Consent is not the right lawful basis for transferring employee data to Reward Gateway.
Reward Gateway provides many different ways for employees to register for programmes. Whilst some of these minimise the data transfers required, it would be difficult to argue that they allow Reward Gateway to process data on the basis of consent.
Why is consent not the right lawful basis for transferring employee data to Reward Gateway?
Consent is only appropriate if individuals can be given real choice and control over how their data is used. When it comes to systems that the employer has paid for, with an explicit business purpose in mind, this is unlikely to be the case.
The administrative burden on the employer under a consent basis is also likely to be significant. Every company leaver must be removed manually from Reward Gateway because automated transfers would contain data about people who had not consented, and managing consent lists internally would take significant effort.
What lawful basis would Reward Gateway suggest for transferring employee data?
Reward Gateway suggests that legitimate interest be used as the lawful basis. This reflects the business's interest in sharing the information with Reward Gateway: it hopes to achieve a benefit from the processing, i.e. increased employee engagement.
Legitimate interest also better reflects the expectation of the employee, who would reasonably expect their employer to provide them with secure individual access to business systems. The registration methods Reward Gateway provides can then be seen in the light of data minimisation, and processing is only required to complete this activity.
What about data subjects' right to object (i.e. opt out) under legitimate interest?
Reward Gateway allows this through self-service tools and maintains a 'member opt-out list'. This list contains a hash of the data subject identifier which Reward Gateway cannot reverse.
This list is used to check all data transfers to Reward Gateway, helping support cases where HRIS systems cannot be used to manage the 'opt-out'.
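A sketch of how a hashed opt-out list can screen an incoming transfer, added here as an illustration and not Reward Gateway's own code. It assumes an HMAC-SHA256 keyed hash, an email address as the data subject identifier, and hypothetical names (`opt_out_token`, `filter_transfer`, `OPT_OUT_KEY`); the article states only that the stored hash cannot be reversed.

```python
import hashlib
import hmac
import unicodedata

# Constructed key for this example; a real deployment would load it from a secrets store.
OPT_OUT_KEY = b"constructed-example-key-not-a-real-secret"


def normalise(identifier: str) -> bytes:
    """Canonicalise so 'Sam.Lee@Example.com ' and 'sam.lee@example.com' match."""
    return unicodedata.normalize("NFKC", identifier).strip().casefold().encode("utf-8")


def opt_out_token(identifier: str, key: bytes = OPT_OUT_KEY) -> str:
    """Keyed one-way token for the opt-out list (assumption: HMAC-SHA256).

    Email addresses are guessable, so an unkeyed hash could be matched by
    hashing candidate addresses; the key prevents that for anyone without it.
    """
    return hmac.new(key, normalise(identifier), hashlib.sha256).hexdigest()


def filter_transfer(records, opt_out_tokens, id_field="email"):
    """Split an incoming batch into records to process and records to drop."""
    accepted, suppressed = [], []
    for record in records:
        identifier = record.get(id_field)
        if not identifier:
            # Cannot be checked against the list, so fail closed (design choice).
            suppressed.append(record)
            continue
        token = opt_out_token(identifier)
        (suppressed if token in opt_out_tokens else accepted).append(record)
    return accepted, suppressed


# Constructed sample data: one member has opted out, then an HRIS export arrives.
OPT_OUT_LIST = {opt_out_token("sam.lee@example.com")}
HRIS_BATCH = [
    {"email": "Sam.Lee@Example.com ", "name": "Sam Lee"},
    {"email": "ana.diaz@example.com", "name": "Ana Diaz"},
    {"name": "No Identifier"},
]

if __name__ == "__main__":
    kept, dropped = filter_transfer(HRIS_BATCH, OPT_OUT_LIST)
    print("processed:", [r["name"] for r in kept])
    print("suppressed:", [r["name"] for r in dropped])
```

Because only tokens are stored, the list can keep suppressing a member who reappears in a later HRIS export without holding that member's identifier in clear text.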
Links to topics referenced in this article
Agreements, Data Protection Addendum, Subprocessor Information
Guide on privacy tools available to members