Success Portal

Lawful basis for transferring employee data to Reward Gateway

Adam
  • Updated
Follow

Consent is not the right lawful basis for transferring employee data to Reward Gateway.

Reward Gateway provides many different ways of allowing employees to register for programmes. Whilst some of these minimise data transfers required, it would be a struggle to suggest they allow data processing by Reward Gateway on the basis of consent.

Why is consent not the right lawful basis for transferring employee data to Reward Gateway?

Consent is only appropriate if real choice and control over how their data is used can be provided. When it comes to systems that the employer has paid for, with an explicit business purpose in mind, this is unlikely to be the case.

Under a consent basis too, the administrative burden on the employer is likely to be significant. Every company leaver must be removed manually from Reward Gateway because automated transfers would contain data about people who had not consented, and managing consent lists internally would take significant effort.

What lawful basis would Reward Gateway suggest for transferring employee data?

Reward Gateway suggest that legitimate interest is used as a lawful basis. This reflects the businesses’ interest in sharing the information with Reward Gateway: it hopes to achieve a benefit in the processing i.e. increased employee engagement.

Legitimate interest also better reflects the expectation of the employee, who would reasonably expect their employer to provide them with secure individual access to business systems. The registration methods Reward Gateway provide can then be seen in the light of data minimization, and processing is only required to complete this activity.

What about data subjects right to object (i.e. opt-out) under legitimate interest?

Reward Gateway allow this through self-service tools and maintains a 'member opt-out list'. This list contains a hash of the data subject identifier which Reward Gateway can not reverse.

This list is used to check all data transfers to Reward Gateway, helping support cases where HRIS systems can not be used to manage the 'opt-out'.

 

 

Links to topics referenced in this article

Agreements, Data Protection Addendum, Subprocessor Information

Guide on privacy tools available to members

Right to erasure

Registration Criteria

 

Did this article help you?

0 out of 0 found this helpful

Related articles

Still haven't found what you are looking for?

Product development updates
Learn now
Can't find what you are looking for?
Get in touch

Comments

0 comments

Article is closed for comments.

top Back to top