Beyond Legal #23: The HR business partner who sent the survey anyway

I told him we needed a lawful basis. He sent the employee survey anyway. — Jo, Data Protection Leader

There is a particular kind of organisational mistake that looks like a communication failure but is actually a governance failure. One person raises a legal requirement. The other hears it as an opinion. The survey goes out. And then everyone is surprised by what happens next.

Taiwo’s story #

Taiwo is an HR business partner at an EU-based logistics company with operations across Germany and the Netherlands. He is good with people, moves quickly, and is not someone who thinks in terms of processing activities or controller obligations.

When he met with Jo, the Data Protection Leader, with a plan for a company-wide employee wellbeing survey, he had already chosen the vendor. The survey would cover workload, mental health, line manager relationships, and pay satisfaction. He wanted to launch it within the month.

She asked the obvious question: what lawful basis were they relying on?

Taiwo said it was fine because employees would click a consent box at the start of the survey.

She explained why that was wrong. Consent under the GDPR must be freely given. Where there is a clear power imbalance between a controller and the person whose data is being processed, as there is in any employment relationship, the GDPR guidance is explicit: consent is unlikely to be valid. For employee data, the appropriate basis needs to be carefully identified and properly assessed, documented in the records of processing activities (RoPA), and due diligence conducted on any vendors involved, including identifying their processing role, for example as a processor under Article 28.

Taiwo thanked her. He sent the survey the following week.

What went wrong #

The platform he had chosen stored data outside the EU. There were no standard contractual clauses in place, no transfer impact assessment, and no Article 28 agreement with the processor.

When a works council in Germany raised a formal objection — they had a right to be consulted on processing activities involving employee personal data — the company had nothing documented to show. The local data protection authority opened a review and the wellbeing initiative became a six-month regulatory process.

The Data Protection Leader’s advice had been clear and given in writing. She kept her role. Taiwo did not.

What lawful basis for employee data actually requires #

Under Article 6 of the GDPR, the processing of personal data cannot take place without a valid lawful basis. Not retrospectively, and not in parallel. For employee data specifically, the European Data Protection Board has consistently held that consent is generally inappropriate because of the inherent power imbalance in the employment relationship. If the lawful basis is invalid, the processing is unlawful regardless of how well-intentioned the purpose was. The basis must be documented in the records of processing activities before a single data subject’s personal data is touched.

For more on how accountability is distributed across a data protection programme, see Beyond Legal #21 and Beyond Legal #22.


Article references: Article 6 (lawful basis), Article 7 (conditions for consent), Article 28 (processor obligations), Article 30 (records of processing activities), Article 46 (transfers subject to appropriate safeguards).

GDPR turns ten: this is a fictitious story, part of a series of blog posts reminding us that data protection is not just an issue for the legal team. See Why the backstory of GDPR matters to read about some of the key dates and events.


Purpose and Means works with organisations on data protection strategy, governance, and compliance — going beyond the legal text to focus on how things actually get done. If you’d like to discuss what this means for your organisation, book a call or explore our services.

Author
Tim Clements
