Tricky areas of GDPR compliance


During the course of the employment relationship employers will process a wide range of employees’ personal data, including special categories

The General Data Protection Regulation (GDPR) has fundamentally changed the way companies process their employees’ personal data. For example, to satisfy the heightened transparency requirements under Articles 13 and 14 of the GDPR, HR professionals have been busy drafting or revising employee privacy notices explaining what personal data they collect, for what purposes, on what legal bases, with whom that data will be shared (and whether such sharing involves any overseas transfers), how long the data will be kept and employees’ rights over their data.

During the course of the employment relationship employers will process a wide range of employees’ personal data, including special categories. For example, employers collect health information about their employees to monitor sickness absence and pay statutory (and enhanced) sick pay. Employers may also collect diversity data such as ethnicity, age, sexuality and disabled status as part of their equal opportunities monitoring programmes. One area where the GDPR has had a particularly significant impact is the availability of consent as a legal basis for processing personal data. The GDPR makes clear that employee consent will only be a valid legal basis in very exceptional circumstances, given the imbalance of power in the employment relationship. This is unlikely to present any real issues when processing non-special category personal data as employers can generally justify their processing of such data on another legal ground under Article 6, e.g. that it is either required by the employment contract or by law, or that it is in the employer’s legitimate interests to process the data and those interests outweigh the interests of employees.

When processing special categories of personal data, however, employers have to be able to rely on two legal bases, one under Article 6 and one under Article 9. Although the former is, as noted above, unlikely to be problematic, satisfying Article 9 is likely to be trickier as the Article 9 grounds for processing are very specific and fairly limited. The only legal basis that could cover the standard processing of health information and diversity information undertaken by most employers is that the processing is “necessary for the purposes of carrying out the obligations and exercising specific rights of the [employer] or of the [employee] in the field of employment and social security and social protection law, in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the [employee]” (Article 9(2)(b)).

Employers have an obligation to administer statutory sick pay in accordance with the rules of the statutory scheme that requires employers to be satisfied that the sickness is genuine, and collecting fit notes is an obvious way of satisfying this requirement. Similarly, employers have a legal obligation not to discriminate against employees on any of the protected grounds in the Equality Act 2010, and monitoring employees’ diversity is another obvious way of seeking to meet that requirement. Therefore Article 9(2)(b) is likely to be sufficiently flexible to cover most of the standard ways employers process special categories of data.

The other limbs of Article 9(2), although not as helpful, should not be entirely forgotten as some may be relevant in certain very specific circumstances. For example, the disclosure of health information about an unconscious employee to a paramedic or other emergency healthcare professional could be justified as being “necessary to protect the vital interests of the [employee] or of another natural person where the [employee] is physically or legally incapable of giving consent” (Article 9(2)(c)). The provision of health information to an occupational health advisor could be permitted under Article 9(2)(h) (“processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee…[and]…medical diagnosis”). Also, an employer might be able to rely in some circumstances on the fact that diversity information has been “manifestly made public by the [employee]” (Article 9(2)(e)) when itself processing such data.

In conclusion, the unavailability of consent as a legal basis for processing special categories of personal data has made employers’ lives more difficult, but not impossible. Some careful thought about what data is being processed together with a consideration of the available grounds discussed above should enable employers to carry on processing such data in compliance with the GDPR.

Ann Bevitt is a partner at law firm Cooley


Ruth Christy, Blake Morgan:

The Data Protection Act 2018 has a specific, separate public interest condition that employers can rely on to monitor diversity. Many employers are only looking at the Article 9(2)(b) exemption for special categories of data but in the DPA 2018 this is worded as "obligations or rights which are imposed or conferred by law". Employers will have to consider whether this applies to the type of special category data they are processing (and of course you might have more rights/obligations as regards employees than you do in relation to workers or contractors). One particular area of difficulty is information about criminal convictions, where in the past employers have asked job applicants across the board, whether or not they have the legal right conferred by law, or legal obligation, to ask that question. This will have to be revisited to ensure a valid condition can be relied on. There are a number of substantial public interest conditions in Part 2 of Schedule 1 of the Data Protection Act 2018 that may come into play if the employer cannot point to a legal right or obligation to process the information. Employers should also not forget the requirement under the DPA 2018 for an Appropriate Policy Document setting out the Special Category information they are processing, the condition relied on, and the safeguards they have put in place for this particularly sensitive information.


This looks OK for the collection of diversity data when an individual is an employee, but what concerns me is when they are not an employee, but are an external candidate for a job. Most organisations are collecting diversity data at this stage. What is the view on this? Is there a valid special condition?
