10 October 2024

Can an employer process an employee's private contact data?

When an employee has been absent for a long period of time, or in other circumstances where an employer is having difficulties contacting an employee via official means of communication, HR departments often wonder whether they can use an employee's private contact data. Some more cautious employers introduce employee questionnaires requesting a private e-mail address or telephone number, or collect this data from employees in a different way. How does the issue of obtaining private contact data look from a data protection law perspective?

Are private contact data included in the catalogue of data that an employer can request?

Many HR departments would still gladly collect a wide range of their employees’ personal data 'just in case'. However, the provisions of the Labour Code specifically state what type of personal data an employer may request from an employee. Requesting an employee to provide data outside of this catalogue, particularly at the employment stage, may, therefore, constitute a breach of the applicable legislation.

Employees’ private contact data are absent from the data specified in the Labour Code that an employer can request. An employer does indeed have the right to request contact data, but only at the recruitment stage, when it is the candidate who decides what kind of contact data they will give the employer to enable contact during such recruitment. The employer no longer has such a right at the employment stage.

Does this mean that an employer cannot process an employee's private contact data at all?

No. Processing will generally be permissible if the employee freely consents to the processing of such personal data. This is confirmed by the Data Protection Authority, which points out: 'In order for an employer to process, for professional purposes, an employee’s contact data that it obtained during the recruitment process, such as, e.g., a private e-mail address or a private mobile phone number, it must obtain the employee's consent to do so (in writing, specifying the terms of contact).' The authority took a similar position in its September 2023 newsletter.

When deciding to collect employees’ consent to process their private contact data, employers should bear in mind that:

  • it should be clear from the request for consent that the giving of consent is voluntary (this is particularly important in employer-employee relationships where the balance between the parties has been disrupted),
  • the request for consent should be presented in a way that makes it clearly distinguishable from the other issues and should be written in clear and simple language,
  • the employee has the right to withdraw consent at any time and should be informed about this before consent is given,
  • the consent should clearly specify the purpose for which the private data are to be used. If the purposes/circumstances are to be different (e.g. emergency contacts, during a pandemic, contact during a long-term absence), collecting separate consents for each purpose of use is recommended. A general guideline in this respect is that the less precise the consent is, the higher the risk of it being challenged.

Furthermore, the employer should bear in mind that, under the GDPR, it must be able to demonstrate that the data subject has given his or her consent to the processing of his or her personal data. Therefore, the withdrawal of consent should be duly documented in order to demonstrate that the person has given consent on a specific date and with specific content.

Information obligation concerning the processing of an employee's private contact data

One of the main data protection provisions is the so-called transparency principle, which obliges all data controllers to ensure that data subjects are sufficiently informed about the intended processing of their personal data in accordance with the requirements of Article 13 GDPR.

In principle, the employer should, therefore, provide its employees with information about the processing of their private contact data when collecting consent. This information should include the aforementioned information on the purpose, basis and duration of the intended processing of personal data (if the employer has previously provided the employee with a broad information clause on the processing of personal data for employment purposes, it will be permissible to provide, in addition, only the information specific to that processing).

What if the employee refuses or withdraws consent?

The Labour Code makes it clear that the lack of consent or the withdrawal of consent cannot be the basis for unfavourable treatment of the employee and cannot cause any negative consequences for the employee. In particular, it cannot constitute a reason justifying termination of the employment contract or its termination without notice by the employer. The employer should, therefore, not induce consent. Nor should it harass an employee in any way for failing to give consent or for withdrawing it, or aggravate the employee's employment situation.

Withdrawing consent should, in principle, result in the deletion of the employee's private contact data by the employer to the extent that the employee has withdrawn consent. Importantly, the withdrawal of consent does not affect the lawfulness of the processing based on consent that the employer carried out before the consent was withdrawn.

Is consent the only permissible basis for processing private contact data?

The processing of an employee's private contact data will also be permissible when this is necessary for the exercise of a right or the fulfilment of an obligation under a legal provision, e.g. in connection with an obligation to enter into an agreement to operate employee equity plans with a selected financial institution. The question of the appropriate legal basis for the processing will require a separate analysis in situations where the employee's private contact data were to be used for purposes other than the contact purpose.

What does this mean in practice?

Employers are often confronted with the problem of using an employee's private contact data only after the employee has already been on sick leave for a long period of time or when contact with the employee is otherwise difficult. In such a situation, if the employer has not made sure to collect the relevant consents from the employee at an earlier stage and has not documented this, it may not be possible to use the employee's private contact data without risk under data protection law. Therefore, it is advisable to prepare for such a circumstance beforehand and to prepare appropriate questionnaires asking employees for their consent to use their private contact data.

***

In the context of the processing of personal data in relation to employment, it is worth mentioning that employers should monitor the website of the Office for the Protection of Personal Data, which has announced the start of work on updating the guide entitled "Personal data protection in the workplace – a guide for employers". We will keep you updated on the progress of this work.

Karolina Romanowska, Łukasz Rutkowski