In June 2017, the Article 29 Working Party - the collective group of European data protection authorities - (“WP29”) adopted new guidance on data processing in the workplace. This guidance complements previous WP29 opinions on the processing of data in an employment context and on electronic surveillance in the workplace. The new guidance seeks to address the increase in the amount of personal data collected in the workplace. It also focuses on the rise of new forms of data processing and new technologies in the workplace which, according to WP29, may allow for the systematic and potentially invasive processing of employees’ personal data.
While the guidance focuses primarily on processing under the Data Protection Directive (“Directive”), the guidance also considers the obligations that are imposed on employers by the upcoming EU General Data Protection Regulation (“GDPR”). This guidance is instructive for employers as it highlights the conservative views of EU regulators on the use of new technologies in the workplace.
Legal grounds for processing employee data
- Consent: WP29 restates its position that, for the majority of data processing activities carried out in the workplace, consent will not be a valid legal basis to process employee data. This is due to the power imbalance between the employee and the employer. This imbalance leads to a situation where employee consent is seen as not being “freely given”, which is one of the requirements for valid consent. Therefore, consent should only be relied on by employers in very limited situations where employees will not suffer any repercussions or consequences for failing to provide consent.
- Performance of a contract: Processing that is necessary for the performance of a contract is a valid legal ground where processing is required. For example, the processing of payroll data.
- Legal obligations: Reliance on legal obligations imposed on employers, such as the many obligations under health and safety legislation, and tax legislation, represents a valid ground for the processing of employee data.
- Legitimate interests: In many cases, employers will seek to rely on their legitimate interests to process employee data, for example, improving efficiency in the workplace and the protection of company assets. In order to rely on legitimate interests as a basis for data processing, WP29 states that: the purpose must be legitimate; the technology or method utilised must be necessary and proportionate; and the processing must be carried out in the least intrusive manner possible. There are certain difficulties associated with relying on legitimate interests as a legal basis to process employee data. Employers will need to be aware of these difficulties and afford them careful consideration. First, there is a necessity hurdle to overcome. Second, a balance must be struck between the employer’s legitimate interests and the interests and fundamental rights of the employees. Finally, if an employer seeks to rely on this legal basis, it will need to carry out and maintain a written assessment demonstrating that it has given proper consideration to the rights and freedoms of the employees.
Specific scenarios and good practice recommendations
WP29 looks at a number of different scenarios involving the use of new technologies in the workplace and provides practical guidance for employers in each situation. For example, WP29 examines the processing of personal data in the following workplace scenarios:
Social media profiles
According to WP29, employers are required to ensure that there is a legal ground, such as legitimate interests, to process a candidate’s social media profile during the recruitment process, even if the profile is publicly available. Employers are also advised to determine, prior to inspecting a job applicant’s profile, whether the profile is related to either business or private purposes. In addition, only data that is necessary and relevant to the position that is being applied for may be collected by employers. With respect to existing employees, WP29 advises employers that the screening of social media profiles should not take place on a generalised basis.
WP29 appears to accept that employers may be obliged to install tracking technologies in vehicles in order to comply with legal obligations. Equally, employers may have a legitimate interest in having the ability to locate their vehicles at any time. However, WP29 notes that where an employee is permitted to use a vehicle for private use, the employee should be permitted to opt-out of this monitoring and to temporarily turn off the vehicle tracking. In addition, WP29 suggests that employees be clearly informed that monitoring is taking place and that movements are being tracked.
What does this mean for employers?
An employer should:
- Carefully consider which legal grounds it currently relies on in order to process employee personal data, bearing in mind the challenges in obtaining valid employee consent.
- Ensure that the processing, including any monitoring, is necessary, proportionate and carried out in the least intrusive manner possible.
- Clearly inform employees of the processing of their personal data, including any monitoring. An easily understandable and accessible workplace monitoring policy should be made available to employees. In addition, employers should ensure that employee notices or privacy policies are updated so that they are compliant with the requirements of the GDPR.
- Bear in mind the principles of data protection by design and data protection by default. Assess whether data protection impact assessments (DPIA) are required, especially with regard to any new technologies used.
- Keep national laws under review. Article 88 GDPR allows Member States to introduce more specific rules regarding the processing of employees’ personal data in the employment context. See here for the current General Scheme of Data Protection Bill.