The GDPR generally prohibits the processing of data relating to sexual orientation. In practice, this can be an obstacle to efforts towards inclusion.
Many companies these days are asking themselves how they can become even more attractive to applicants and employees belonging to social minorities. In the corporate world, this is referred to as diversity and inclusion and is often the subject of group-wide initiatives. These initiatives stem from the recognition that people belonging to minorities often have needs that not only differ from the needs of the (relative) majority, but are also simply unknown to this majority.
Equal treatment can be discriminatory
The effort to meet the individual needs of each employee, especially considering their minority background, is the subject of discussion across the globe under the term “woke”. It is increasingly recognized that treating everyone “equally” is often driven by the best of intentions, but typically leads to forms of institutional discrimination. This is because equal treatment is traditionally based on the needs of the (relative) majority of the employees.
For example, a company outing scheduled on the Saturday on which the Pride parade takes place would not appear to be a scheduling conflict to many employees, while members of the LGBTIQ community (and those who advocate for them) would perceive this as a discriminatory restriction on private activities. Similarly, an internal company policy on “paternity leave” would be perceived as discriminatory by mothers who do not give birth to the child – in the international context, this is referred to as “non-birthing parent”.
The first step towards addressing this is to better understand the extent of the challenge within your own organization. To this end, many global companies try to gain a better understanding of unwanted discrimination by conducting surveys among their employees about their satisfaction and their ethnic origin, sexual orientation and religious affiliation. After all, only those who know where the challenges lie can tackle them effectively. For example, if the organization loses an above-average number of Muslim employees, there are clear starting points for necessary changes. However, the right countermeasures can only be taken if the underlying cause is known.
Staff surveys and data protection
Addressing your own employees, better understanding the reality of their lives and focusing more closely on their needs as an organization inevitably means collecting information that qualifies as “sensitive” data under the General Data Protection Regulation (GDPR). This includes, in particular, ethnic origin, religious beliefs, health data or data relating to a person’s sex life or sexual orientation. The GDPR only permits the processing (and therefore the collection) of this data in very limited cases.
One of the justifications for the processing of sensitive data under the GDPR is a legal obligation. Discrimination on the basis of ethnicity, religious beliefs or sexual orientation is prohibited under the Equal Treatment Act in Austria. However, there is no legal obligation to actively promote diversity and inclusion as an employer. This means that there is no legal obligation as a basis for data processing. The consent of the data subject is not a valid justification either. According to the prevailing view, such consent given by employees is not sufficiently free from employment-related constraints and is therefore invalid.
For companies that aim to comply with the GDPR, the only feasible option is a works agreement. Insofar as the works council allows the company to process the aforementioned sensitive data to promote diversity and inclusion, companies can indeed collect this data and respond to the associated special needs of the employees. This ranges from the consideration of religious dietary requirements in Islam or Judaism to religious fasting periods, for example in Ramadan or before Easter in Christianity, to the needs-based individualization of working hours.
That said, if no works council has been established or if the national law in the respective member state does not recognize the institution of a works council, the collection of such data about the company’s employees is, in principle, inadmissible. It is therefore fair to argue that the GDPR is based on the misconception that treating everyone equally will create a positive, inclusive working environment that values people in their individual characteristics. A self-critical examination reveals that this misconception is probably based on the white, Christian or agnostic and heterosexual privilege of not having to deal in depth with the social reality of people belonging to other social groups.
A legislative amendment would be sensible and necessary
Not least the lively discussion about diversity and inclusion that has been taking place in the United States for several years and increasingly in Europe has shown that not taking into account the reality of the lives of people belonging to minorities is detrimental to equal opportunities and leads to companies losing valuable employees. This results not only in a disadvantage for society as a whole, but also an economic disadvantage for companies that have not yet recognized the potential of a “woker” HR culture.
In order to at least partially improve the current legal situation, it would be worth introducing explicit legal provisions that allow the collection of sensitive data for the purpose of promoting diversity and inclusion. In order to prevent misuse, certain data protection and data security requirements, which must be strictly defined, would have to be met. The existing rules on data processing for statistical purposes could serve as a point of reference here, but require some clarification. According to the wording of the law, the collection of sensitive personal data for statistical purposes is currently only permitted – subject to approval by the data protection authority – if the company cannot determine the identity of the data subjects by legally permissible means. However, as this is often not realistic even for statistical surveys, improvements would have to be made here.
The objectives of diversity and inclusion constantly require us to question traditional structures and look for improvements. This also holds true for established legal regulatory structures such as the protection of sensitive personal data under the GDPR. Otherwise, we are left with well-intentioned equality instead of genuine inclusion.
By Lukas Feiler, Partner IP Tech, Adrian Brandauer, Associate IP Tech, and Ariane Mueller, Law Clerk IT Tech, Baker McKenzie