Many organizations post names and passport photos of employees on their website. Sometimes only the members of the board of directors, but smaller organizations often publish the entire team: first name and surname, job title and sometimes even e-mail address. When compiling the record of processing activities, organizations run into the question of whether this web publication is allowed at all and what its lawful basis is. This article summarizes some considerations.
First of all, the lawful basis for publishing this personal data and these passport photos must be determined. Can there be a legitimate interest (Article 6(1)(f) GDPR)? To rely on a legitimate interest, it must be established that this interest is not overridden by the interests and fundamental rights of the data subjects, the employee(s) in question. In 2014, the Article 29 Working Party (WP29) published a detailed explanation of when a legitimate interest exists (Opinion 06/2014 on the notion of legitimate interests).
In most cases the organization will not be able to demonstrate such a legitimate interest. After all, publishing employees' names and photos is usually intended to give the organization a ‘face’: customers get a picture of who the organization is and who will pick up the phone. The organization is profiling itself; it is about marketing. Sometimes even the ‘company dog’ gets a place in this ‘picture gallery’.
Problem with consent
In all these cases, therefore, ‘consent’ (Article 6(1)(a) GDPR) is the only remaining lawful basis. But here is a problem. Consent must be ‘freely given’ (see Article 4(11)). Recital 42 explains this as follows: “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment“. Recital 43 adds: “In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller (…) “. Although this recital elaborates the ‘imbalance’ for public authorities, the same imbalance is clearly assumed to exist in the employer/employee relationship. This is evident from WP29 Opinion 2/2017 on data processing at work.
A few statements from this report:
- “It is important to state that employees are seldom in a position to freely give, refuse or revoke consent, given the dependency that results from the employer/employee relationship. Unless in exceptional situations, employers will have to rely on another legal ground than consent—such as the necessity to process the data for their legitimate interest”. (p. 4)
- “for the majority of such data processing at work, the legal basis cannot and should not be the consent of the employees (Art 7(a)) due to the nature of the relationship between employer and employee”. (p. 6)
- “(…) employees are not in a position, given the imbalance of power, to give free consent to the processing of their personal data by their employer, and if the data processing is not proportional, the employer does not have a legal ground.” (p. 21)
- “Employees are almost never in a position to freely give, refuse or revoke consent, given the dependency that results from the employer/employee relationship. Given the imbalance of power, employees can only give free consent in exceptional circumstances, when no consequences at all are connected to acceptance or rejection of an offer”. (p. 23)
This opinion makes clear that the authors repeatedly point to the imbalance between employer and employee when assessing whether consent is a valid lawful basis.
Now what? Delete all passport photos? Below I give my considerations. In case of doubt, it is wise to contact the supervisory authority or to consult a lawyer.
Removing the photos is the safe option. You can leave the dog; a dog is not a data subject under the GDPR.
If you choose to keep the passport photos, consider the following points:
- What risks could publication pose for the employees concerned? Employees of a graphic design agency are less likely to be exposed to risks than staff of a child abuse helpline. Involve the employees in this assessment and document that it has been carried out (think of the GDPR’s accountability requirement);
- Make sure the consent declaration states very clearly that consent is voluntary and that refusing has no consequences. The wording of the declaration matters!
- Decouple the consent procedurally from the signing of other documents, such as the employment contract. There must be no suggestion that this document should simply be signed ‘like the others’.
- Consider whether the employee may perceive social pressure to consent. This could be the case if ‘everyone always’ signs, so that the first person who does not sign becomes ‘the black sheep’. It may be an idea to deliberately leave at least one person out of the gallery. That creates a precedent and makes it very clear that consent is not mandatory.
Do you think this is exaggerated? Not if you read and weigh the (official) publications. It is clear that with the GDPR the protection of personal data really must be a topic on the agenda of organizations. Ignoring it is no longer an option.
I am very curious how other organizations deal with this. Experiences, additions, other opinions or comments are welcome!