Newsflash
Data protection and privacy

In light of the “Black Lives Matter” movement, companies want to achieve more diversity in their workforces. In doing so, employers sometimes wish to ask their employees or candidates to disclose personal information on a voluntary basis (“diversity monitoring”). This often involves data on race, ethnic origin, health, religion, sexual orientation, gender, gender identity or social origin. But to what extent is the collection of such data allowed under the GDPR?

Sensitive personal data

The GDPR provides a special regime for a number of special categories of personal data because of their sensitive nature. Specifically, it concerns data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.

The processing of these special categories of personal data is in principle prohibited, unless the company can invoke a specific exception. In the context of a diversity policy, the following exceptions are relevant:

1. The explicit consent of the employee:

The GDPR requires consent to be free, specific, informed and unambiguous. This implies, among other things, that there must be no imbalance of power between the data controller and the individual. For this reason, consent is not a solid exception in the context of a diversity policy in the workplace, as employees may feel pressured to register as belonging to the target group.

2. The necessity for the purposes of carrying out the obligations and exercising specific rights in the field of employment law:

To date, there is no general legal obligation or provision allowing for the assessment of diversity in companies.

Companies could possibly rely on the introduction of so-called “positive actions” as provided for in the anti-discrimination legislation. For the implementation of a positive action, the company (or the sector) must demonstrate that there is an inequality between the persons of the intended target group and the other persons. According to the Data Protection Authority, however, this inequality can also be demonstrated by means other than the collection of personal data.

Therefore, there is no exception for Belgian companies from the prohibition on processing sensitive data as part of a diversity policy.

We are only aware of one possible exception. Companies with their registered office or at least an establishment unit in the Brussels Region are allowed, in accordance with Brussels’ regulations, to write a diversity plan and submit it to Actiris for approval. If this diversity plan is implemented correctly, the company may be awarded a diversity label. Within the framework of this specific diversity plan, there is a legal authorisation to classify the workforce into categories of beneficiary employees.

Non-sensitive personal data

Other personal data – including gender, gender identity and social origin – do not fall under the special categories of sensitive data. However, this does not mean that these data can be requested just like that. After all, companies must rely on a legal basis.

For example, companies could invoke a legitimate interest in achieving more diversity. However, this raises the question of whether it is necessary for a company to question employees about such personal data. Moreover, under the accountability principle, the company should work out a balancing test to weigh up the interests of the employer against those of the employees.

Discrimination risk

Furthermore, it is important to take into account the discrimination legislation, which prohibits any distinction that cannot be justified on the basis of a number of protected criteria, including race, descent, religion, sexual orientation, as well as gender, gender identity and social origin. An employer who divides staff into categories based on the protected criteria increases its liability in discrimination claims.

Anonymous data

Either way, both sensitive data and non-sensitive data may be collected and processed on an anonymous basis, as the GDPR does not apply to anonymous data. This does require, however, that the data cannot be linked in any way to an identified or identifiable person and has therefore been anonymised from the start (and not only anonymised after it has been collected).

Action point

Discrimination is prohibited, and companies are well advised to pursue diversity in their HR practices. However, it is important to keep in mind that the processing of sensitive personal data, even in the context of a diversity policy, is in principle prohibited and is permitted only on a well-documented legal basis.

To exclude all risks, it is therefore strongly recommended to collect and process employee data only on an anonymous basis. This also applies if you plan to outsource the collection of the data to a third party, such as an independent agency, since you, as the controller, are responsible for ensuring that processors who process data on your behalf also comply with the GDPR.