Employees’ data and GDPR requirements: What you need to know about consent

25 May 2018

Why is consent so important when it comes to employees’ personal data? What is its role beyond being a basic rule in data processing and enabling the use of special categories of personal data?

Processing data on the basis of consent under the GDPR means giving employees the power to truly choose and long-term control over how you use the data you have obtained permission for, while at the same time making sure your organisation is transparent and accountable.

Read on to find out what is new in the GDPR regarding employees’ consent, and in particular the main changes you need to apply in order to align yourself with the new requirements.

What does the GDPR bring about in terms of consent?

Having a clear procedure for getting employees’ consent helps you establish a trust-based employee-employer relationship. Relying on invalid consent, by contrast, could destroy the quality of your relationships and your reputation as an employer, and could bring you substantial fines.

The GDPR establishes high standards for consent, and you need to know how to apply them in practice in the mechanisms you use to obtain consent from your employees.

  • The GDPR clearly stipulates that consent must be unambiguous and involve a clear affirmative action.
  • The consent must be separate from other terms and conditions. No precondition should exist for signing an agreement, receiving a service, etc.
  • The GDPR specifically prohibits pre-ticked opt-in boxes.
  • Granular consent is required for distinct processing operations.
  • You are required to keep clear records to demonstrate the consent.
  • The GDPR offers the right to withdraw consent, and you must inform your employees about this right and give them simple ways to exercise it at any time.
  • As an employer or an organisation in a position of power, it will be much harder for you to get valid consent.

So you need to review the mechanisms you currently use to obtain consent and identify the changes needed to meet the GDPR requirements.


Changes to the HR department’s mechanisms for obtaining consent

Getting valid consent for personal data processing is more difficult as an employer because there is an imbalance of power in the employer-employee relationship. With the GDPR requirements, you’ll need to change the mechanism by which you get this consent from your company’s employees. Here are the key points:


Requests for consent must be separated from other terms and conditions. Consent must not be a precondition for signing a contract or receiving a service unless it is absolutely necessary.

Active opt-in

Pre-ticked opt-in boxes are invalid, so employees must be given options that they actively select.


As an employer, you must provide granular consent options for different types of processing.


You need to name the persons or even third parties who will rely on the consent received.


You will need to keep records to demonstrate that you have received the individual consent, including details of what your employees have been told and how they have given their consent.

Easy to withdraw

You need to inform your employees of their right to withdraw their consent, and you need to create simple and effective mechanisms for them to do so.

Balanced relationships

Consent is not freely given if there is an imbalance between you and your employees, so you must always have an alternative legal basis to justify your need to process certain data.


Of course, employees’ consent to the processing of personal data is only part of what is new in the GDPR. The mechanisms for obtaining consent must be seen in direct connection with the other principles of lawful data processing.

In complying with GDPR requirements, software technology plays an essential role and makes it much easier to align with the new requirements.

“A Sincron HR Software type solution will be moulded according to your own domestic policies, it will help you make your policy of terms and conditions public and explicit, it will help you get and manage the required granular level consents and implement your own policies derived from every right of the candidates and employees – such as data erasure policy and respect for the right to be forgotten, access to logs and information traceability, or data migration policy, and more – all of which have particular functionalities.”

Learn how HR software can help you legally and safely manage the personal data of your employees and applicants.