PERSONAL DATA PROTECTION ISSUES IN THE AREA OF LABOR RELATIONS
On June 8, 2017 the Data Protection Working Party, acting under Article 29 of Directive 95/46/EC, issued Opinion 2/2017 on the processing of data at work (hereinafter the Opinion).
This Opinion attempts to re-evaluate the balance between the legitimate interests of employers, the risks posed by new technologies and the expectations of workers based on the preservation of privacy. It is important to note that this document is based not only on the principles for the protection of personal data provided for in Directive 95/46/EC, but also introduces additional obligations for employers provided for in the General Data Protection Regulation, which will come into force in Lithuania, as well as in other Member States of the European Union, from May 25, 2018.
This Opinion makes a new assessment of the balance between legitimate interests of employers and the reasonable privacy expectations of employees. The rapid adoption of new information technologies in the workplace, in terms of infrastructure, applications and smart devices, allows for new types of systematic and potentially invasive data processing at work.
Therefore, whilst the use of such technologies can be helpful in detecting or preventing the loss of intellectual and material company property, improving the productivity of employees and protecting the personal data for which the data controller is responsible, they also create significant privacy and data protection challenges.
The word “employee” is not intended to restrict the scope of this term merely to persons with an employment contract recognized as such under applicable labour laws. This Opinion is intended to cover all situations where there is an employment relationship, regardless of whether this relationship is based on an employment contract.
It is important to state that employees are seldom in a position to freely give, refuse or revoke consent, given the dependency that results from the employer/employee relationship. Except in exceptional situations, employers will have to rely on a legal ground other than consent, such as the necessity to process the data for their legitimate interest. However, a legitimate interest in itself is not sufficient to override the rights and freedoms of employees.
Regardless of the legal basis for such processing, a proportionality test should be undertaken prior to its commencement to consider whether the processing is necessary to achieve a legitimate purpose, as well as the measures that have to be taken to ensure that infringements of the rights to private life and secrecy of communications are limited to a minimum.
Employers shall take into account the fundamental data protection principles when processing personal data in the employment context. Employers should:
– ensure that data is processed for specified and legitimate purposes that are proportionate and necessary;
– take into account the principle of purpose limitation, while making sure that the data are adequate, relevant and not excessive for the legitimate purpose;
– apply the principles of proportionality and subsidiarity regardless of the applicable legal ground;
– be transparent with employees about the use and purposes of monitoring technologies;
– enable the exercise of data subject rights, including the rights of access and, as appropriate, the rectification, erasure or blocking of personal data;
– keep the data accurate, and not retain them any longer than necessary; and
– take all necessary measures to protect the data against unauthorised access and ensure that staff are sufficiently aware of data protection obligations.
In summary, employers must therefore take note of the following:
– for the majority of such data processing at work, the legal basis cannot and should not be the consent of the employees due to the nature of the relationship between employer and employee; so a different legal basis is required. Employees are almost never in a position to freely give, refuse or revoke consent, given the dependency that results from the employer/employee relationship. Given the imbalance of power, employees can only give free consent in exceptional circumstances, when no consequences at all are connected to acceptance or rejection of an offer.
– processing may be necessary for the performance of a contract in cases where the employer has to process personal data of the employee to meet any such obligations. Employment relationships are often based on a contract of employment between the employer and the employee. When meeting obligations under this contract, such as paying the employee, the employer is required to process some personal data;
– it is quite common that employment law may impose legal obligations that necessitate the processing of personal data (e.g. for the purpose of tax calculation and salary administration); in such cases the employee must be clearly and fully informed of such processing. In such cases, a law constitutes the legal basis for the data processing;
– should an employer seek to rely on legitimate interest, the purpose of the processing must be legitimate; the chosen method or specific technology must be necessary, proportionate and implemented in the least intrusive manner possible;
It is essential that specific mitigating measures are present to ensure a proper balance between the legitimate interest of the employer and the fundamental rights and freedoms of the employees. Such measures, depending on the form of monitoring, should include limitations on monitoring so as to guarantee that the employee’s privacy is not violated. Such limitations could be:
– geographical (e.g. monitoring only in specific places; monitoring sensitive areas such as religious places and, for example, sanitary zones and break rooms should be prohibited), data-oriented (e.g. personal electronic files and communication should not be monitored), and time-related (e.g. sampling instead of continuous monitoring);
– the processing operations must also comply with the transparency requirements and employees should be clearly and fully informed of the processing of their personal data, including the existence of any monitoring; employees must be informed of the existence of any monitoring, the purposes for which personal data are to be processed and any other information necessary to guarantee fair processing. Policies and rules concerning legitimate monitoring must be clear and readily accessible. The Working Party recommends involving a representative sample of employees in the creation and evaluation of such rules and policies as most monitoring has the potential to infringe on the private lives of employees.
– appropriate technical and organisational measures should be adopted to ensure security of the processing. Employers must also take the principle of data minimisation into account when deciding on the deployment of new technologies. The information should be stored for the minimum amount of time needed with a retention period specified. Whenever information is no longer needed it should be deleted.