Consent is not the right lawful basis for transferring employee data to Reward Gateway.

Reward Gateway provides many different ways of allowing employees to register for programmes. Whilst some of these minimise data transfers required, it would be a struggle to suggest they allow data processing by Reward Gateway on the basis of consent.

Consent is only appropriate if real choice and control over how their data is used can be provided. When it comes to systems that the employer has paid for, with an explicit business purpose in mind, this is unlikely to be the case.

Instead Reward Gateway suggest that legitimate interest is used as a lawful basis. This reflects the businesses’ interest in sharing the information with Reward Gateway: it hopes to achieve a benefit in the processing i.e. increased employee engagement.

Legitimate interest also better reflects the expectation of the employee, who would reasonably expect their employer to provide them with secure individual access to business systems. The registration methods Reward Gateway provide can then be seen in the light of data minimisation, and processing is only required to complete this activity.

Under a consent basis, the administrative burden on the employer is likely to be significant. Every company leaver must be removed manually from Reward Gateway because automated transfers would contain data about people who had not consented, and managing consent lists internally would take significant effort.

There are still cases where employees may want to opt-out under such a legitimate interest argument. Reward Gateway allow this through self-service tools and can support cases where clients systems are unable to filter automated data transfers. A ‘blacklist’ of cryptographically hashed opt-outs is maintained and any transfers filtered against it (it is computationally hard for Reward Gateway to amend this and an opt-in request must be received for removal.)

Consent is used for some Reward Gateway services and these consents are collected at the appropriate times (e.g. opt-in to the retail newsletter.) These consents are independent of the data transfer from the employer, and not collected on behalf of the employer. They are consent agreements with Reward Gateway, who prepare the email content and administer it.

Reward Gateway is responsible for its legal obligations in this and the Privacy Notice and Terms & Conditions set this out.

Links to topics referenced in this article

Agreements, Data Protection Addendum, Subprocessor Information

Guide on privacy tools available to members

Right to erasure

Registration Criteria