Consent in imbalance of power

26.04.2018

Consent of a data subject is often used by data controllers in order to ensure lawful data processing. Still, processing on the single ground of consent may be considered unstable from legal perspective due to a number of reasons – it may be withdrawn at any time, it may be considered invalid in case it has not been given freely etc.

Certain issues appear with regards to consent, given within a situation of imbalance of power. Such cases are, amongst others, when data is being processed within an employment relationship or within the provision of services by public authorities. 

Consent in employment relationship

With regards to employment relationships, the current practice in Bulgaria includes inserting a clause with the explicit consent of the employee within the employment agreement, and thus the employer considers to be entitled to process personal data of the employee within the frames of the employment relationship. Even as per the present regulations in force, this practice raises some doubts with regards to the imbalance of powers.

With the art. 29 Working party guidelines on the requirements for valid consent under GDPR, special attention is turned to the employer-employee relationship. Namely, that in these cases the data subject would not have a realistic alternative to give his or her consent for the data processing. In this scenario it would be difficult to rely on such a consent as a legal ground for data processing. 

In the light of this, the attention of employers shall be brought to other means for lawful data processing. A viable option would be the processing to be grounded on art. 6, item 1, “b” – that the data subject is party to the employment agreement and the processing is required in this regard (payment of salary, social security etc.). In addition, certain data processing operations may be grounded on the legal obligation of the employer to maintain certain data for social security purposes – this includes processing with regards to pension and social insurance. 

Consent may still apply in certain angles of the employment relationship, for example some employers ensure additional health insurance to their employees, in which scenario giving consent from the employee would be a sufficient ground for processing in this regard.

The GDPR allows Member States to adopt delegations, which will protect the rights of the employees within an employment relationship. As at the present date Bulgaria has not adopted legal amendments with regards to the GDPR. Due to the nature of Bulgarian employment law, however, it may be reasonably expected that employees’ rights will be subject to a specific legal protection. 

Public authorities

Public authorities are often in a position of service providers for the regular citizens. In the view of this personal data is being processed for different reasons (e.g. information purposes, obtaining certificates, issuing of documents etc.). The Working party in its guidelines clearly outlines that in this scenario there is a “clear imbalance of power”, thus it is difficult to justify that consent has been freely given. 

Data processing by public authorities, based on consent is still possible in certain cases – e.g. when subscribing for an information bulletin to a local authority for receiving updates on different matters. Such a subscription may include newsletter from tax authorities regarding tax campaigns etc.

The risk of a consent, given by a data subject, to be found invalid because of not been freely given, makes it an unstable ground for data processing, which would lead data controllers to seeking alternative legal grounds for processing personal data.

 

Authors: 

  • Mitko Karushkov, Kambourov & Partners, Partner, Head of Technology, Media and Telecommunications Practice
  • Mario Arabistanov, Kambourov & Partners, Associate, Technology, Media and Telecommunications 

  

Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Höllwarthtobias.hoellwarth@eurocloud.org

VIEW PROJECT

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.