Processing sensitive employee data
Special-category (sensitive) employee data - racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic data, biometric data, and data concerning health or sex life - needs an Article 9 exception. Explicit consent is the first listed exception but should again be a last resort, and in some member states it cannot even lift the prohibition. The key workplace exception is Article 9(2)(b): processing needed to carry out obligations and exercise rights under employment, social security and social protection law, where authorised by EU/member state law or a collective agreement.
- Sensitive categories include racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic data, biometric data, and data concerning health or sex life - interpreted broadly.
- Explicit consent is the first Article 9 exception but should be a last resort; in some member states consent cannot lift the prohibition.
- The main route is Article 9(2)(b): obligations/rights under employment, social security and social protection law, authorised by EU/member state law or a collective agreement.
- Sensitive data may also be processed to establish, exercise or defend legal claims (e.g. an unfair-dismissal claim).

| Example | Approach |
|---|---|
| Poland (Labour Code) | Sets out exactly what data an employer may ask of an employee or candidate |
| Portugal | Historically required DPA authorisation to process sensitive employee data |
| Italy (Garante) | Issued authorisations allowing processing of sensitive data without consent for specific employment-related tasks |
| COVID-19 (EDPB statement) | Employers can collect/process employee health data relying on bases other than consent |

For employment, the central exception is processing necessary to carry out obligations and exercise rights under employment, social security and social protection law - but only where authorised by EU or member state law or a collective agreement.