Most of the data processing that HR undertakes may take place without express consent.
HR has a legal basis for processing in order to fulfil the terms of the employment contract, cf. Article 6(1)(b) and the processing is necessary for us to fulfil our legal obligations as employers, cf. Article 6(1)(c), cf. Sections 6(1), 7(1) and 12(1), (2) and (3) of the Danish Data Protection Act.
There are situations where Aarhus University is obliged to request express consent for data processing. They include the following instances:
The legal basis for processing the aforementioned data following consent is stated in Article 7(1) of the General Data Protection Regulation and Section 12(3) of the Danish Data Protection Act.
The publication of employee portrait photos on the website, in emails and on office doors requires their consent. Employees are asked to upload photos themselves.
Criminal records: Consent is deemed to have been granted if the applicant obtains and submits the criminal record as a jobseeker.
Criminal records may be obtained following a specific case assessment.
Statement of no previous convictions in respect of children: The university is obliged to obtain statements of no previous convictions in respect of children for employees whose work will involve direct contact with children under 15 years of age. The university will send to the police the CPR number (civil registration number) of the employee for whom we require a statement of no previous convictions in respect of children. The police will request the employee’s consent via e-Boks and the consent can be granted using NemID via the police website. The police will then send the statement to the university in its role of employer. Since obtaining statements of no previous convictions in respect of children is a statutory obligation, such statements will be filed.
Personality tests in connection with recruitment may only be processed following express consent. The test results of an identifiable natural person obtained in connection with recruitment must be deleted/shredded or made anonymous immediately after the applicant has received a rejection. If you wish to store the test results of employees who have been hired, after the employee has started in his/her position, a separate express consent is required, specifying the purpose of the continued storage. If the employee does not wish to consent to continued storage, the test must be deleted/shredded or made anonymous.
Personality tests of existing employees may only be processed with the employee’s express consent for the specifically indicated purpose. Employees are not obliged to consent to this, and refusal of consent may not lead to sanctions or repercussions under employment law.
The procurement of references may take place in connection with recruitment and requires express, informed consent from the applicant for the position. The university may set the procurement of references as a condition of employment. Consent may e.g. be given by email and it should be clearly stated which data the applicant consents to the processing of.
Non-specific consent to obtain references may not be used to obtain sensitive or confidential personal data. If the university requires data of a sensitive or confidential nature, express, specific consent must be obtained for requesting this type of data.
Disclosure of data in connection with references: When managers at Aarhus University are asked to provide information on an employee in connection with an application for employment by another employer, the AU manager must ensure that the employee has consented to the AU manager providing information. As a rule, the employee will have informed the current manager that he/she may be contacted regarding references. In this case, the manager will draft a dated memo stating that the employee has given consent and which information/data it has been consented to disclose. The memo must be filed in the personnel folder. If the employee has not notified the AU manager of a request for references, the manager may not provide any information until after the manager has contacted the employee and ensured their consent to the release of the reference. General data may be disclosed to a potential new employer under a general consent, while sensitive or confidential data may only be disclosed with express, specific consent.
The university does not disclose sensitive or confidential data to union representatives and/or union organisations authorised to negotiate. The employee is expected to disclose any sensitive or confidential data to the union representative/union organisation authorised to negotiate, if this is required.