type of) data that will be collected and used,
- The existence of the right to withdraw consent,
- […] “
APD established that the first three elements appeared relatively clear in the sample of the authorization the hospital provided during the investigation. However, the fourth element, “the existence of right to withdraw consent”, was absent from the sample. Therefore, APD concluded, the consent was not given in an informed manner.
APD found that the requirement of explicitness was fulfilled by a written authorization the employees signed. The authorisation explicitly and specifically identified the data processing operation to be carried out.
III. Purpose: specified, not determined as illegitimate, but definitely not explicit
The APD examined whether the hospital acted in accordance with Article 5, paragraph 1, item (b) of the GDPR, which establishes that personal data must be collected “for specified, explicit, and legitimate purposes”.
APD concluded that the purpose of the processing (the withholding of membership fees) was specified. To corroborate that conclusion APD pointed that both the complainant and the hospital referred in the course of the proceedings to the withholding of membership fees; the hospital also provided an example of the employees’ authorization which refers to such purpose. The investigation report of the Inspection Service mentioned the same purpose.
APD explained that Article 29 Working Group’s Opinion on purpose limitation from 2013 insists on such explanation of the purpose which allows everyone to understand the purpose of data processing and to avoid misunderstandings. The Opinion also highlights that specification of the purpose in writing helps in demonstrating compliance.
According to APD, the processing was implemented on the basis “of a historic oral agreement” between the trade union and the hospital. The fact that the purpose of the processing was only described in the individual authorizations the employees gave, meant that the purpose was only made explicit when the hospital requested consent from the employee and vis-à-vis that employee. The data controller has therefore not made the purpose explicit to other employees. The lack of documentation contributed to maintaining certain ambiguity.
APD clarified the purpose of processing only after an in-depth analysis, and it was undeniable that a purpose requiring such thorough examination to be clarified could not have been taken as explicit.
The Inspection Service’s investigation report noted that legitimacy was problematic since the systematic salary withholding did not appear to be possible under the Belgian law on protection of remuneration of workers. Both the complainant and the controller declared in the proceedings that the practice would have been accepted or at least tolerated by the social inspection. APD considered itself incompetent to determine the legality of such practice and concluded that it could not establish illegitimacy of the purpose.
In the end, APD decided not to impose any measure on the hospital.
IV. Comparison with Serbia
Some countries, like Serbia, prescribe by law the employer’s obligation to withhold membership fee from the employee’s salary, upon receiving the employee’s explicit statement, and to transfer the fee to the trade union’s account. The legal basis for the data processing, in that instance, is the legal obligation on the part of the controller. Of course, even if consent is not the legal basis for the processing, the controller still has to provide privacy notice containing all elements from Article 13 of the GDPR (Article 23 of the Serbian Data Protection Act). Employer’s failure to include in the notice a reference to the data subject’s rights could still expose the employer to the risk of application of the supervisory authority’s corrective powers.