Photograph and Document of Employees

2. If we do need a consent, how should that be obtained? What must it contain?

Answers:

1. Usually I advise against using employees consent as a basis for processing their personal data. It was considered and it is still considered that consent from employees in not a genuinely “freely given” since there is an imbalance between the employer and the employee and the latter tends to agree to whatever the employer wants. Also, consider that consent can be withdrawn at any time and while doing so the employee would basically make the processing activity impossible for the company.

Regarding keeping copies of documents such as drivers license or other similar documents I would use as the legal basis for processing the legitimate interest since is first of all the interest of the company in some cases if an employee has a diver`s license in certain cases for example an employee who would be driving a company car.

2. In terms of consent the EU GDPR is stricter then the Directive. Consent has to be freely given, specific, informed and unambiguous indication of the individual’s wishes. The controller must keep records so it can demonstrate that consent has been given by the relevant data subject.

Here are some conditions regarding the consent that you should consider:
1. Plain language - A request for consent must be in an intelligible and accessible form in clear and plain language and in accordance with the Directive on unfair terms in consumer contracts. Separate - where the request for consent is part of a written form, it must be clearly distinguishable from other matters.
2. Affirmative action - The consent must consist of a clear affirmative action. Inactivity or silence is not enough and the use of “pre-ticked boxes” is not permitted. However, consent through a course of conduct remains valid.
3. Consent to all purposes - If the relevant processing has multiple purposes, consent must be given for all of them. The meaning of this provision is not clear. At one extreme it might prevent mixed justifications for different activities. For example, it would not be possible to rely on performance of a contract when providing services to an individual and obtain a separate ancillary consent for direct marketing. You would need a (valid) consent for them all.
4. Unbundled consent - You cannot “bundle consent”. Where different processing activities are taking place, consent is presumed not valid unless the individual can consent to them separately. Not tied to contract - Consent is presumed not valid if it is a condition of performance of a contract.
5. Withdrawable - The individual can withdraw consent at any time and must be told of that right prior to giving consent. It should be as easy to withdraw consent as it is to give it.

You can find some template consent forms in folder 6 Managing Data Subject Rights of the GDPR & ISO 27001 Integrated Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-iso-27001-integrated-documentation-toolkit/

You can also find out about consent and alternative legal basis in our article “ Is consent needed? Six legal bases to process data according to GDPR” - https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/

See also our free online training GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//