GDPR data protection clause

Our clause draws attention to your data protection policy and puts the employee under a contractual obligation to comply with any requirements or restrictions in that policy in their personal data-handling activities. It also refers them to your privacy notice for further information concerning the personal data that you process about them.

The demise of consent

The giving of consent is one way in which you can lawfully process an individual’s personal data. Thus, under the old data protection laws, many employers traditionally relied on employee consent as their lawful basis for processing and they sought consent by including a suitably-worded clause in employment contracts. However, the UK GDPR sets much stricter conditions for obtaining consent. In particular, consent must be “freely given, specific, informed and unambiguous” - and it won’t be freely given if there’s no genuine or free choice for the employee. Given the imbalance of power in the employment relationship, the view of the Information Commissioner’s Office is that employees can’t ordinarily freely give their consent. If you do have a consent clause in employment contracts, you should therefore remove it and instead look for an alternative lawful basis on which to justify the processing of the employee’s personal data.

Clause benefits

There are nevertheless still benefits to including a data protection clause in contracts. Firstly, our GDPR Data Protection Clause notifies employees of their need to comply with the terms of your GDPR Data Protection Policy, and the provisions of the data protection legislation, whenever they’re handling personal data on your behalf in the performance of their job duties during their employment. This includes not only personal data relating to other members of staff but also the personal data of clients, customers, suppliers, etc. So, as well as drawing attention to your policy, the employee is placed under a contractual obligation to comply with any requirements or restrictions in that policy in their handling of the personal data of other people. Secondly, our clause refers the employee to the terms of the privacy notice you will have issued to them for further information concerning the personal data that you process about them - see our GDPR Privacy Notice for Staff. In place of consent, we’ve also stated that you’ll only process their personal data where you have a lawful basis for processing. You don’t need to say more than this as full details about the lawful bases for processing are contained in the privacy notice.