Happy Birthday! How a Data Protection Breach Could Ruin Your Day.

15.09.22 08:46 AM
This article addresses the following questions: When you wish an employee a happy birthday, does it breach data protection rules? And if so, what can you do to avoid a breach?

We celebrate other people's birthdays by wishing them well, thinking about them and how much they mean to us. We might send flowers or a card, or bring cake for the team at their desk around their birthday. This is possible because colleagues know when each other's birthdays are. However, celebrating becomes an issue in light of Article 9 of the GDPR, which “prohibits processing personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”. We will explore this further below.

It is legal to process date of birth when it is required by law, but under the GDPR it is also legal to process it for any other legitimate reason.

An employee's birth date is also critical data that distinguish each one of a company’s employees. It seems logical as well to be nice and send wishes on their special day. According to the GDPR, “the processing of personal data is generally prohibited unless a specific legal permission exists (Article 6(1)). In addition, the principle of purpose limitation (Article 5(1)b) must be respected.” The limitation of an organisation to only process the necessary information when entering a birthdate is a GDPR requirement. This not only prevents discrimination in the workplace but also ensures accuracy in your files. The use of a date of birth for congratulatory purposes does not necessarily mean that an employer wants to show courtesy; it could be just a way for them to respect their obligations. If you do not want to share your date of birth with others, it is entirely optional. There may also be some hesitance around considering this type of information as a friendly gesture.

You will need employees’ consent to wish them happy birthday

If you want to wish your employees a happy birthday, but are concerned with the data protection implications, getting consent in advance is the only way to go (Article 6(1)a GDPR). Employers must let their employees know that they plan on sending them a birthday message as this is an expectation. There's an exception: according to §26 paragraph 2 sentence 2 BDSG, “consent may be voluntary if the employer and employee are engaged in similar interests.”


It may seem a little unusual, but a well-wisher cannot be prohibited from congratulating an employee on his or her birthday without their prior consent. It's important to abide by data protection requirements whenever you plan on celebrating a special occasion at work with your employees. Please remember to ask for their consent in advance and be mindful of their personal information. To avoid the risk of using someone's personal information to congratulate an employee, you'll want to refrain from such actions and use a safer, less controversial way of expressing your support.