
Modern technology enables employees to be tracked over time, across workplaces and their homes, through many different devices, such as smartphones, desktops, tablets and wearable devices. According to the EU’s Article 29 Working Party Opinion on data processing at work, if there are inappropriate limits to the processing, and if it is not transparent, there is a high risk that the legitimate interest of employers in improving efficiency and protecting company assets is not properly balanced with data subjects’ rights and freedoms, so that the basis for processing becomes unlawful.

The WP29 Opinion, which replaces previous guidance from 2001, assesses how to balance the employer’s legitimate interests with the employee’s reasonable expectation of privacy. It focuses on obligations under the Data Protection Directive but anticipates changes under the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), which comes into force on 25 May 2018. The Opinion also addresses the different bases for processing employees’ personal data.

The Opinion is clear that for most data processing at work consent cannot and should not be the basis for processing – this will be a significant change of approach for employers. Consent is also revocable. Instead, a legitimate basis for processing employee data is likely to be where it is necessary for performance of the contract, to comply with legal obligations (e.g. employment law) or where the employer seeks to rely on a legitimate interest and the processing is necessary for that legitimate interest, balanced against the rights and freedoms of the employee. Regardless of the basis for processing, the processing must be transparent and secure.

Technology that monitors communications can have a “chilling effect” on the fundamental rights of employees to organise, set up workers’ meetings, and to communicate confidentially. Employees may not be aware of what personal data is being processed by their employer and for what purposes. Risks are heightened by the reduced cost of processing large quantities of personal data, the ability to monitor the use of online services and/or location data in ways which are less visible to employees than traditional CCTV cameras, and the blurring between home and work, which can potentially include monitoring of the individual in a private context. Regardless of the legal basis for processing, a proportionality test should be undertaken to consider whether the processing is necessary to achieve a legitimate purpose and to minimise any infringement of the data subjects’ rights to a private life.

The Opinion recognises the growth of technology-based businesses which use digital platforms to create new working arrangements and business models in the “gig economy”. The Working Party’s recommendations are not restricted to individuals with an employment contract, but intend to cover all situations where there is an “employment relationship” in the widest sense (e.g. including working on a freelance basis).

Nine practical examples of data processing are given to highlight the potential for technology to jeopardise the privacy of employees in the workplace:

  1. Recruitment – particularly the use of social media during the recruitment process to investigate candidates (just because a social media profile is public does not mean the employer is allowed to process data on that profile);
  2. In-employment (or post-employment) screening regarding employees and their friends, opinions, beliefs, interests and attitudes, including through the use of social media;
  3. Monitoring Information and Communications Technologies (“ICT”) usage in the workplace – particularly given newer, potentially more intrusive and pervasive ways of monitoring which enable employers to monitor all ICT usage in the workplace as opposed to just email and/or website monitoring – consider undertaking a Data Protection Impact Assessment and ensure an acceptable use policy is in place and accessible to employees outlining what is permissible use and what processing is taking place (ideally discussed with a group of employees before implementation);
  4. Monitoring ICT usage outside the workplace – particularly the extension of monitoring systems into the domestic sphere through homeworking, remote working and “bring your own device” policies – apply a proportionate, non-excessive approach and have measures in place to distinguish between personal and business use. Also, monitoring health data using wearable devices is likely to be prohibited – an employee would need to give explicit consent to processing this data and it is highly unlikely that legally valid consent could be given by an employee, unless it is clear the employee can refuse without adverse consequences;
  5. Monitoring time and attendance – particularly more sophisticated technologies which enable tracking through mobile devices;
  6. Video monitoring systems – particularly the new capability to access collected data remotely (e.g. through a smartphone), reduction in camera sizes with increased capabilities and new video analytics – employers should avoid monitoring the worker’s facial expressions;
  7. Monitoring vehicle usage – particularly the collection of tracking data about the location, driver behaviour and continuous monitoring of the driver – monitoring should not take place where the employee uses a company vehicle for personal use (where permitted);
  8. Disclosure of employee data to third parties – for example the transmission of an employee’s details to its customer (this may not be permissible);
  9. International transfer of HR and other employee data – particularly the use of cloud-based applications and services, such as those designed for handling HR-data – where possible allow employees access to private spaces.

In each case employers should consider whether the data processing activity is lawful and necessary, and whether the processing is fair, proportionate and transparent.

Conclusions

The WP29 Opinion provides important and timely guidance to employers on the need to be proportionate in the way that technology is used in the workplace to protect the privacy of employees. The new obligations under the GDPR require employers to embed data protection by design; this may require a more thoughtful approach from employers as to how they introduce monitoring technologies into the workplace to ensure proper protections of employee personal data and privacy.

Practical tips

Employers should:

  • Consider the fundamental data protection principles, irrespective of the technology used to process data.
  • Designate certain private spaces on devices, where employees are expected to use online applications which process personal data for personal purposes only.
  • Recognise that consent is highly unlikely to be a legal basis for data processing at work, unless employees can refuse without adverse consequences.
  • Communicate with employees about any monitoring - policies and rules concerning legitimate monitoring must be clear and readily accessible.
  • Ensure data processing at work is a proportionate response to the risks faced by an employer. Consider whether or not to undertake a Data Protection Impact Assessment.
  • Avoid monitoring an employee’s social media profiles, without advising employees or job applicants of this practice.
  • Restrict intrusive monitoring of an employee’s conduct, through facial recognition technology, keypad and mouse-monitoring to where it is absolutely necessary and proportionate. Select the most privacy-friendly settings on devices issued by the employer where the device can be tracked.
  • Avoid using any technology analytics for automated decision-making.
  • Ensure an adequate level of protection for any international transfer of employee data. NB The use of most cloud applications will result in the international transfer of employee data. Personal data should only be transferred to a third country outside the EU where an adequate level of protection is ensured and the data shared outside the EU/EEA should be limited to the minimum necessary.
