“Lawful Basis for Processing” is the fourth in a series of topics in which we will discuss the potential impact of the GDPR on your EU or global background screening processes. In this series, look for the icon which will highlight specific information regarding potential impact to First Advantage screening processes.
Why is a lawful basis important under GDPR?
Data Controllers (i.e. you, the customer) need to have a valid basis for processing personal data. This is important, as you may be asked about it by a candidate or employee, or the regulatory authority. As discussed in our prior article “Demonstrating Compliance under GDPR,” there are several valid bases for processing personal data under the GDPR.
The GDPR prescribes six lawful bases:
- The Data Subject has given consent to the processing of his or her personal data for one or more specific purposes;
- The processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
- The processing is necessary for compliance with a legal obligation to which the Data Controller is subject;
- The processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
- The processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data.
Recall from our GDPR Basics article that employers who want to run a background check on a prospective employee who is located in the EU (aka a ‘Data Subject’) will qualify as ‘Data Controllers’ under GDPR. Data Controllers must determine, based on their unique circumstances, what their lawful basis for processing personal data is.
Has consent changed under GDPR and is it appropriate in the employment context?
The definition of “consent” in the previous law has changed with the introduction of the GDPR from “freely given, specific and informed” to “freely given, specific, informed and unambiguous.” What does this mean in practice? Consent must now be given by a statement OR a clear affirmative action indicating that the Data Subject agrees to the processing of his/her personal data.
Notwithstanding this new clarification, the European Data Protection Board (EDPB), both independently and as successor to the Article 29 Working Party, has provided guidance on this topic several times both pre- and post-GDPR. Employers are cautioned that consent is not an appropriate lawful basis for use in the employment context: “Given the dependency that results from the employer/employee relationship, it is unlikely that the Data Subject is able to deny his/her employer consent to data processing without experiencing the fear or real risk of detrimental effects as a result of a refusal.” [1] Please also consult with your HR and legal advisers as the processing of employee data may still be unlawful under local employment laws even if employees have no issue giving consent.
[1] https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51030
Which lawful basis is appropriate for background screening?
First Advantage cannot assist customers with making this decision, and strongly recommends that each customer work with its legal counsel to select the appropriate lawful basis. First Advantage sees ‘legitimate interests’ used most frequently by EU-based organisations (bullet 6 above).
In practice, most EU customers select ‘legitimate interests’ as their lawful basis for processing personal data. If your organisation chooses to rely on consent as your valid basis for processing your candidate’s data, you will need to be able to demonstrate that your candidates have affirmatively and ‘freely given’ their consent to the processing of their personal data for employment screening purposes. Data Controllers may not assume consent by the candidate as a result of their inaction or rely on pre-checked boxes or forms that do not require acknowledgment and signature by the candidate. The EDPB has opined that consent can be freely given “when it will have no adverse consequences at all whether or not [the Data Subject] give[s] consent.”
How should the Privacy Notice be handled if consent is not the appropriate lawful basis?
As a matter of transparency, Data Controllers must always provide Data Subjects with details of the lawful basis they have relied on for processing. First Advantage can provide a sample ‘privacy notice’ as an example of how a notice may be structured for background screening purposes. It is intended only as educational material / best practices guidance. The sample privacy notice is provided to customers in its entirety and if a customer desires to use this language in whole or in part, they may modify their existing forms to suit their business including inserting an appropriate lawful basis for background screening where indicated (if applicable).
If consent is not the appropriate basis for the customer’s processing of personal data (per the customer’s legal team’s analysis), then this sample privacy notice demonstrates an example of the language that can be used to inform the Data Subject of the customer’s alternative lawful basis for processing the data. The notice can be provided to the Data Subject on the First Advantage system prior to data entry.
What happens if the Data Subject withdraws their consent or objects to the processing?
Technically, withdrawal of consent may only be exercised by a Data Subject who gave consent to the processing in the first place. Once consent is withdrawn, the Data Controller is no longer able to continue using the personal data. That said, withdrawal does not affect the lawfulness of the processing done before it.
Data Subjects who have instead been presented with a privacy notice that identifies an alternative lawful basis may still attempt to stop the processing of the background check; however, this would generally be an ‘objection to processing’ and not a withdrawal of consent.
How we can help you
First Advantage will always notify you as the Data Controller if a candidate contacts us with either a ‘withdrawal of consent’ or an objection to the continued processing of the background check. We will place a hold on the processing of the case and await your instructions regarding how you wish to proceed.
Next in the GDPR Information Series…“Data Subject Rights”