Snooping by an Employer on Its Workers Will Be a Breach of the GDPR
Tuesday, July 11, 2017
Posted by: ACEDS Marketing Team
Extract from Ardi Kolah LL.M's article "Snooping by an Employer on Its Workers Will Be a Breach of the GDPR"
Posted on LinkedIn
In its latest Opinion published on 29 June 2017, the Art.29 Data Protection Working Party (WP29) makes a fresh assessment of the balance between legitimate interests of the employer and the reasonable privacy expectations of employees working within the European Union.
The concept of ‘employee’ is widened and includes those with a contract of service as well as contractors working under a contract for services. The Opinion is intended to cover all situations where there’s an employment relationship, irrespective of whether this relationship is based on an employment contract.
WP29 also highlighted the risks posed by new technologies deployed in the workplace and the need for the employer to undertake a proportionality assessment before deploying such measures.
In many respects the WP29 Opinion isn’t new; rather, it reaffirms the position WP29 took under the Data Protection Directive 95/46/EC, prior to the adoption on 27 April 2016 of Regulation 2016/679 (the General Data Protection Regulation). There are, however, a few direct references to the GDPR, which are discussed below in this blog.
WP29 will morph into the European Data Protection Board (EDPB) and as such this Opinion shouldn’t be ignored.
In essence, it expects all employers to adhere to the seven principles of data protection as provided under Art.5, GDPR and, from a practical perspective, this means that:
- companies and organisations should always bear in mind the fundamental data protection principles, irrespective of the technology used to monitor workers
- the contents of electronic communications made from business premises enjoy the same fundamental rights protections as analogue communications
- consent is highly unlikely to be a legal basis for processing personal data at work, unless employees can refuse to give their consent without adverse consequences that would destroy a contract of service or contract for services
- other legal grounds for processing workers’ personal data, such as performance of a contract and the legitimate interests of the employer, can be invoked provided the processing of that personal data is strictly necessary for a legitimate purpose and complies with the principles of proportionality and subsidiarity
- workers should receive effective information about the monitoring that takes place in the workplace in a lawful, fair and transparent way
- any international transfer of an employee’s personal data should take place only where an adequate level of protection is provided by the employer (for example, where Binding Corporate Rules exist).
There’s a growing consensus – including the view held by the Information Commissioner’s Office in the UK – that the legal basis for processing personal data of employees is likely to be the legitimate interests of the employer or contract, as opposed to consent.