Many organisations keep a list of contact details for at least one family member of each employee. The purpose of the list is to be able to reach that person if something happens to the employee, e.g. an accident at the workplace. What does the GDPR say about this kind of list? Does the organisation need to take any action in order to be allowed to process the information?
Published July 31st 2018
Updated November 30th 2023
It can be seen as a safety measure for employees that the employer has someone to call if something were to happen during working hours. Many companies therefore keep lists with phone numbers for at least one relative per employee. Such a list necessarily contains personal data, since its purpose is to be used in an emergency. It typically includes the relative's name and phone number, and possibly what relationship the relative has to the employee.
The first question the organisation has to ask is on what lawful basis the data is to be processed. Of the six lawful bases in Article 6(1) GDPR, three are relevant here, namely:
- Contract (Article 6(1)(b) GDPR)
- Consent (Article 6(1)(a) GDPR)
- Legitimate interest (Article 6(1)(f) GDPR)
Contract only covers personal data concerning the employee
Many processing operations within an employment relationship can be based on the lawful basis "contract" (Article 6(1)(b) GDPR). The data must then be necessary for the performance of the contract. This covers everything from salary statements to personal identity numbers, depending on what the employment relationship looks like. However, this lawful basis only applies to contracts to which the data subject is a party. The relative is not a party to the employment contract, so processing of the relative's data cannot be based on it.
Consent can be troublesome
A valid consent permits almost any kind of data processing. However, the employee cannot consent to the processing of the relative's personal data; you can only consent to the processing of your own personal data. The consent therefore has to come from the relative, either given directly to the organisation or collected by the employee on its behalf.
It can be quite burdensome to collect consent from all relatives, and the GDPR requires the organisation to be able to demonstrate compliance (the accountability principle, Article 5(2) GDPR), which means that it must be able to prove that valid consents have been obtained. Using a standard consent form makes this easier. It is further complicated by the fact that consent can be withdrawn at any time (Article 7(3) GDPR); when a relative withdraws consent, that entry must be removed from the list and there is no fallback basis for keeping it. Keep this in mind when choosing which lawful basis to rely on.
Legitimate interest is easiest
The most useful lawful basis in this context is legitimate interest (Article 6(1)(f) GDPR). It requires weighing the organisation's legitimate interest in the processing against the interests and fundamental rights of the relative, in particular the relative's interest in privacy. The significant advantage of legitimate interest over consent is that no action is required from the data subject. The assessment depends on how the processing is set up at each workplace and what data is needed for the purpose in each specific case. A list of emergency contacts can usually be regarded as a legitimate interest of the organisation that outweighs the relative's interest in privacy: the data is limited to contact details, the purpose also serves the employee and the relative, and a relative who has been given as an emergency contact can reasonably expect to be contacted in an emergency.
To base a processing operation on legitimate interest, the decision should be taken at a senior level within the organisation. The legitimate interest assessment must be documented, which is easily done in the record of processing activities (Article 30 GDPR).
Here you can read more about why it is important to have a good record of processing activities (in Swedish).
In summary, the list of emergency contacts is easiest to legitimise on the basis of legitimate interest. Contract cannot be used for the relative's data, and consent is burdensome to collect and can be withdrawn at any time.
Limitations to your processing
The only personal data allowed on the list is data that is necessary for the purpose (data minimisation, Article 5(1)(c) GDPR). In practice this means the organisation must decide what data is actually needed, e.g. name, phone number and relationship to the employee. Any other data shall not be on the list at all. The organisation must also make sure that the data on the list is correct and kept up to date (accuracy, Article 5(1)(d) GDPR); an outdated phone number defeats the purpose of the list.
As soon as the data no longer serves the purpose of the processing, it shall be deleted (storage limitation, Article 5(1)(e) GDPR). Your organisation therefore needs routines for how the list is updated and when data is erased. For a list of emergency contacts it is, for example, important that the relative's data is erased when the employee's employment ends. After that point there is simply no longer any need to keep it.
Inform the data subjects
The GDPR gives data subjects a "right to information" (Articles 13 and 14 GDPR). Here the data subject is the relative, and since the relative's data is normally collected from the employee rather than from the relative directly, Article 14 applies: the relative must be informed that his or her data is being processed, at the latest within one month of the data being collected (Article 14(3)(a) GDPR). The relative must, inter alia, be informed about which data is processed, what the purpose of the processing is, on what lawful basis the processing is based and when the personal data will be erased. A practical way to do this is to give the employee a short information notice to pass on to the relative when the contact details are collected.