
GDPR and “consent” in employment contracts: employers must take a new approach


The current Data Protection Act 1998 (DPA) intended for data protection consent clauses in contracts of employment to be a product of choice: employees should be able to agree or disagree without repercussions. All well in theory, but the reality has been somewhat different. Such clauses are often buried in long employment contracts; employees feel they cannot object due to the imbalance of power (and the simple desire not to cause a ‘nuisance’), perhaps saving their concerns for issues they perceive as more critical to them, such as pay, holiday or restrictions on their activities following employment.

Employers will need to make changes in light of the new requirements:

Employers will be unable to rely upon generic consent clauses to data processing in employment contracts. Those clauses will fall foul of the requirement that consent be freely given, due to the imbalance of negotiating power; they are also not distinguishable from other matters.
This will require a refocus of HR attention onto other justifications or legal grounds for processing permitted by the GDPR. Consent should only be relied upon when absolutely necessary and then in a separate ‘consent’ declaration complying with the ‘higher standard’ set out above.
Where consent is relied on, beware – an employee can retract it at any time and individuals have greater rights where data is processed on the basis of consent. These new rights may well become a tactic used by employees to, for example, stall disciplinary or redundancy processes.


Do employers need to amend employees' contracts to comply with the General Data Protection Regulation (GDPR)?

No, it will not be necessary for employers to amend the contracts of existing employees to comply with the General Data Protection Regulation (GDPR). However, they should issue a new privacy notice to employees, providing information on the processing of their personal data and overriding any invalid data protection clauses in the contract. The GDPR specifies the information that the employer must provide in the privacy notice (also known as an information notice or fair processing notice). The information includes the purposes for which the employer will process the employee's personal data, the legal bases for the processing, information about the retention period and information about the employee's rights as a data subject.


If you are in any doubt, please get in touch with your HR adviser.