Worldwide: EU Regulators Issue An Updated Opinion On Processing Data In The Workplace

On June 29, 2017, the Article 29 Working Party (the EU body representing the data protection authorities (DPA) of each EU member country) issued an updated opinion regarding the processing of personal data in the workplace. Recognizing that employers are rapidly adopting new information technology, the opinion updates the Working Party's 2001 opinion regarding processing data in the employment context and 2002 opinion regarding the surveillance of electronic communications in the workplace. Additionally, the opinion provides guidance for processing employment data under the EU General Data Protection Regulation (GDPR), which becomes effective in May 2018.

The opinion reiterates that employers must have a legitimate legal basis to process employment-related data. The opinion confirms that employee consent cannot be used as the legal basis for the majority of processing because the unequal relationship between employers and employees casts doubt on the voluntariness of the employee's consent. Instead, employers must justify the processing of employee data under other legal grounds such as the performance of an employment contract (e.g., for pay purposes), compliance with legal obligations (e.g., for tax obligations or legitimate interests of the employer, which must be balanced against the fundamental privacy rights of employees).

The opinion provides guidance for processing data in the following, common employment scenarios:

Processing Applicant Data

Employers should not assume that they can process social media information about a candidate simply because the candidate's social media profile is publicly available. Rather, employers may review a candidate's social media information only if necessary and if the candidates are properly notified of the processing in the text of the job advertisement or by other means. Further, an employer cannot require potential employees to "friend" the employer or provide access to the contents of their profiles. Finally, employers are required to delete any data collected during the recruitment process as soon as it becomes clear that the employer will not be making an offer of employment or that the individual will not be accepting an offer.

Processing Social Media Data During or After Employment

Employers may not review or monitor employees' social media profiles to make employment decisions unless the employer can prove that such monitoring is necessary to protect legitimate interests (i.e., monitoring LinkedIn profiles of former employees to enforce non-compete obligations), there are no other less invasive means available, and the employees have been adequately informed about the extent of the monitoring.

Additionally, employers cannot require employees to use a social media profile provided by the employer, even where the profile is related to their jobs (e.g., as it may be for a spokesperson for an organization). Rather, employers must provide employees the option of a "non-work," non-public profile that they can use instead of an official employer-related profile, and this option should be specified in the terms and conditions of the employment contract.

Monitoring Employee Usage of Information and Communications Technology

Although employers have a legitimate interest in monitoring employee use of company provided information and communications technology (ICT) to protect the security of the network and prevent unauthorized access to or release of confidential information, continuous or excessive monitoring of the ICT activity of employees is prohibited because employers may also access employees' personal communications or activities. Instead, employers should take the following steps to prevent unauthorized access to or release of confidential information:

  • Blocking suspicious incoming or outgoing traffic and redirecting employees to an information portal where they may ask for review of such an automated decision;
  • Offering employees free, unmonitored Wi-Fi or stand-alone devices or terminals for personal use and communications;
  • Providing guidance to employees regarding acceptable use of company ICT;
  • Consulting with employee representatives or a representative sample of employees regarding monitoring practices;
  • Conducting a data protection impact assessment (DPIA) prior to introducing monitoring technology;
  • Implementing rules in the system that alert employees prior to sending a particular email that the email constitutes a possible data breach and allows the sender the option to cancel the transmission; and
  • Providing employees with designated private spaces in the company's systems that the employer cannot access except in exceptional circumstances.

Monitoring Employees Working Remotely

While employers may believe that there is a greater need to monitor remote, unsupervised employees, the use of software packages capable of logging keystrokes and mouse movements, screen capturing (either randomly or at set intervals), and logging of applications used and how long they were used is excessive, and employers are unlikely to prove that they have a legitimate interest for such monitoring.

Monitoring Employee's Devices

Monitoring employee-owned devices per an employer's bring your own device (BYOD) policy often involves monitoring technologies that collect identifiers such as media access control addresses or perform security scans. Consequently, employers should ensure that they:

  • do not access sections of a device that are presumed to be only used for nonbusiness purposes (e.g., the folder storing photos taken with the device),
  • use technologies that that offer additional protections such as "sandboxing" data (keeping data contained within a specific app), and/or
  • consider prohibiting employees from using their own devices for work purposes if there is no way to prevent the monitoring of private use.

Implementing Mobile Device Management Applications

Mobile device management (MDM) applications enable employers to locate devices remotely, deploy specific configurations and/or applications, and delete data on demand. Employers should conduct a data privacy impact assessment prior to the deployment of any such technology where it is new, or new to the employer. Further, tracking systems should be designed to capture an employee's device location data without providing the location data to the employer, except where the device is reported lost or stolen.

Monitoring Wearable Devices

Wearable devices that track and monitor the user's health and activity are gaining in popularity. However, employers are generally prohibited from monitoring health data in this manner on devices they supply to employees, and it is highly unlikely that employees can give legally valid explicit consent for the tracking or monitoring of such data. Processing this data would be unlawful even if the employer uses a third party to collect the health data and the third party provides the employer with aggregated information about their employees' general health.

Thus, any health data collected on a wearable device should be accessible only to the employee and not to the employer. Further, employers should evaluate the privacy policy of the manufacturer and/or service provider of the wearable device to ensure that a third party does not engage in unlawful processing of health data of employees.

Using Access Control Systems

Employer systems that control which employees can enter the employer's premises or enter certain areas within the workplace are also capable of tracking employees' activities within the workplace. Employers may legitimately monitor access to server rooms in which business-sensitive data and personal data relating to employees and customers is stored to protect such data. However, the continuous monitoring of the frequency and exact entrance and exit times of the employees cannot be used for purposes other than security—such as for employee performance evaluation.

Monitoring Employees Using Facial Recognition Programs

Currently, it is possible for an employer to monitor employees' facial expressions by automated means to identify deviations from predefined movement patterns. This processing is likely to involve profiling and, possibly, automated decision-making. Therefore, employers should refrain from the use of facial recognition technologies in the workplace.

Monitoring Vehicles Used by Employees

Employers using GPS tracking devices or other telematics such as event data recorders in company vehicles must clearly inform employees that a tracking device has been installed in the vehicle, that their movements are being recorded while they are using that vehicle, and/or that their driving behavior is being recorded. Such notification should be displayed prominently in every company vehicle within the eyesight of the driver.

Where employees are permitted to use company vehicles for personal use, employers should not continuously monitor the location of an employee's vehicles outside agreed working hours. Employees should have the option to temporarily turn off the location tracker when engaging in personal activities. Additionally, while employers have a legitimate interest in preventing vehicle theft, employers should set the location tracking device so that it does not capture the location of the vehicle outside of working hours unless the vehicle leaves a widely defined circle (region or even country). Further, the location data should be accessible to the employer only when the vehicle leaves the predefined region

Event data recorders provide employers with a significant amount of personal data about the driving behavior of employees. Although improving employee driving skills is a legitimate employer interest, continuous monitoring of drivers through technology such as video cameras inside the cabin that record sound and video is excessive, and employers should employ other methods that prevent improper driver behavior. Such measures include installing equipment that prevents the use of mobile phones and installing safety systems like an advanced emergency braking system or a lane departure warning system that can be used for the prevention of vehicle accidents.

Disclosing Employee Data to Third Parties

Companies often transmit employee data to customers for the purpose of ensuring reliable service. For example, a delivery company may send its customers an email with a link to the name, location, and a photo of an employee making a delivery to allow the customer to recognize the employee as from the company. However, it is not necessary to provide the name and the photo of the employee to the customers and, therefore, the delivery company is not allowed to provide this personal data to customers.

Transferring HR Data Internationally

Employers increasingly are using cloud-based applications and services, such as human resources information systems (HRIS) and online employment applications. When company personnel located outside of the country in which an employee or applicant works or resides accesses one of these systems, that access is considered an international transfer of employee or applicant data. Thus, employers should ensure that they have a legal basis for the transfer of this HR data that ensures an adequate level of protection (i.e., standard contract clauses, binding corporate rules, EU-U.S. Privacy Shield, etc.).

Complying With the GDPR

The GDPR enhances the data protection requirements under current law and imposes new obligations for all data controllers, including employers. For example, the GDPR requires employers to implement data protection by design and by default. Thus, where an employer issues devices to employees, employers that are using tracking technologies should select the most privacy-friendly solutions. Additionally, the GDPR requires employers to perform a DPIA where the use of new technologies is likely to result in a high risk to the rights and freedoms of employees as monitoring technologies do.

Further, while the GDPR is intended to apply across the EU, the GDPR expressly permits each EU member state to establish its own specific requirements for the processing of employee personal data. The Working Party indicates that such rules should include suitable and specific measures to safeguard the employee's human dignity, legitimate interests, and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings or group of enterprises engaged in a joint economic activity, and monitoring systems at the workplace.

Key Takeaways for Employers

  • Because employees cannot freely provide consent to have their personal data processed, employers must justify the processing of human resources information based on other legal grounds such as performance of the employment contract, compliance with legal obligations, or legitimate interests of the employer. Thus, employers should analyze their current employee data processing practices to ensure that they have a legal justification for processing all employee data collected and processed.
  • Employers monitoring employees within or outside of the workplace should avoid continuous or excessive monitoring. Rather, employers should conduct data privacy impact assessments to determine whether there are other, less obtrusive means to accomplish their legitimate interests, such as implementing preventative measures that block inappropriate employee behavior or providing employees with unmonitored, "private spaces" to conduct personal activities.
  • The GDPR treats human resources data differently than consumer data and permits each EU member state to implement its own country-specific rules for employment data. Thus, employers should review the labor and data privacy laws in the countries in which they have employees and structure their GDPR compliance programs accordingly.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions