The Hellenic DPA has issued an opinion regarding the appropriate legal basis for processing employee data under GDPR:
- Consent should be used as the legal basis only where the other legal bases do not apply.
- Once the initial choice has been made, it is impossible to swap to a different legal basis.
- Once a data subject withdraws consent, you may not carry on the processing of personal data under a different legal basis.
- Where the legal basis of consent is properly applied, withdrawal of consent equals an absolute prohibition on the processing of personal data.
- Consent of data subjects in the context of employment relations cannot be regarded as freely given due to the clear imbalance between the parties.
- If you rely on a certain legal basis you must disclose this to the data subject and must not make it appear as though another legal basis applies.
- If you have doubts concerning the lawfulness of the processing, you must remove those doubts before processing or not process.
- You must not transfer the burden of compliance to employees by having them declare appropriateness of legal basis.