Personal Data Processing at Work

The rapid adoption of new information technologies in the workplace, in terms of infrastructure, applications and smart devices, allows for new types of systematic and potentially invasive data processing at work. For example (WP29 Opinion 2/2017, p. 3-4):

  • technologies enabling data processing at work can now be implemented at a fraction of the costs of several years ago whilst the capacity for the processing of personal data by these technologies has increased exponentially;
  • new forms of processing, such as those concerning personal data on the use of online services and/or location data from a smart device, are much less visible to employees than other more traditional types such as overt CCTV cameras. This raises questions about the extent to which employees are aware of these technologies, since employers might unlawfully implement these processing operations without prior notice to the employees; and
  • the boundaries between home and work have become increasingly blurred. For example, when employees work remotely (e.g. from home), or whilst they are travelling for business, monitoring of activities outside of the physical working environment can take place and can potentially include monitoring of the individual in a private context.

Therefore, whilst the use of such technologies can be helpful in detecting or preventing the loss of intellectual and material company property, improving the productivity of employees and protecting the personal data for which the data controller is responsible, they also create significant privacy and data protection challenges.

Definitions
The scope of the term “employee” is not restricted merely to persons with an employment contract recognized as such under applicable labour laws. Over the past decades, new business models served by different types of labour relationships, and in particular employment on a freelance basis, have become more commonplace. Therefore, the statutory protection of employee data should extend to all situations where there is an employment relationship, regardless of whether this relationship is based on an employment contract (WP29 Opinion 2/2017, p. 4).

Legal Framework
The protection of employees’ data in the context of the employment relationship is regulated by the general provisions of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (“E-Privacy Directive”) and Regulation (EU) 2016/679 (GDPR).

In addition, the Article 29 Working Party (“WP29”) has provided relevant interpretation and guidance on the E-Privacy Directive and the GDPR in the following opinions and working documents:

  • WP29, Opinion 08/2001 on the processing of personal data in the employment context, WP 48, 13 September 2001.
  • WP29 Working document on the surveillance of electronic communications in the workplace, WP 55, 29 May 2002.
  • WP29 Opinion 2/2017 on data processing at work, WP 249, 8 June 2017.

Consent in the Employment Context
Consent is defined as any freely-given, specific and informed indication of a data subject’s wishes by which he or she signifies agreement to personal data relating to him or her being processed. For consent to be valid, it must also be revocable.

Employees are almost never in a position to freely give, refuse or revoke consent, given the dependency that results from the employer/employee relationship. Given the imbalance of power, employees can only give free consent in exceptional circumstances, when no consequences at all are connected to acceptance or rejection of an offer (WP29 Opinion 2/2017, p. 22).

Unless in exceptional situations, employers will therefore have to rely on a legal ground other than consent, such as the necessity to process the data for their legitimate interest. However, a legitimate interest in itself is not sufficient to override the rights and freedoms of employees (WP29 Opinion 2/2017, p. 4).

WP29 has previously outlined in Opinion 8/2001 that where an employer has to process personal data of his/her employees it is misleading to start with the supposition that the processing can be legitimised through the employees’ consent. In cases where an employer says they require consent and there is a real or potential relevant prejudice that arises from the employee not consenting (which can be highly probable in the employment context, especially when it concerns the employer tracking the behaviour of the employee over time), then the consent is not valid since it is not and cannot be freely given. Thus, for the majority of the cases of employees’ data processing, the legal basis of that processing cannot and should not be the consent of the employees, so a different legal basis is required (WP29 Opinion 2/2017, p. 7).

Moreover, even in cases where consent could be said to constitute a valid legal basis for such processing (i.e. if it can be undoubtedly concluded that the consent is freely given), it needs to be a specific and informed indication of the employee’s wishes. Default settings on devices and/or the installation of software that facilitates electronic personal data processing cannot qualify as consent given by employees, since consent requires an active expression of will. A lack of action (i.e. not changing the default settings) may generally not be considered as specific consent to such processing (see also WP29, Opinion 15/2011 on the definition of consent, WP 187, 13 July 2011, url: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp187_en.pdf, p. 24).

Employers must therefore take note that, for the majority of such data processing at work, the legal basis cannot and should not be the consent of the employees due to the nature of the relationship between employer and employee (WP29 Opinion 2/2017, p. 6).

Other Legal Grounds in the Employment Context
The legitimate interest of employers can sometimes be invoked as a legal ground, but only if the processing is strictly necessary for a legitimate purpose and the processing complies with the principles of proportionality and subsidiarity. A proportionality test should be conducted prior to the deployment of any monitoring tool to consider whether all data are necessary, whether this processing outweighs the general privacy rights that employees also have in the workplace and what measures must be taken to ensure that infringements on the right to private life and the right to secrecy of communications are limited to the minimum necessary (WP29 Opinion 2/2017, p. 22).

Should an employer seek to rely on legitimate interest, the purpose of the processing must be legitimate, and the chosen method or specific technology must be necessary, proportionate and implemented in the least intrusive manner possible. The employer must also be able to demonstrate that appropriate measures have been put in place to ensure a balance with the fundamental rights and freedoms of employees (WP29, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, WP 217, adopted 9 April 2014, url: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf; WP29 Opinion 2/2017, p. 6).

It is quite common that employment law imposes legal obligations (Art. 7(c) of Directive 95/46/EC) that necessitate the processing of personal data; in such cases the employee must be clearly and fully informed of such processing (unless an exception applies). The processing operations must also comply with the transparency requirements (Art. 10 and 11 of the Directive), and employees should be clearly and fully informed of the processing of their personal data, including the existence of any monitoring (WP29 Opinion 2/2017, p. 6).

If an employer wishes to rely upon the legal ground of the legitimate interest of the employer, the purpose of the processing must be legitimate, and the chosen method or specific technology with which the processing is to be undertaken must be necessary for the legitimate interest of the employer. The processing must also be proportionate to the business needs, i.e. the purpose it is meant to address. Data processing at work should be carried out in the least intrusive manner possible and be targeted to the specific area of risk. Additionally, if the employer relies on its legitimate interest, the employee retains the right to object to the processing on compelling legitimate grounds. In order to rely on the legitimate interest of the employer as the legal ground for processing, it is essential that specific mitigating measures are present to ensure a proper balance between the legitimate interest of the employer and the fundamental rights and freedoms of the employees (see the case of Köpke v Germany, [2010] ECHR 1725). Such measures, depending on the form of monitoring, should include limitations on monitoring so as to guarantee that the employee’s privacy is not violated. Such limitations could be (WP29 Opinion 2/2017, p. 7-8):

  • geographical (e.g. monitoring only in specific places; monitoring of sensitive areas such as religious places, sanitary zones and break rooms should be prohibited);
  • data-oriented (e.g. personal electronic files and communication should not be monitored); and
  • time-related (e.g. sampling instead of continuous monitoring).

Data Protection Principles in the Employment Context
In terms of the data protection principles, employers should (WP29 Opinion 2/2017, p. 5):

  • ensure that data is processed for specified and legitimate purposes that are proportionate and necessary;
  • take into account the principle of purpose limitation, while making sure that the data are adequate, relevant and not excessive for the legitimate purpose;
  • apply the principles of proportionality and subsidiarity regardless of the applicable legal ground;
  • be transparent with employees about the use and purposes of monitoring technologies;
  • enable the exercise of data subject rights, including the rights of access and, as appropriate, the rectification, erasure or blocking of personal data;
  • keep the data accurate, and not retain them any longer than necessary; and
  • take all necessary measures to protect the data against unauthorised access and ensure that staff are sufficiently aware of data protection obligations.

Indicatively, where an employer issues devices to employees, the most privacy-friendly solutions should be selected if tracking technologies are involved. Data minimisation must also be taken into account (WP29 Opinion 2/2017, p. 7).

Special Categories of Data in the Employment Context
If the types of personal data processed involve special categories of data, the processing is prohibited unless an exception applies (WP29 Opinion 2/2017, p. 6).

Transparency in the Employment Context
Employees must be informed of the existence of any monitoring, the purposes for which personal data are to be processed and any other information necessary to guarantee fair processing. With new technologies, the need for transparency becomes more evident since they enable the collection and further processing of possibly huge amounts of personal data in a covert way (WP29 Opinion 2/2017, p. 8).

Effective communication should be provided to employees concerning any monitoring that takes place, the purposes for this monitoring and the circumstances, as well as possibilities for employees to prevent their data being captured by monitoring technologies. Policies and rules concerning legitimate monitoring must be clear and readily accessible. The Working Party recommends involving a representative sample of employees in the creation and evaluation of such rules and policies as most monitoring has the potential to infringe on the private lives of employees (WP29 Opinion 2/2017, p. 12).

DPIAs in the Employment Context
Regardless of the legal basis for such processing, a proportionality test should be undertaken prior to its commencement to consider whether the processing is necessary to achieve a legitimate purpose, as well as the measures that have to be taken to ensure that infringements of the rights to private life and secrecy of communications are limited to a minimum. This can form part of a Data Protection Impact Assessment (DPIA) (WP29 Opinion 2/2017, p. 4).

The requirements for a data controller to carry out a Data Protection Impact Assessment (DPIA) are fulfilled where new technologies are used and, taking into account the nature, scope, context and purposes of the processing itself, such use is likely to result in a high risk to the rights and freedoms of natural persons. An example is a case of systematic and extensive evaluation of personal aspects related to natural persons based on automated processing including profiling, and on which decisions are taken that produce legal effects concerning the natural person or similarly significantly affect the natural person (WP29 Opinion 2/2017, p. 8).

Case-By-Case Evaluation
The processing of employee data may take place at least in the following circumstances (WP29 Opinion 2/2017, p. 9):

  • Recruitment;
  • Performance of the Employment Contract (including discharge of obligations laid down by law or collective agreements);
  • Management, Planning and Organisation of Work;
  • Equality and diversity in the workplace;
  • Health and safety at work;
  • Protection of an employer’s or customer’s property;
  • Exercise and enjoyment (on an individual basis) of rights and benefits related to employment; and
  • Termination of the employment relationship.

Employers should not assume that merely because an individual’s social media profile is publicly available they are then allowed to process those data for their own purposes. A legal ground is required for this processing, such as legitimate interest. In this context the employer should, prior to the inspection of a social media profile, take into account whether the social media profile of the applicant is related to business or private purposes, as this can be an important indication of the legal admissibility of the data inspection. In addition, employers are only allowed to collect and process personal data relating to job applicants to the extent that the collection of those data is necessary and relevant to the performance of the job which is being applied for. Data collected during the recruitment process should generally be deleted as soon as it becomes clear that an offer of employment will not be made or is not accepted by the individual concerned (see also Council of Europe, Recommendation CM/Rec(2015)5 of the Committee of Ministers to Member States on the processing of personal data in the context of employment, paragraph 13.2, 1 April 2015, url: https://search.coe.int/cm/Pages/result_details.aspx?ObjectID=09000016805c3f7a). The individual must also be correctly informed of any such processing before they engage with the recruitment process (WP29 Opinion 2/2017, p. 11).

Through the existence of profiles on social media, and the development of new analytical technologies, employers have (or can obtain) the technical capability of permanently screening employees by collecting information regarding their friends, opinions, beliefs, interests, habits, whereabouts, attitudes and behaviours, therefore capturing data, including sensitive data, relating to the employee’s private and family life. In-employment screening of employees’ social media profiles should not take place on a generalised basis. Moreover, employers should refrain from requiring an employee or a job applicant to provide access to information that he or she shares with others through social networking (WP29 Opinion 2/2017, p. 12).

The fact that an employer has the ownership of the electronic means does not rule out the right of employees to secrecy of their communications, related location data and correspondence. The tracking of the location of employees through their self-owned or company issued devices should be limited to where it is strictly necessary for a legitimate purpose. Certainly, in the case of Bring Your Own Device it is important that employees are given the opportunity to shield their private communications from any work-related monitoring (WP29 Opinion 2/2017, p. 22-23).

Monitoring every online activity of the employees is a disproportionate response and an interference with the right to secrecy of communications. The employer should first investigate other, less invasive, means to protect the confidentiality of customer data and the security of the network. As a good practice, the employer could offer alternative unmonitored access for employees. Moreover, employers should identify certain types of traffic whose interception endangers the proper balance between their legitimate interests and employees’ privacy, such as the use of private webmail and visits to online banking and health websites, with the aim of configuring the monitoring appliance so that it does not intercept communications in circumstances where interception would not be proportionate. Information on the type of communications that the appliance is monitoring should be specified to the employees.

A policy concerning the purposes for which, when, and by whom suspicious log data can be accessed should be developed and made easily and permanently accessible to all employees, in order to also guide them about acceptable and unacceptable use of the network and facilities. This allows employees to adapt their behaviour to prevent being monitored when they legitimately use IT work facilities for private use. As good practice, such a policy should be evaluated, at least annually, to assess whether the chosen monitoring solution delivers the intended results, and whether there are other, less invasive tools or means available to achieve the same purposes.

The legal basis of the employer’s legitimate interest is only available if the processing meets certain conditions. Firstly, employers utilising these products and applications must consider the proportionality of the measures they are implementing, and whether any additional actions can be taken to mitigate or reduce the scale and impact of the data processing. As an example of good practice, this consideration could be undertaken via a DPIA prior to the introduction of any monitoring technology. Secondly, employers must implement and communicate acceptable use policies alongside privacy policies, outlining the permissible use of the organisation’s network and equipment, and strictly detailing the processing taking place. In some countries the creation of such a policy would legally require approval of a Workers’ Council or similar representation of employees. In practice, such policies are often drafted by IT maintenance staff. Since their main focus will mostly be on security, and not on the legitimate expectation of privacy of employees, WP29 recommends that in all cases a representative sample of employees is involved in assessing the necessity of the monitoring, as well as the logic and accessibility of the policy (WP29 Opinion 2/2017, p. 14). The processing involved in technologies of extensive employee surveillance, e.g. recording an employee’s keystrokes and mouse movements, is disproportionate, and the employer is very unlikely to have a legal ground under legitimate interest (WP29 Opinion 2/2017, p. 17).

An employer might be obliged to install tracking technology in vehicles to demonstrate compliance with other legal obligations, e.g. to ensure the safety of employees who drive those vehicles. The employer may also have a legitimate interest in being able to locate the vehicles at any time. Even if employers would have a legitimate interest in achieving these purposes, it should first be assessed whether the processing for these purposes is necessary, and whether the actual implementation complies with the principles of proportionality and subsidiarity. Where private use of a professional vehicle is allowed, the most important measure an employer can take to ensure compliance with these principles is the offering of an opt-out: the employee in principle should have the option to temporarily turn off location tracking when special circumstances justify this, such as a visit to a doctor. The employer must also clearly inform the employees that a tracking device has been installed in a company vehicle that they are driving, and that their movements are being recorded whilst they are using that vehicle (and that, depending on the technology involved, their driving behaviour may also be recorded). Preferably such information should be displayed prominently in every car, within eyesight of the driver. It is unlikely that there is a legal basis for monitoring the locations of employees’ vehicles outside agreed working hours. However, should such a necessity exist, an implementation that is proportionate to the risks should be considered. For example, this could mean that, in order to prevent car theft, the location of the car is not registered outside working hours unless the vehicle leaves a widely defined circle (region or even country) (WP29 Opinion 2/2017, p. 19-20).

Data processing at work must be a proportionate response to the risks faced by an employer. For example, internet misuse can be detected without the necessity of analysing website content. If misuse can be prevented (e.g. by using web filters) the employer has no general right to monitor. Further, a blanket ban on communication for personal reasons is impractical and enforcement may require a level of monitoring that may be disproportionate. Prevention should be given much more weight than detection: the interests of the employer are better served by preventing internet misuse through technical means than by expending resources in detecting misuse.

The information registered from the ongoing monitoring, as well as the information that is shown to the employer, should be minimised as much as possible. Employees should have the possibility to temporarily shut off location tracking, if justified by the circumstances. Solutions that, for example, track vehicles can be designed to register the position data without presenting it to the employer. Employers must take the principle of data minimisation into account when deciding on the deployment of new technologies. The information should be stored for the minimum amount of time needed, with a retention period specified. Whenever information is no longer needed it should be deleted (WP29 Opinion 2/2017, p. 23).

Where employees are expected to use online applications which process personal data (such as online office applications), employers should consider enabling employees to designate certain private spaces to which the employer may not gain access under any circumstances, such as a private mail or document folder. The use of most applications in the cloud will result in the international transfer of employee data. It should be ensured that personal data are transferred to a third country outside the EU only where an adequate level of protection is ensured, and that the data shared outside the EU/EEA and subsequent access by other entities within the group remain limited to the minimum necessary for the intended purposes (WP29 Opinion 2/2017, p. 24).
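The vehicle-tracking guidance above (opt-out for private trips, nothing registered outside working hours unless the vehicle leaves a widely defined region, raw positions stored but not presented to the employer, a fixed retention period) can be expressed as a small policy engine. The following is an added illustration, not code from WP29 or from any product; the working hours, the 200 km circle around Brussels, the 30-day retention and all names (`Policy`, `LocationLog`, `VAN-1`) are assumptions to be replaced by the outcome of your own DPIA.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Optional

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


@dataclass(frozen=True)
class Policy:
    """Hypothetical parameters; every value here is an assumption for the example."""
    work_start_hour: int = 8
    work_end_hour: int = 18               # exclusive
    work_days: tuple = (0, 1, 2, 3, 4)    # Monday..Friday
    region_centre: tuple = (50.85, 4.35)  # assumed wide circle centred on Brussels
    region_radius_km: float = 200.0
    retention_days: int = 30

    def in_working_hours(self, ts: datetime) -> bool:
        return ts.weekday() in self.work_days and self.work_start_hour <= ts.hour < self.work_end_hour

    def outside_region(self, lat: float, lon: float) -> bool:
        return haversine_km(lat, lon, *self.region_centre) > self.region_radius_km


@dataclass(frozen=True)
class Sample:
    vehicle: str
    ts: datetime
    lat: float
    lon: float


@dataclass(frozen=True)
class Record:
    vehicle: str
    ts: datetime
    lat: float
    lon: float
    reason: str  # "working_hours" or "left_region"


class LocationLog:
    def __init__(self, policy: Policy):
        self.policy = policy
        self._records: list = []
        self._private: set = set()   # vehicles whose driver switched tracking off (opt-out)
        self.access_log: list = []   # who looked at raw positions, and why

    def set_private(self, vehicle: str, private: bool) -> None:
        if private:
            self._private.add(vehicle)
        else:
            self._private.discard(vehicle)

    def decide(self, s: Sample) -> str:
        """Apply the WP29-style rules to one GPS sample; returns the storage reason or "suppress"."""
        if s.vehicle in self._private:
            return "suppress"          # driver opt-out, e.g. a visit to a doctor
        if self.policy.in_working_hours(s.ts):
            return "working_hours"
        if self.policy.outside_region(s.lat, s.lon):
            return "left_region"       # anti-theft exception outside working hours
        return "suppress"              # default outside working hours: nothing stored

    def ingest(self, s: Sample) -> Optional[Record]:
        reason = self.decide(s)
        if reason == "suppress":
            return None
        rec = Record(s.vehicle, s.ts, s.lat, s.lon, reason)
        self._records.append(rec)
        return rec

    def employer_view(self) -> dict:
        """What the employer dashboard gets: per-vehicle km and alert times, never raw positions."""
        by_vehicle: dict = {}
        for r in self._records:
            by_vehicle.setdefault(r.vehicle, []).append(r)
        view = {}
        for v, recs in by_vehicle.items():
            work = [r for r in recs if r.reason == "working_hours"]
            km = sum(haversine_km(a.lat, a.lon, b.lat, b.lon) for a, b in zip(work, work[1:]))
            alerts = [r.ts.isoformat() for r in recs if r.reason == "left_region"]
            view[v] = {"work_samples": len(work), "work_km": round(km, 1), "alerts": alerts}
        return view

    def raw_positions(self, requester: str, justification: str) -> list:
        """Raw positions are only released through this audited path (e.g. a theft report)."""
        self.access_log.append((datetime.now().isoformat(), requester, justification))
        return list(self._records)

    def purge(self, now: datetime) -> int:
        """Enforce the retention period; returns the number of records deleted."""
        cutoff = now - timedelta(days=self.policy.retention_days)
        before = len(self._records)
        self._records = [r for r in self._records if r.ts >= cutoff]
        return before - len(self._records)
```

`decide()` is the proportionality test made executable: the opt-out wins over everything, working-hours samples are stored, and out-of-hours samples are dropped unless the geofence is breached. Keeping raw positions behind `raw_positions()` with an access log is what lets the employer satisfy the "register without presenting" recommendation and the access-policy transparency point in the same design.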

Employers are increasingly using cloud-based applications and services, such as those designed for the handling of HR data as well as online office applications. The use of most of these applications will result in the international transfer of data from and concerning employees. As previously outlined in Opinion 08/2001, Art. 25 of Directive 95/46/EC (the Data Protection Directive, “DPD”) states that transfers of personal data to a third country outside the EU can take place only where that country ensures an adequate level of protection. Whatever the basis, the transfer should satisfy the provisions of the Directive. It should thus be ensured that these provisions concerning the international transfer of data are complied with. WP29 restates its previous position that it is preferable to rely on adequate protection rather than the derogations listed in Art. 26 of the DPD; where consent is relied on it must be specific, unambiguous and freely given. However, it should also be ensured that the data shared outside the EU/EEA, and subsequent access by other entities within the group, remain limited to the minimum necessary for the intended purposes (WP29 Opinion 2/2017, p. 22).

Tips & Tricks
When processing employees’ personal data employers should always bear in mind the following points (WP29 Opinions 08/2001 and 2/2017):

  • fundamental data protection principles should be observed, irrespective of the technology used;
  • the contents of electronic communications made from business premises enjoy the same fundamental rights protections as analogue communications;
  • consent is highly unlikely to be a legal basis for data processing at work, unless employees can refuse without adverse consequence;
  • performance of a contract and legitimate interests can sometimes be invoked, provided the processing is strictly necessary for a legitimate purpose and complies with the principles of proportionality and subsidiarity;
  • employees should receive effective information about the monitoring that takes place; and
  • any international transfer of employee data should take place only where an adequate level of protection is ensured.

Sources
WP29, Opinion 08/2001 on the processing of personal data in the employment context, WP 48, 13 September 2001.
WP29 Working document on the surveillance of electronic communications in the workplace, WP 55, 29 May 2002.
WP29 Opinion 2/2017 on data processing at work, WP 249, 8 June 2017.