The Danish Data Protection Agency revises its guidelines on data protection: On March 29, 2023, the Danish Data Protection Agency published a revised version of its guidelines on data protection in employment relationships. The guidelines were first published in 2018 and most recently updated in December 2020.
The guide contains a review of the data protection rules that are particularly relevant in employment relationships, including processing activities in connection with the recruitment process, during the employment relationship, and to a certain extent after the employment relationship has ended.
Please also read the guide “Data protection in employment relationships.”
The revised guidelines contain several examples and detailed explanations of practical relevance to employers, a change to the rules on employers obtaining criminal records and references, and a clarification of the sections on employers' duty to provide information and the disclosure of personal data.
Firstly, the Danish Data Protection Agency points out that consent in employment relationships will rarely meet the validity requirement of being given voluntarily due to the unequal relationship that typically exists between the employer and the employee.
This has implications for the employer's ability to refer to consent as the basis for processing personal data about employees.
This is particularly relevant in relation to obtaining/disclosing references, obtaining criminal records, publishing recruitment and marketing videos, and using employee photos on the employer's website.
Obtaining and disclosing reference information
During the recruitment process, it will often be necessary to obtain references for one or more applicants.
Previously, the Danish Data Protection Agency accepted that consent could form the basis for obtaining/disclosing reference information. In the revised guidelines, the Danish Data Protection Agency states that this is no longer the case.
Consent cannot, as a general rule, constitute the legal basis for obtaining/disclosing references, as such consent (in a recruitment and hiring process) often does not meet the condition of being given voluntarily and therefore cannot be considered valid.
The correct legal basis for obtaining reference information will be the balancing of interests rule for private employers, while public employers may obtain reference information when it is in the public interest or falls within the scope of public authority. With regard to the disclosure of reference information, the balancing of interests rule will constitute the correct legal basis for both public and private employers.
When assessing whether the necessary legal basis exists for obtaining/disclosing reference information, considerable weight must be given to the interests of the data subject (the applicant) due to the potential consequences that such an exchange of information may have for the data subject. The hiring employer must therefore ensure predictability and transparency, including that the applicant is informed that references will be obtained (and what information will be obtained) and that the applicant agrees to this. This could be done, for example, by stating in the job advertisement that references from (previous) employers will be obtained, or if the applicant has provided the reference themselves.
When sharing references, it is important to note that sensitive personal data cannot, as a rule, be disclosed when exchanging references, and that information about criminal offenses can only be disclosed if there is a legal basis for this in the Data Protection Act.
Obtaining criminal records
An employer may always obtain a criminal record check or child protection certificate if the employer is legally obliged to do so.
In certain situations, it may also be relevant for an employer to obtain information about criminal offenses committed by persons who are being considered for employment and by employees who are already employed. If the criminal record does not contain information about criminal offences, the correct legal basis for private employers will be the balancing of interests rule, while public employers may obtain the criminal record when it is in the public interest or falls within the scope of public authority.
To the extent that criminal records contain information about criminal offenses, the legal basis must instead be found in the Data Protection Act.
In its updated guidelines, the Danish Data Protection Agency states that consent can no longer form the basis for obtaining criminal records.
The employer's processing of personal data in connection with obtaining criminal records must also comply with the basic principles in Article 5 of the GDPR, including in particular the principle of data minimization.
For example, a general policy of obtaining criminal records for applicants as a matter of course would not be in accordance with Article 5.
Instead, it must be based on a specific assessment in individual employment situations or in connection with employment in specific job categories whether obtaining a criminal record certificate can be considered objective and proportionate and thus in accordance with Article 5.
This means that obtaining a criminal record check from an applicant requires that the recruitment process is so advanced that the person for whom the criminal record check is being obtained is seriously in the running for the position.
This also means that a criminal record check may only be obtained from an applicant if it is relevant to the position whether the person in question has a criminal record. For example, it would be relevant for an employer to ensure that a person who has applied for a position as a financial officer has not previously been convicted of a property crime.
An employer will therefore not be entitled to obtain a criminal record certificate in cases where this is done simply "because it is possible" and where, in reality, it is done solely to assess the character of the applicant in question.
Essentially, a similar right applies to obtaining criminal records for existing employees, as the considerations that may justify obtaining criminal records in connection with recruitment are in many cases likely to apply during employment as well. However, the Danish Data Protection Agency points out that employers should always consider whether there are situations where it would not be necessary to obtain a criminal record certificate because the employer in question already knows the employee concerned.
Publication of employee photos and recruitment and marketing videos
In the revised guidelines, the Danish Data Protection Agency has also changed its previous practice that employers must obtain consent from employees to publish images on the employer's website.
The employer may stipulate that necessary (work-related) information about the employee be published on the employer's website, including portrait photos, if this is necessary due to the nature of the work. In such cases, the legal basis for private employers will be the balancing of interests rule, while public employers may publish the photos when it is in the public interest or falls within the scope of public authority. The same applies to webinars, podcasts, or other similar products with professional content that the employee has produced as part of their employment.
Nor can employee consent form the basis for processing in relation to videos, including recruitment and marketing videos, which are costly to produce, as the employee may fear negative consequences if consent is not given or if it is withdrawn. In relation to such videos, the legal basis would again be found in the balancing of interests rule for private employers, while public employers may carry out the processing when it is in the public interest or falls within the exercise of public authority.
The employer must therefore ensure in other ways that the employee understands that videos of them will be published and the consequences of participating, for example that material cannot simply be deleted or edited because this would be costly.
In cases other than those mentioned above, the employer must also ensure that the employee agrees to the publication of images or videos featuring them. In relation to images that can easily be replaced, this can be done by asking the employee for their consent to publication.
Although consent cannot, as a starting point, constitute the legal basis for processing personal data in employment relationships, the employee's understanding or consent may, in some situations, be necessary for processing to be considered reasonable under Article 5 of the GDPR.
The Danish Data Protection Agency revises data protection guidelines
The new version of the Danish Data Protection Agency's guidelines provides an excellent opportunity to review your company's procedures and policies in order to assess whether there is a need for any updates.
If you have any questions about the significance of the guidelines for you as an employer or about data protection law in general, you are always welcome to contact CLEMENS' data protection experts.
