Your employer is watching you! Based on this motto and given the increasing use of new technologies by employers, the Article 29 Working Party (the representative body for data protection authorities in the EU) recently released an opinion (2/2017) on data processing at work. In addition to comments on the data protection principles applicable to processing in the employment context, including on the basis of the General Data Protection Regulation (GDPR), the opinion provides feedback on a number of concrete examples, such as the use of social media in the recruitment process and vehicle tracking systems. It also provides useful recommendations to help employers ensure compliance with privacy laws when engaging in data processing.
Consent not deemed a valid legal basis for the processing of employee data
The Article 29 Working Party (WP29) reiterates the position adopted in its previous opinion (8/2001) that due to the clear imbalance between employers and employees, the latter are almost never in a position to freely give, refuse or revoke consent. Hence, save for exceptional cases (when granting or withholding consent has no consequences for the employee), employers must rely on another legal basis for the processing of employee personal data.
Other possible grounds are the performance of an employment contract, the fulfilment of a legal obligation to which the employer is subject and the pursuit of a legitimate interest by the employer where the processing is strictly necessary for such purpose and complies with the principles of proportionality and subsidiarity.
Use of social media in the recruitment process
Companies may use social media to assess the application of a candidate where (i) doing so is necessary and relevant for the performance of the position applied for, (ii) the relevant social media profile is related to professional purposes, (iii) the applicant has been informed prior thereto, and (iv) the company generally complies with all data protection principles.
It should be noted that an employer may not require potential employees to become its “friends” or connections on a social media platform or oblige them to grant access to their profiles in any other way.
Techniques enabling employers to permanently screen their employees and their environment (such as their friends, opinions, beliefs, etc.) should not take place on a generalised basis. Monitoring of former employees’ LinkedIn profiles may for instance be done (i) when the company has a legitimate interest in doing so (e.g. to ensure compliance with a non-compete clause), (ii) there are no other less invasive means available, and (iii) the former employee has been adequately informed.
Furthermore, employees should always have the choice to use a “non-official” employer-related social media profile. This possibility should be expressly stated in the employment contract.
Monitoring ICT usage at the workplace
Further to the position adopted in its previous working document on the subject (WP 55), WP29 addresses in its new opinion technical developments since 2002 such as data loss prevention (DLP) tools, next-generation firewalls (NGFWs), and e-discovery technology.
The use of such tools may be in the employer’s legitimate interest where the measures are proportional and additional actions are taken to mitigate or reduce the scale and impact of the data processing. For instance, where the monitoring tool recognises an e-mail as a possible data breach, a warning message should be delivered before the e-mail is sent in order to give the sender the option of cancelling it.
Furthermore, the employer should implement and communicate acceptable use policies in addition to privacy policies. Use policies outline the permissible use of the organisation’s network and equipment and strictly detail the processing taking place. WP29 recommends that a representative sample of employees be involved in assessing the need for monitoring, as well as the logic and accessibility of the policy.
Monitoring ICT usage outside the workplace
The first identified issue is the monitoring of home and remote working. Due to the higher risk of unauthorised access within the context of remote work, some employers deploy software packages enabling inter alia the logging of keystrokes, mouse movements or applications used. WP29 considers these technologies disproportionate and promotes less excessive tools.
With respect to “bring your own device” (BYOD) policies, WP29 points out the risks associated with security or location and traffic scans by the employer. In such a case, it recommends (i) adopting appropriate measures to enable the employer to clearly distinguish between private and business use of the device and (ii) implementing methods to ensure that the employer’s own data on the device is securely transferred to its network.
WP29 also examines mobile device management (MDM) tools. Its opinion advocates a very restrictive use of technologies that enable employers to locate devices remotely, deploy specific configurations and/or applications, and delete data on demand. Such tools may only be used where (i) a DPIA (which is required under the GDPR for high-risk processing) and an assessment of compliance with the proportionality and subsidiarity principles have been conducted beforehand, (ii) the processing is limited to a specified purpose, (iii) tracking features are mitigated, and (iv) the employee has been adequately informed.
Finally, WP29 discourages employers from processing health and activity data collected by wearable devices. In its opinion, an employee may not validly consent to the processing of such sensitive data and it is technically very difficult to ensure complete anonymisation. Hence, the resulting data should only be accessible to the employee, not the employer.
Vehicles used by employees
GPS tracking systems and event data recorders enable the employer to access data relating to a vehicle's location and the driver's behaviour. Use by the employer of such tracking systems may, to a certain extent, be justified by the need to comply with statutory obligations such as ensuring the safety of the employees driving the vehicles. However, the employer should nevertheless always verify compliance with the necessity, proportionality and subsidiarity principles.
In any case, employees should be clearly informed of the use of such tracking systems, for instance by means of a clearly visible notice in every vehicle. Furthermore, if employees are allowed to use the vehicle for private purposes, they should be able to temporarily deactivate location tracking.
Room to legislate
Finally, it should be noted that despite the choice of a regulation by the EU legislature for the data privacy framework (GDPR), Member States have the possibility to adopt more specific rules in relation to:
- the performance of employment contracts (including the discharge of obligations laid down by law or in collective agreements);
- management, planning and organisation of work;
- equality and diversity in the workplace;
- health and safety at work;
- the protection of employer or customer property;
- the exercise and enjoyment (on an individual basis) of rights and benefits related to employment; and
- termination of the employment relationship.
Bills addressing these aspects are currently being prepared in the Benelux, and it appears that Luxembourg will maintain its legislative framework on the monitoring of the use of IT tools in the workplace.