Ch 14.2 - Legal basis
Legal basis for processing employee personal data
Employers usually rely on one of four grounds: consent, necessity for the employment contract, compliance with a legal obligation, or legitimate interests. A contract clause saying the employee 'agrees' the employer can use their data should not be treated as consent - bundled into a contract it is invalid. The real detail is usually explained in a handbook notice or privacy notification.
| Basis | Typical employment example | Watch-out |
|---|---|---|
| Consent | Rarely a good fit | Imbalance of power makes valid consent hard; treat as last resort |
| Employment contract necessity | Paying salary needs name + bank details | Only covers what is genuinely necessary to perform the contract |
| Legal obligation | Reporting salaries to tax authorities | Must be EU or member state law, not a foreign or self-imposed rule |
| Legitimate interests | Migrating payroll data to a new system | Public authorities can't use it for their public tasks; needs a balancing test |
The contract-clause trap
A clause in the employment contract saying the employee 'agrees' to data use is not valid consent - bundled within a contract it fails the 'freely given' test. Direct employees instead to a handbook or privacy notification.
Key terms - quick answers
What is “Consent”?
A freely given, specific, informed and unambiguous indication of the employee's wishes - hard to achieve validly at work.
What is “Employment contract”?
Lawful basis under Article 6(1)(b) where processing is necessary to perform the contract (e.g. paying salary).
What is “Legal obligation”?
Lawful basis under Article 6(1)(c) where EU or member state law requires the processing (e.g. reporting salaries to tax authorities).
What is “Legitimate interests”?
Lawful basis under Article 6(1)(f); requires a balancing test and is generally unavailable to public authorities acting in their public tasks.