In light of the ‘Black Lives Matter’ movement, organisations want to achieve more diversity in their workforces. In doing so, employers sometimes wish to ask their employees or candidates to disclose personal information on a voluntary basis (‘diversity monitoring’). This often involves data on race, ethnic origin, health, religion, sexual orientation, gender, gender identity or social origin. But to what extent is the collection of this data allowed under the GDPR?
The GDPR provides a special regime for a number of special categories of personal data because of their sensitive nature. Specifically, it concerns data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The processing of these special categories of personal data is in principle prohibited, unless the company can invoke a specific exception. In the context of a diversity policy, the following exceptions are relevant.
The explicit consent of the employee
The GDPR requires consent to be free, specific, informed and unambiguous. This implies, among other things, that there must be no imbalance of power between the data controller and the individual. For this reason, consent is not a solid exception in the context of a diversity policy in the workplace, as employees may feel pressured to register as belonging to the target group.
The necessity for the purposes of carrying out the obligations and exercising specific rights in the field of employment law
To date, there is no general legal obligation or provision allowing for the assessment of diversity in organisations.
Organisations could possibly rely on the introduction of so-called ‘positive actions’ as provided for in the anti-discrimination legislation. For the implementation of a positive action, the company (or the sector) must demonstrate that there is an inequality between members of the intended target group and others. According to the Data Protection Authority, however, this inequality can also be demonstrated in a different way than by the collection of personal data.
Therefore, there is no exception for Belgian organisations from the prohibition on processing sensitive data as part of a diversity policy.
We are only aware of one possible exception. Companies with their registered office or at least an establishment unit in the Brussels Region are allowed, in accordance with Brussels’ regulations, to write a diversity plan and submit it to Actiris (the Brussels region employment agency) for approval. If this diversity plan is implemented correctly, the company may be awarded a diversity label. Within the framework of this specific diversity plan, there is a legal authorisation to classify the workforce into categories of beneficiary employees.
Other personal data (including gender, gender identity and social origin) do not fall under the special categories of sensitive data. However, this does not mean that these data can be requested just like that. After all, companies must rely on a legal basis.
For example, employers could invoke a legitimate interest for the organisation to obtain more diversity. However, this will raise the question of whether it is necessary for an organisation to question employees about personal data. Moreover, in the framework of the accountability principle, organisations should work out a balancing test to weigh up the interests of the employer against those of the employees.
It is also important to take into account the discrimination legislation, which prohibits any distinction that cannot be justified and that is made on the basis of a number of protected criteria, including race, descent, religion, sexual orientation, as well as gender, gender identity and social origin. An employer who divides staff into categories based on protected criteria increases liability in discrimination claims.
Either way, both sensitive data and non-sensitive data may be collected and processed on an anonymous basis, as the GDPR does not apply to anonymous data. This does require, however, that the data cannot be linked in any way to an identified or identifiable person and has therefore been anonymised from the start (and not only anonymised after it has been collected).
Discrimination is prohibited, and employers are well advised to pursue diversity in their HR practices. However, it is important to keep in mind that the processing of sensitive personal data, even in the context of a diversity policy, is in principle prohibited and can only be done on the basis of a well-documented legal basis.
To exclude all risks, it is therefore strongly recommended to only collect and process employee data on an anonymous basis. This also applies if you plan to outsource the collection of the data to a third party, such as an independent agency, since it is the employer, as the controller, who is responsible for ensuring that processors who process data on their behalf also comply with the GDPR.