How will we process personal data at work from May 2018?

On June 8, 2017, the Data Protection Working Party, acting under Article 29 of Directive 95/46/EC, issued Opinion 2/2017 on the processing of data at work (hereinafter the Opinion). This Opinion attempts to re-evaluate the balance between the legitimate interests of employers, the risks posed by new technologies and the expectations of workers based on the preservation of privacy. What fundamental data protection principles should employers take into account when processing personal data in the employment context from May 25, 2018, when the EU General Data Protection Regulation will come into force?

This Opinion makes a new assessment of the balance between legitimate interests of employers and the reasonable privacy expectations of employees. The rapid adoption of new information technologies in the workplace, in terms of infrastructure, applications and smart devices, allows for new types of systematic and potentially invasive data processing at work. Therefore, whilst the use of such technologies can be helpful in detecting or preventing the loss of intellectual and material company property, improving the productivity of employees and protecting the personal data for which the data controller is responsible, they also create significant privacy and data protection challenges.

The word “employee” is not intended to restrict the scope of this term merely to persons with an employment contract recognized as such under applicable labour laws. This Opinion is intended to cover all situations where there is an employment relationship, regardless of whether this relationship is based on an employment contract.

It is important to state that employees are seldom in a position to freely give, refuse or revoke consent, given the dependency that results from the employer/employee relationship. Except in exceptional situations, employers will have to rely on a legal ground other than consent, such as the necessity to process the data for their legitimate interest. However, a legitimate interest in itself is not sufficient to override the rights and freedoms of employees.

According to the Opinion, employers should:

– ensure that data is processed for specified and legitimate purposes that are proportionate and necessary;

– take into account the principle of purpose limitation, while making sure that the data are adequate, relevant and not excessive for the legitimate purpose;

– apply the principles of proportionality and subsidiarity regardless of the applicable legal ground;

– be transparent with employees about the use and purposes of monitoring technologies;

– enable the exercise of data subject rights, including the rights of access and, as appropriate, the rectification, erasure or blocking of personal data;

– keep the data accurate, not retain them any longer than necessary and take all necessary measures to protect the data against unauthorised access and ensure that staff are sufficiently aware of data protection obligations.

In summary, employers must therefore take note of the following:

– for the majority of such data processing at work, the legal basis cannot and should not be the consent of the employees due to the nature of the relationship between employer and employee; so a different legal basis is required;

– processing may be necessary for the performance of a contract in cases where the employer has to process personal data of the employee to meet any such obligations. When meeting obligations under a contract of employment, such as paying the employee, the employer is required to process some personal data;

– it is quite common that employment law may impose legal obligations that necessitate the processing of personal data (e.g. for the purpose of tax calculation and salary administration); in such cases the employee must be clearly and fully informed of such processing;

– should an employer seek to rely on legitimate interest, the purpose of the processing must be legitimate; the chosen method or specific technology must be necessary, proportionate and implemented in the least intrusive manner possible.

It is essential that specific mitigating measures are present to ensure a proper balance between the legitimate interest of the employer and the fundamental rights and freedoms of the employees. Such measures, depending on the form of monitoring, should include limitations on monitoring so as to guarantee that the employee’s privacy is not violated. Such limitations could be: geographical, data-oriented, and time-related.

– the processing operations must also comply with the transparency requirements and employees should be clearly and fully informed of the processing of their personal data, including the existence of any monitoring. Policies and rules concerning legitimate monitoring must be clear and readily accessible.

The Working Party recommends involving a representative sample of employees in the creation and evaluation of such rules and policies, as most monitoring has the potential to infringe on the private lives of employees. Appropriate technical and organisational measures should also be adopted to ensure the security of the processing.

Employers must also take the principle of data minimisation into account when deciding on the deployment of new technologies. The information should be stored for the minimum amount of time needed with a retention period specified. Whenever information is no longer needed it should be deleted.

You can download the full Opinion document here.

 
