On June 8, 2017, the Article 29 Working Party (WP29) issued Opinion 2/2017 on data processing at work, which makes a “new assessment of the balance between legitimate interests of employers and the reasonable privacy expectations of employees” and also considers the new challenges to data protection created by new technologies.
Opinion 2/2017 updates the previous Opinion 08/2001 on the processing of personal data in the employment context (WP48) and the 2002 Working Document on the surveillance of electronic communications in the workplace (WP55).
The WP29 opined that the contents of employees’ communications, as well as the traffic data relating to those communications, “enjoy the same fundamental rights protections as ‘analogue’ communications.”
However, with reference to the legal basis allowing the processing of employees’ personal data, Opinion 2/2017 highlights how employees are almost never in a position to freely give, refuse or revoke consent, given the imbalance of power in an employer/employee relationship.
The legitimate interest of employers can sometimes be invoked as a legal ground, but “only if the processing is strictly necessary for a legitimate purpose and the processing complies with the principles of proportionality and subsidiarity.”
The principle of transparency permeates the whole Opinion: employers should duly inform employees of any monitoring that takes place, the purposes for this monitoring and the circumstances. The other two principles relied on by Opinion 2/2017 are the principles of proportionality and data minimization.
“Data processing at work must be a proportionate response to the risks faced by an employer” and “the information registered from the ongoing monitoring, as well as the information that is shown to the employer, should be minimized as much as possible.”
All these principles shall be taken into account by employers when deciding on the use of new technologies.
The Opinion also discusses the additional obligations of Regulation 2016/679, the so-called General Data Protection Regulation (GDPR), to wit:
- data protection by design and by default. Under Art. 25, GDPR, where an employer issues devices to employees, the most privacy-friendly solutions should be selected if tracking technologies are involved;
- data protection impact assessments. Art. 35, GDPR, outlines the requirements for a data controller to carry out a Data Protection Impact Assessment (DPIA) where a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons;
- “processing in the context of employment”. Art. 88, GDPR, states that Member States may, by law or collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context, for example in recruitment, health and safety, and termination of the employment relationship.
Opinion 2/2017 includes a section that addresses a number of scenarios in which technologies may put employees’ privacy at high risk. In all such cases, employers should consider whether the processing is necessary, fair, proportionate, and transparent.
- Processing operations during the recruitment process. First, employers should not assume that merely because an individual’s social media profile is publicly available they are then allowed to process it. Second, data collected during the recruitment process should generally be deleted as soon as it becomes clear that an offer of employment will not be made or accepted. Third, there is no legal ground for an employer to require potential employees to “friend” the potential employer, or in other ways provide access to the contents of their profiles.
- Processing operations resulting from in-employment screening. Through social media profiles, and new analytical technologies, employers have the technical capability of permanently screening employees by collecting information regarding their friends, opinions, beliefs, interests, habits, whereabouts, attitudes and behaviors relating to the employee’s private and family life. “In-employment screening of employees’ social media profiles should not take place on a generalized basis.”
- Processing operations resulting from monitoring ICT usage at the workplace. Employers might implement an “all-in-one” monitoring solution, such as a suite of security packages which enable them to monitor all ICT usage in the workplace as opposed to just email and/or website monitoring. The conclusions adopted in WP55 would apply to any system that enables such monitoring to take place. However, the legitimate interest basis of Article 7(f) of Directive 95/46/EC (Art. 6(1)(f), GDPR) is only available if the processing meets certain conditions. First, employers utilizing these applications must consider “the proportionality of the measures they are implementing, and whether any additional actions can be taken to mitigate or reduce the scale and impact of the data processing.” A DPIA should assess monitoring technologies prior to their implementation. Second, employers must communicate acceptable use and privacy policies, outlining the permissible use of the organization’s network and equipment, and strictly detailing the processing taking place. Opinion 2/2017 also discusses bring-your-own-device (BYOD) policies, mobile device management (MDM), and wearable devices.
- Processing operations relating to time and attendance. Such processing may be necessary and may not outweigh employees’ right to private life, so it can rest on the employer’s legitimate interest under Art. 7(f) of the Directive (Art. 6(1)(f), GDPR), but only if the employees have been adequately informed about that processing. “However, the continuous monitoring of the frequency and exact entrance and exit times of the employees cannot be justified if these data are also used for another purpose, such as employee performance evaluation.”
- Processing operations using video monitoring systems. Employers may technically monitor employees’ facial expressions by automated means, identify deviations from predefined movement patterns (e.g. in a factory context), and more. However, these invasive technologies are generally disproportionate to the rights and freedoms of employees and, therefore, generally unlawful.
- Processing operations involving vehicles used by employees. Tracking technology in vehicles, commonly installed to demonstrate compliance with legal obligations, can be legitimate under the employer’s legitimate interest, but it must be assessed whether the processing is necessary and “whether the actual implementation complies with the principles of proportionality and subsidiarity.” Employers must also clearly inform employees that a tracking device has been installed. Where employees use a professional vehicle for private matters, employers should offer an opt-out, i.e. the option to temporarily turn off location tracking.
- Processing operations involving disclosure of employee data to third parties. Often companies transmit their employees’ data to their customers for the purpose of ensuring a reliable service. Opinion 2/2017 reminds the employer that “if the data processing is not proportional, the employer does not have a legal ground [for this transmission]”.
- Processing operations involving international transfers of HR and other employee data. Art. 25 of Directive 95/46/EC states that transfers of personal data to a third country outside the EU can take place only where that country ensures an adequate level of protection. Similar provisions are found in Arts. 44 and 45, GDPR.
Opinion 2/2017 on data processing at work, issued by the Article 29 Working Party (WP29), is available at http://ec.europa.eu…