In light of GDPR, should we include a data protection clause in our contracts of employment?

Businesses are likely to process significantly more personal data in relation to their employees than in other contexts. Accordingly, compliance with GDPR is important for employers to avoid potentially hefty fines and difficult situations with employees.

One of the requirements of GDPR is that employers must have a legal basis for processing an employee’s personal data.

Article 6 of GDPR sets out six grounds on which an employer can legally process personal data with the exception of special categories of personal data (different rules apply to processing special categories of personal data).

The grounds likely to apply in an employment context are set out in the column to the left, while the grounds that are unlikely to apply are set out in the column to the right.

| Likely to Apply | Unlikely to Apply |
| --- | --- |
| Necessary for the performance of a contract (e.g. payment of salary) | Necessary to protect the vital interest of the employee or another person |
| Necessary for compliance with a legal obligation (e.g. tax calculation, salary administration) | Necessary in the public interest |
| Necessary for the purposes of the legitimate interest of the employer (must be necessary and proportionate and balance the interest of employer and the fundamental rights and freedoms of the employee) | |

Consent is only one of the legal grounds for processing personal data. Consent has been heavily relied upon in the past by employers for processing employee data.
Contracts of employment commonly contain similar provisions to the following:-

By signing this Agreement the Employee consents to the Company collecting, retaining and processing personal information about the Employee.

Under GDPR, the rules for consent will change. GDPR provides that consent must be freely-given, specific, informed and revocable.

In an employment context, it is unlikely that consent can ever be “freely given” and so should not be relied upon by employers as a legal basis for processing employee data. Accordingly, the inclusion of a clause similar to the above is not recommended in a contract of employment.

The Article 29 Working Party (an advisory body made up of a representative from the data protection authority of each EU member state, the European Data Protection Supervisor and the European Commission) has issued a useful opinion on data processing at work (Opinion 2/2017). It is a highly influential group, whose opinions, whilst not law, are of great practical assistance.

In relation to consent, the Article 29 Working Party has stated:-

“Employees are almost never in a position to freely give, refuse or revoke consent, given the dependency that results from the employer/employee relationship. Given the imbalance of power, employees can only give free consent in exceptional circumstances, when no consequences at all are connected to acceptance or rejection of an offer.”

Article 13 of GDPR requires employers to provide employees with certain information at the time that their personal data is collected. Rather than include a data protection clause that relies on consent in a contract of employment, employers should have a non-contractual privacy notice in place for all employees in order to comply with GDPR.

For further information on this topic, please contact Laura Graham at

Author: Laura Graham