Dear Nora,

Thanks for your question. All processing activities should fall within the purpose limitation for which there a legitimate basis. However, when there is a legal obligation for secondary processing, such processing activities would be also allowed. On the contrary, when a specific legal obligation is absent, secondary processing is not allowed. Informed consent remains an alternative, but that depends on the circumstances. Is such processing reasonably justified to be able to rely on consent exclusively?

Also be aware that additional safeguards should be applied in case of secondary processing, such as data minimalization (is all personal data needed? Propotionality check!). Moreover, the data subject should be informed of such secondary processing.

Please feel free to contact us directy.

Best regards,
also on behalf of Arnold Birkhoff

Robbert Santifort, privacy lawyer

Thank you for discussing GDPR in concrete combination with HR Analytics. I have a question regarding the use of HR data that is collected for a specific purpose (e.g. sick leave reporting in order to comply with the law), and how this should be treated when HR analyze this further and do a secondary processing. Considering that an employer should not use consent as a legal basis (in this case the legal basis would be legal obligation), how should this be treated? My concern for HR Analytics also regards the retention principle. Any comment on this? Thanks!