As the new year has arrived, the question arises as to whether companies may send their employees New Year’s wishes to their private home address (or e-mail or telephone number) in order to appreciation for their personal commitment. And can employees’ birthdays be registered in order to surprise them with flowers or a birthday card? Sometimes, employers also communicate the private addresses of employees to colleagues for sending get-well cards when they are ill. All this is aimed at creating a pleasant and committed work atmosphere. Of course, personal data are also processed in this regard. On what legal basis should the employer base this processing?
Employers often assume that for this type of processing they can rely on the legitimate interests of the company, in particular the promotion of social cohesion in the workplace. However, a recent position of the Belgian Data Protection Authority (DPA) seems to contradict this.
The DPA recalls that the legal basis of “legitimate interests” can only be invoked to the extent that the processing is strictly necessary for a legitimate purpose. According to the authority, processing operations that are “nice to have” rather than “need to have” frustrate this necessity principle. This is also in line with the view of the European Data Protection Board that the necessity requirement should not be interpreted too broadly in the context of the legal basis of “legitimate interest”.
Although it is not an official position of the DPA, the distinction between “nice to have” and “need to have” activities seems to lead to the conclusion that circulating private addresses for the purpose of sending best wishes in principle requires the consent of the employees concerned.
According to the DPA, the fact that employees are generally considered not to be free to give their consent to their employer for the processing of their personal data does not constitute an obstacle: this consent is indeed possible – and in this case even appropriate – if the employee would not suffer any disadvantage if he or she were to refuse consent. However, the consent has to be freely given, specific, informed and unambiguous.
A practical way of dealing with this is to use a tool that allows employees to voluntarily transfer personal data to be used for passing on best wishes and point out that they are not obliged to provide their data.
It is important to identify whether the company is processing personal data of employees in the context of “nice to have” activities. If so, permission is required. Should the company nevertheless decide not to ask permission, it is important, as the DPA confirms, to document the reasoning that precedes this decision, taking into account the accountability principle.