In this GDPR Update we address several separate aspects of data processing that relate to the employment context.
There are many new technologies, such as online tools, that enable a more systematic processing of employees' personal data at work. These technologies can be helpful in detecting or preventing the loss of company property, improving the productivity of employees and protecting the personal data for which the data controller (the employer) is responsible.
However, these technologies also create significant privacy and data protection risks. An assessment concerning the balance between the legitimate interest of the employer to protect its business and the privacy of the employees is required. Irrespective of the technology used, the employer must always bear in mind the fundamental data protection principles.
First, we will address article 88 of the GDPR and the possibility of derogations from the main GDPR rules. Second, we will discuss the processing of employee data in general. Third, we will go into more detail on employee monitoring. Fourth, we will look briefly into cloud-based tools and data transfers. Finally, we will finish with practical recommendations.
Article 88 of the General Data Protection Regulation (the GDPR) provides that EU member states may provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context.
Any such rules should include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, particularly regarding:
- The transparency of processing;
- Transferring personal data within a group of undertakings or group of enterprises engaged in a joint economic activity; and
- Monitoring systems at the workplace.
The Dutch GDPR Implementation Act (to date a draft) does not provide any such specific rules, as the Dutch government finds that the general rules of the GDPR provide sufficient protection to the employee for the processing of his or her personal data in the employment context. However, other EU member states have indicated that, where allowed, they will implement greater restrictions than imposed by the GDPR. This is something employers with operations in various EU member states should take into account carefully.
Legal grounds for employees' data processing
Pursuant to article 6 of the GDPR, a legal basis is required to process personal data lawfully. This article exhaustively lists six legal grounds:
- Data subject's consent;
- Processing is necessary for the performance of a contract to which the data subject is a party;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary for the protection of vital interests of the data subject or any other natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party.
In the employment context, processing may, for example, be necessary for the performance of an employment contract in cases where the employer has to process the personal data of an employee to meet its obligations under the contract, e.g. to transfer the salary to the employee. Furthermore, employment law also often imposes legal obligations that necessitate the processing of personal data, such as salary administration and the payment of taxes. In such cases, the law provides a legal basis for the processing of data.
Another legal ground for processing is consent (first bullet above), which should be 1) freely given, 2) specific, 3) informed and 4) unambiguous. Employees are seldom in the position to 1) freely give, 2) refuse or 3) revoke consent, due to the dependency that results from the relationship between the employee and the employer. Given the imbalance of power, it is unlikely that the employee is able to deny his or her consent to the employer for the processing of data without experiencing the fear of real risk of detrimental effects as a result of a refusal. For the majority of the cases of data processing in the employment context, the legal basis cannot and should not be the consent of the employee. However, this does not mean that employers are never able to rely on consent as a lawful basis. In exceptional cases, in which it is evident (to the employee) that denying consent will have no adverse consequences for the employee at all, the employer may rely on consent.
Invoking the ground of a legitimate interest (last bullet above) as a lawful basis for processing is only possible to the extent that the processing is necessary for a legitimate purpose and if the processing complies with the principles of proportionality and subsidiarity. The employer should be able to demonstrate that appropriate measures are put in place to ensure a balance with the fundamental rights and freedoms of employees, e.g. limit monitoring to specific work areas.
Monitoring systems at the workplace
Modern technologies enable employers to monitor employees over time, across workplaces and their homes, through many different devices, such as smartphones, desktops, tablets, vehicles and wearables.
Employers must inform employees on the existence of any monitoring, the purposes for which personal data will be processed and any other information necessary to guarantee fair processing.
Monitoring every (online) activity of the employees is disproportionate. The employer should first investigate other less invasive means to protect the privacy and confidentiality of the personal data of its employees and the security of the network. Furthermore, if there are no limits to the processing and it is not transparent, there is a high risk that the legitimate interest of employers in the improvement of efficiency and the protection of company assets turns into unjustifiable and intrusive monitoring.
Proportionality and data minimization
Employee monitoring must be a proportionate response to the risks faced by an employer. For example, internet misuse can be detected without the necessity of analyzing website content. The employer has, for example, no general right to monitor its employees if misuse can be prevented through alternative measures such as web filters. Prevention is generally preferable over detection.
Employers using monitoring products and tools must consider the proportionality of the measures they are implementing. They should check whether it is possible to take any additional actions to reduce the impact of the data processing. The Article 29 Working Party makes two recommendations in this regard:
- To undertake a data protection impact assessment prior to the introduction of any monitoring technology in the workplace; and
- To implement and communicate acceptable use policies alongside privacy policies that strictly detail the processing taking place.
The information registered from the ongoing monitoring, as well as the information shown to the employer, should be minimized as much as possible. For example, where the employer implements new technologies, the processed information should be stored for the minimum amount of time needed with a specified retention period. Furthermore, if the employer issues new devices to its employees with inter alia a tracking function, it should be possible to shut off location tracking temporarily (if justified by the circumstances). Generally, an employer should refrain from tracking an employee's location outside of working hours.
Cloud services, online tools and international transfers
Where employers use online tools that process personal data, they should consider enabling employees to designate certain private spaces, such as private mail or a specific document folder, to which the employer may not gain access under any circumstances.
The use of most cloud-based tools will result in the international transfer of employee data. The employer should ensure that any transfer of personal data to a third country outside the EEA takes place only where an adequate level of protection is ensured.
Employers should take into account the following action points when processing employees' personal data:
- Employers should always have a valid legal basis for the processing of employees' personal data;
- Consent is highly unlikely to be a valid legal basis for data processing at work, unless employees can refuse without any adverse consequences;
- Performance of a contract and legitimate interest can be invoked, provided the processing is strictly necessary for a legitimate purpose and complies with the principles of proportionality and subsidiarity;
- Data processing at work must be a proportionate response to the risks faced by an employer;
- Information registered from e.g. ongoing monitoring, as well as information shown to the employer, should be minimized as much as possible;
- Employers should inform the employees in advance that the monitoring of IT systems is taking place;
- Any international transfer of employee data should take place only where an adequate level of protection is ensured.
Lastly, please note that when determining internal regulations or privacy policies regarding the processing of employees' personal data and employee monitoring, Dutch and other EU member states' laws require that such policies first must be submitted to and approved by the Works Council, where applicable.
Overview of subjects

| Month | Subject |
|---|---|
| January 2017 | Territorial scope of the GDPR (Dutch) |
| February 2017 | The Concept of Consent |
| March 2017 | Sensitive Data |
| April 2017 | Accountability, Privacy by Design and Privacy by Default |
| May 2017 | Rights of Data Subjects (information notices) |
| June 2017 | Rights of Data Subjects (access, rectification and portability) |
| July 2017 | Rights of Data Subjects (erasure, restriction, object and automated individual decision-making) |
| August 2017 | Data Processors |
| September 2017 | Data Breaches and Notifications |
| October 2017 | Data Protection Officers |
| November 2017 | Transfer of Personal Data (outside the EEA) |
| December 2017 | Regulators (competence, tasks and powers) |
| January 2018 | One Stop Shop |
| March 2018 | Processing of Personal Data in the Employment Context |
| April 2018 | Profiling and Retail |
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.