On April 2, 2015, the Committee of Ministers of the Council of Europe issued a comprehensive recommendation that contains principles regarding the processing of personal data in the context of employment for the national legislations of its 47 member states.[1] However, this recommendation constitutes only so-called "soft law" and therefore is not binding for the member states of the Council of Europe. In this recommendation, the Committee has revised its previous recommendation[2] by taking into account the new challenges that the member states are frequently facing in their legislation due to new information and communication technologies. The purpose of the recommendation is to ensure the employees' data protection rights at work given the use of new information and communications technologies.

Structure

The recommendation applies to any processing of personal data for employment purposes in both, the public and private sector, including the activities of employment agencies and is divided into two major parts: General Principles and Particular Forms of Processing.

General Principles

The General provisions list generally acknowledged principles of data protection, such as:

  1. Purpose limitation and proportionality.
  2. Transparency, i.e. providing information about the origin and purpose of the data processing and obtaining the employee's consent.
  3. Access for employees to stored personal data and the right to object to the processing or to request the rectification or deletion of data when incorrect or illegal.[3]
  4. Consultation of employees' representatives if introducing monitoring systems.
  5. Furthermore, the general provisions include guidelines on how to collect, store and disclose employee's personal data to third parties, such as public authorities.

Particular Forms of Processing

Additionally, the recommendation provides further details for particular forms of gathering and processing personal data, especially:

  1.  Preventive measures, such as the use of filters to prevent particular operations should be preferred over monitoring the pages accessed by employees on the internet or Intranet.[4]
  2. Professional electronic communications should only be accessed by the employers after informing the employees about the possibility thereof, and only be based on legitimate reasons such as security.[5] However, private electronic communication at work should never be monitored.[6]
  3. Video surveillance for monitoring locations that are part of the most personal area of life of employees should never be permitted.[7]
  4. The access to evaluation data, such as assessments of performance, productivity or capability, should be granted to employees.[8]
  5. Any collection of genetic, biometric or health data should only be allowed under existing legal safeguards, and only to the extent necessary for the protection of legitimate interests of employers and in connection with the type of activity performed in the job.[9]
  6. Employees should be able to obtain copies of recordings in the event of disputes or legal proceedings.[10]

Conclusion

As the recommendation is not binding, it remains to be seen if, and to what extent, the recommendation will be implemented by the member states. For member states that are also subject to the EU data protection directive and the upcoming general data protection regulation, it remains to be seen to what extent the upcoming regulation will make this recommendation obsolete or if it will vary the level of data protection at work.

If the recommendation is implemented, employers will have to ensure that their everyday practices are in compliance with the requirements mentioned above. In particular, dismissals may then no longer be justifiable by facts which have been obtained by violating any of the above-mentioned standards.