The Hellenic DPA has issued an opinion regarding the appropriate legal basis for processing employee data under GDPR:

  • Consent should be used as the legal basis only where the other legal bases do not apply.
  • Once the initial choice has been made, it is impossible to swap to a different legal basis.
  • Once a data subject withdraws consent, you may not carry on the processing of personal data under a different legal basis.
  • Where the legal basis of consent is properly applied, withdrawal of consent equals an absolute prohibition on the processing of personal data.
  • Consent of data subjects in the context of employment relations cannot be regarded as freely given due to the clear imbalance between the parties.
  • If you rely on a certain legal basis you must disclose this to the data subject and must not make it appear as though another legal basis applies.
  • If you have doubts concerning the lawfulness of the processing, you must remove those doubts before processing or not process.
  • You must not transfer the burden of compliance to  employees by having them declare appropriateness of legal basis.

Read a full summary of the opinion.