Exploring the relationship between trade unions and employers under the GDPR – Introduction and Rationale
The interplay between employers and trade unions is one which has been considered in great depth and through many different optics. However, when viewing the dynamic from the perspective of personal data protection, our data protection team realised there was very little material available which truly analyses this complex subject.
With that in mind, our Technical Director Mark Povey, and Data Protection Lawyer and Deputy DPO Larisa Munteanu, leveraging their deep theoretical and practical knowledge, recently published an article in the European Data Protection Law Review (EDPL) discussing this highly topical subject: the relation between employers and trade unions under the aegis of the General Data Protection Regulation (GDPR).
This post aims to offer a simple insight into the key areas covered in the work, and illuminate the questions raised which are answered in detail in the article.
The article itself does not present a final and straightforward conclusion as to which party has more strength or relevant arguments, and its position is one of strict neutrality. Rather, the purpose was to present how the GDPR is applied in this context and understand what the missing pieces of this puzzle are. When protecting employees, the aspect of trade union membership clearly plays a significant role when it comes to personal data protection.
GDPR trade union membership data – regulatory guidelines
As a premise, it is essential to know that the GDPR does not contain guidance with regard to trade union membership data, aside from its inclusion in the special categories of personal data (Art. 9). This was the case in other countries too, such as South Africa or Brazil. Contrastingly, China does not treat trade union membership as sensitive data.
Nonetheless, a clear definition of trade union membership, from a personal data protection standpoint, is not provided. In practice, there is a risk of inconsistent application. This means that organisations, regulators and even courts might have a different understanding of what the GDPR includes.
For example, does the definition encompass only the status of being a member, or does it include the services provided by the union in exchange? The risk is that if this uncertainty is not clarified, it becomes almost impossible to effectively apply the legislation.
Simply put, how can you protect trade union membership data if you do not acknowledge what the data to be rigorously protected actually is?
Within the article, we describe our definition of trade union membership from a personal data protection standpoint.
Lawful application of trade union membership data under the GDPR
On the other hand, stemming from this discussion, it is worth pointing out the legal grounds on which trade union membership can be processed by both employers and trade unions.
There were voices stating that the right to represent employees includes implicit consent to disclose their membership information to employers. Is this rationale compliant with data protection legislation? Also, can employers constrain employees to disclose this data as part of their contracts? The legal grounds used for collecting and disclosing trade union membership might sometimes be unclear. This is why, in the article, we have explained some of the most frequent cases that occur.
Responsible parties under the GDPR
Another aspect we considered was: who is the party in control of the data? In data protection language, who is the data controller in this relationship? In brief, the Data Controller is the party that ‘determines the purposes and means of the processing of personal data’, according to Art. 4(7) of the GDPR. In practice, this ‘decision-maker’ can act together with another identical party, resulting in joint controllership. Therefore, acknowledging the responsible party makes it easier to assess the accountability principle’s application.
In the trade union-employer relationship, it is clear that both parties decide upon certain rules for processing personal data of the employees. Therefore, the important aspect is concluding whether they have joint powers or not. Within our article, we linked this question with having and sharing the same database. In reaching our conclusion, we assessed the likelihood of this scenario actually happening in reality.
Data flows between the parties – Data Portability implementation
The last theoretical aspect to be addressed is related to the connectivity between the three actors (employees, employers and trade unions) and the way personal data flows might be more or less numerous.
Data Portability, as one of the innovations brought by the GDPR, is a right data subjects can exercise against a Data Controller. According to Art. 20, it relies on the request to transfer the data from one Controller to another Controller, directly or indirectly (via the data subject). It is interesting to note that the trade union can act as a representative of the data subject – in this case, trade unions can directly engage with employers for requesting data of employees. However, it should not be understood that in this case, trade unions collect the data of employees through employers. This latter situation is a whole different case.
In addition, data portability operates using interoperability. In simple terms, interoperability refers to the data flows between parties. Previously, it was considered that interoperability could be vertical or horizontal, but, within the article, we argue that these are not the only possibilities. We have created a third notion, diagonal interoperability, to be used in ambiguous cases that cannot be included in either of the above categories.
All in all, the practical value of these debates is indisputable. It has long been highlighted that the trade union-employer relationship can be a conflictual one, resulting in serious accusations between the parties, founded on the way data protection rules have been applied. Using case law and public resources, we managed to establish the principal views and their underlying reasons. However, we are not in the position of explaining which party is (more or less) in line with the regulations.
The article takes a sometimes uncomfortable topic and shapes it into a useful instrument to be used by any interested party: employer, trade union representative or employee. It acts as guiding material and also professional expertise that aims to present the current development in the field and the efficient way of applying personal data protection standards.
This is just a surface level walk-through of what we uncovered in our paper. If you would like to understand in greater detail how to lawfully manage trade union membership data, from either side of the relationship, we would love to help; please get in touch.
If you are interested in reading the full article, which covers all the questions posed in this post, you can purchase it here, directly from the European Data Protection Law Review at https://edpl.lexxion.eu/article/EDPL/2022/1/8
To watch a discussion about the paper with Larisa, head over to our YouTube channel here: https://www.youtube.com/watch?v=FUb1VaVGVsM