Diversity and inclusion data – the view from the Netherlands

Although the pressure from stakeholders to report diversity and inclusion (D&I) and other ESG data is, in many cases, slightly less than in the UK, the position on data collection, processing and retention in mainland Europe is pretty much the same in terms of data protection. 

Information about a current or potential employee’s racial or ethnic origin, physical or mental health, religion or similar beliefs and sexual orientation, is sensitive or special personal data that may not be processed by employers unless GDPR requirements are satisfied.

The processing of special personal data is prohibited, unless the employer satisfies one of the Article 9 GDPR conditions for processing it, in addition to identifying a valid Article 6 lawful basis for processing 'ordinary' personal data.

Consent

In an employment relationship, the lawful basis can be the consent of the person concerned, a legal obligation to process the data, or because it is in the employer's legitimate interests. However, it is generally assumed that valid consent is difficult to obtain in an employment setting due to the imbalance of power in the employer/employee relationship. 

This means that the relevant lawful basis is likely to be either that the employer is required to process the data due to a legal obligation or because it is in their legitimate interests, taking into account the rights of the data subjects.

Legal obligation

In the Netherlands, a law is being made to help narrow the gender pay gap. That law will serve as a lawful basis for employers to legitimately ask about the employees’ gender and to process the answers. 

Employers also have an obligation to rehabilitate employees for two years during an illness which will require them to process data concerning their illness or disability. While this will enable reliance on the legal obligation lawful basis, under Dutch law, the data may only be processed in the Netherlands by an external occupational health service and not by the employer itself, subject to additional privacy safeguards and meeting an Article 9 condition.

A different take on legitimate interests of processing D&I data?

Interestingly, in the context of cultural diversity in the Netherlands, it is argued that collecting certain information about employees in the context of an affirmative action policy may be a legitimate interest for an employer to collect sensitive data. In doing so, the principles of proportionality and subsidiarity should always be taken into account.

The basis for this view is a study carried out by PwC on behalf of the Ministry of Social Affairs and Employment. It found that legitimate interests was a valid lawful basis under the old (pre-GDPR) Dutch Data Protection Act and that the Dutch legislator had not made any changes to the criteria. As a result, the processing of D&I data might be possible within the framework of an affirmative action policy regarding certain minority groups on the basis of legitimate interests, although the question of satisfying an Article 9 condition remains. 

Even if the D&I data can be processed lawfully in the context of an affirmative action policy, employers should keep an eye on the issues they are trying to address through affirmative action. Once certain groups are no longer seen to be disadvantaged in the workplace, changes to the policy might be required and the data relating to those groups can no longer be processed for D&I purposes on this basis. In addition, the data cannot be processed at all if the data subject has objected.

Partly due to a lack of enforcement capacity on the part of the Dutch Data Protection Authority, it's unclear what the Dutch government’s view is on this issue. Even if there is scope for processing special personal data in the Netherlands when it comes to an affirmative action policy, there is a need for clear legislation which covers this issue if diversity and inclusion policies are to translate to real change.

Find out more

To discuss the issues raised in this article in more detail, please reach out to a member of our Technology, Media & Communications or Data Protection & Cyber teams.