Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

Consent in imbalance of power

26.04.2018

Data controllers often rely on the consent of a data subject to ensure lawful data processing. Still, processing on the sole ground of consent may be considered unstable from a legal perspective for a number of reasons: it may be withdrawn at any time, it may be considered invalid if it has not been given freely, etc.

Certain issues arise with regard to consent given in a situation of imbalance of power. Such cases include, amongst others, data processed within an employment relationship or within the provision of services by public authorities.

Consent in employment relationship

With regard to employment relationships, the current practice in Bulgaria includes inserting a clause containing the explicit consent of the employee in the employment agreement, and the employer thus considers itself entitled to process the employee's personal data within the framework of the employment relationship. Even under the regulations presently in force, this practice raises some doubts with regard to the imbalance of power.

The Art. 29 Working Party guidelines on the requirements for valid consent under GDPR pay special attention to the employer-employee relationship. Namely, in these cases the data subject would not have a realistic alternative to giving his or her consent to the data processing. In this scenario it would be difficult to rely on such consent as a legal ground for data processing.

In light of this, the attention of employers should be drawn to other means of lawful data processing. A viable option would be to ground the processing on art. 6, item 1, “b”: the data subject is party to the employment agreement and the processing is required in this regard (payment of salary, social security etc.). In addition, certain data processing operations may be grounded on the legal obligation of the employer to maintain certain data for social security purposes; this includes processing with regard to pension and social insurance.

Consent may still apply to certain aspects of the employment relationship. For example, some employers provide additional health insurance to their employees, in which scenario consent given by the employee would be a sufficient ground for processing in this regard.

The GDPR allows Member States to adopt delegations, which will protect the rights of the employees within an employment relationship. As of the present date Bulgaria has not adopted legal amendments with regard to the GDPR. Due to the nature of Bulgarian employment law, however, it may reasonably be expected that employees’ rights will be subject to specific legal protection.

Public authorities

Public authorities are often in the position of service providers for regular citizens. In view of this, personal data is processed for different reasons (e.g. information purposes, obtaining certificates, issuing of documents etc.). The Working Party in its guidelines clearly outlines that in this scenario there is a “clear imbalance of power”, thus it is difficult to justify that consent has been freely given.

Data processing by public authorities based on consent is still possible in certain cases, e.g. when subscribing to a local authority's information bulletin to receive updates on different matters. Such a subscription may include a newsletter from tax authorities regarding tax campaigns etc.

The risk that consent given by a data subject will be found invalid because it was not freely given makes it an unstable ground for data processing, which would lead data controllers to seek alternative legal grounds for processing personal data.

 

Authors: 

  • Mitko Karushkov, Kambourov & Partners, Partner, Head of Technology, Media and Telecommunications Practice
  • Mario Arabistanov, Kambourov & Partners, Associate, Technology, Media and Telecommunications 

  

Discover more about the Cloud Privacy Check (CPC) / Data Privacy Compliance (DPC) project

Director CPC project: Dr. Tobias Höllwarth, tobias.hoellwarth@eurocloud.org

WHAT IS THE DPC/CPC PROJECT?

53 lawyers from 33 countries are contributing to the project “Data Privacy Compliance (DPC)/Cloud Privacy Check (CPC)” in 26 different languages.

Understanding the complexity of current European data protection laws and regulations is already difficult enough for an IT engineer, buyer, or business user. In combination with the often small but nevertheless significant differences between various EU member states, however, it can become an almost insurmountable challenge without proper juristic accompaniment from the very start...

 

CPC MISSION & VISION STATEMENT, 2018

The CPC is a trusted, not-for-profit international network of qualified professionals who deliver simplified and straight-forward guidance to help navigate the legal and regulatory environment relating to privacy and the cloud. This is done through collective know-how, research and market analysis gained from pan-European industry activity, collaboration and experience. Our mission is to provide authoritative views, information and practical solutions to two principal stakeholders: industry professionals and public authorities.