Written by

The Data Protection Agency recently revised its guidelines on data protection in employment relationships on the basis of, among other things, collection of input from a wide range of stakeholders and consultations by the Ministry of Justice as well as recent decisions by the Agency. Some of the changes and clarifications are described below.

Consent as legal basis for processing
As a new element, it is stated in the revised guidelines that consent in employment relationships will rarely meet the condition of validity of being freely given due to the unequal relationship which typically exists between an employer and employee. Even though it cannot be excluded that the processing of personal data in an employment relationship can take place on the basis of the employee’s consent, the employer must consider whether consent is an appropriate basis for processing. This also applies to recruitment processes.

Employment references
The guidelines now specify when the data protection rules apply in the context of exchanging employment references. Electronic exchange of references will automatically be covered by the rules, while verbal exchange of references will generally only be covered if the information is or will be stored electronically.

With regard to the collection of references, this means that the data protection rules apply if the information is registered electronically, or if the information is intended to be registered electronically.

As mentioned above, consent can no longer, at least in principle, constitute a legal basis for the collection or disclosure of references.

When obtaining references, the legal basis will instead have to be found in article 6(1)(e) of the GDPR concerning exercise of official authority by public employers, or the “balancing of interests” rule in article 6(1)(f) by private employers. The legal basis for processing in relation to disclosure of references will, for public as well as private employers, be the balancing of interests under article 6(1)(f).

As a novelty, it is also stated in the revised guidelines that – as a general rule – special categories of personal data can no longer be disclosed when references are exchanged.

The guidelines further specify that hiring employers – in order to ensure predictability and transparency – should inform candidates that references will be collected, from whom and when, and ensure that the candidates agree to this. The employer providing the reference can, as a general rule, assume that the candidate agrees to the reference being obtained.

Criminal records
Employers’ right to collect criminal records and statements of no previous convictions in respect of children (”børneattester”) is described in detail in the revised guidelines. Among other things, it is clarified that it will not be in accordance with the data protection rules to collect criminal records of candidates as a matter of standard, as it depends on a specific assessment in the individual employment situation or in connection with recruitment for a specific job category whether the collection will be objective and proportionate.

It is specified that the recruitment process must be sufficiently advanced so as to consider the candidate for the position.

It is also stated in the guidelines that employers may collect criminal records of employees on an ongoing basis. This is essentially the same right as when obtaining criminal records of candidates. However, employers can always obtain criminal records or statements of no previous convictions in respect of children if so required by law.

Employee photos etc.
According to the revised guidelines, employee photos may be published based on the balancing of interests in article 6(1)(e) (for public employers) or article 6(1)(f) (for private employers) of the GDPR when it is necessary for the purposes of the position or the work functions to be performed by the employee.

In other situations, the employer must ensure that the employee agrees – in the form of consent – to the publication of photos or videos featuring them. However, in case of videos that are costly to produce, such as marketing videos, the employer will not be able to base the processing of personal data on consent.

Information on the employee’s name, areas of work, contact details and products of professional content, such as webinars, can, however, be published by the employer based on article 6(1)(e) or (f).

Norrbom Vinding notes

• that it is advisable for employers to review their data protection policies etc. in order to ensure that the contents, including the legal bases for processing, are in accordance with the revised guidelines of the Data Protection Agency.

The content of the above is not, and should not be a substitute for legal advice.