Surveillance of employees in the workplace has long been a hot topic among managers, human resources professionals and employment lawyers. The development of IT equipment used in the course of work, the widespread use of social media, the increasing level of teleworking and other flexible working methods all require employers to implement new techniques to control their employees' work.
Most jurisdictions have regulations which give employers the right to control their employees, and rightfully so. At the same time, employees have a legitimate expectation of both privacy in the workplace and appropriate protection of their personal data. Employers' rights of control are therefore always limited by employees' right to privacy.
The recent European Court of Human Rights judgment in Barbulescu v Romania (61496/08) addressed the conflict between these two rights. The judgment made waves in the press and many commentators interpreted it as empowering employers to read all employee emails or even spy on employees' online activity and private communications. These conclusions are exaggerated, to say the least.
This update summarises certain legal aspects of this issue and sheds light on the rules and principles governing use of surveillance methods under Hungarian law.
Surveillance in general
Hungarian labour law provides employers the right to monitor employees' behaviour and actions, provided that such monitoring pertains exclusively to employees' work. Employees' private lives may not be monitored or checked. Any methods used to monitor employees must relate directly to the protection of the employer's rightful interests and must be proportionate to achieve that purpose. Moreover, surveillance methods must not violate employees' human dignity. Employers must inform employees in advance of the possibility of surveillance and the technical methods used for that purpose.
Considering that the surveillance of employees almost always involves handling their personal data, the relevant data protection rules must always be complied with. Hungarian labour law authorises employers to handle employees' personal data as far as is necessary for the maintenance of the employment relationship. Employees need not provide consent to the employer's handling of their personal data in the context of the employment relationship. Data handling undertaken as a means of employee control is usually interpreted as lawful data handling; as such, it is generally unnecessary to obtain employee consent to the control.
Principles of surveillance
As the legal regulations provide only a judicial framework for surveillance, specific surveillance and monitoring methods need to be regulated by employers. Such regulations are typically set out in internal policies. The Hungarian National Authority for Data Protection and Freedom of Information (DPA) has issued guidelines and recommendations to assist in establishing such internal policies.
Principles that employers should follow when establishing their internal policies include the following:
- The surveillance must relate to the employer's proper operations.
- The surveillance is allowed only to the extent necessary to protect the employer's rightful interests and any restriction of employees' privacy must be proportionate.
- Employees must be informed in advance of the possibility of surveillance.
- Employers need to request the opinion of employee representatives (eg, works councils and unions) before establishing policies and methods of surveillance.
- Personal data related to the surveillance must be handled in accordance with the general principles and rules of the Act on Data Protection.
In addition to these guidelines, both the DPA and the courts have addressed specific types of surveillance in specific resolutions. Conclusions drawn from these resolutions can also help practitioners to establish best practices and internal policies on specific types of surveillance. The legal aspects of specific surveillance methods in accordance with these conclusions are set out below.
Monitoring telephone calls Although mobile phones are usually provided by employers only for professional purposes, a reasonable degree of private use is usually accepted. However, the employer is entitled to restrict or completely prohibit private use.
A plausible means of monitoring telephone use is to review the list of dialled numbers. However, the legal difficulty arising from this method is that the telephone number of the dialled party constitutes personal data and it is practically impossible to collect such parties' consent to handling their data. Nevertheless, in practice this usually does not block employers from reviewing call lists.
Interception of telephone calls is forbidden, as doing so is considered a disproportionate restriction of privacy. Notably, an employment court found an employee termination based on the operation of tracking software on his smartphone without his knowledge to be lawful and well founded.
Monitoring email correspondence Employers enjoy a great degree of freedom when establishing the rules governing use of professional email addresses. Professional email addresses must be used primarily for professional purposes, but a reasonable degree of private use is usually accepted, as long as this does not interfere with professional use. Employers may prohibit sending or receiving emails to or from specific addresses and may use specific filters to enforce these rules.
Employers are allowed to access employees' mailboxes for monitoring and control purposes, provided that the employees are informed in advance (ie, before the process commences) of the reasons for such access. If possible, it is recommended to allow employees sufficient time to dispose of their private data before accessing their mailbox.
Employers may access the contents of messages sent or received by employees in professional matters. However, if a message can be assumed to be private, the employer may not access its contents.
Monitoring internet use Employers are also free to establish rules governing use of the Internet in the workplace, which may include allowing, banning or restricting access to specific websites.
Restrictions may include:
- material restrictions (ie, restricting access to certain types of website, such as gaming and gambling sites);
- volume restrictions (ie, restricting the amount of data transferred); and
- temporal restrictions (ie, restricting the timeframe in which access to specific sites is allowed).
The use of social media may also be banned.
Controlling access to websites is allowed only if employees are informed in advance of this possibility. If access is granted to certain sites on which private data or content is stored (eg, private email accounts and electronic banking accounts), such data may not be accessed by the employer.
Generally, it is advisable to train employees on acceptable internet use in the workplace, as imprudent internet use may lead to security risks for the employer.
GPS tracking devices Another interesting aspect of control and surveillance is the use of built-in Global Positioning System (GPS) devices in company cars. While the use of GPS tracking systems may well be an appropriate method to protect employers' rightful interests (eg, protection of property and checking appropriate use of vehicles – particularly in the case of transportation companies), GPS devices may not be used to monitor employees' whereabouts outside working hours.
Data transmitted by the device constitutes personal data of employees authorised to use the car. If such data is not handled exclusively in the context of the employment relationship, employees' consent may be required for such data handling. The need to obtain such consent can be established only on the basis of careful legal analysis.
The DPA guidelines confirm that it is the employer's responsibility to establish a balanced system which protects the employer's rightful interests, but restricts the possibility of monitoring employees' private lives (including monitoring their location outside working hours). A potential solution in this regard is using systems in which the tracking function can be turned off outside working hours.
This area of law provides a great degree of flexibility to employers to establish policies and guidelines for controlling employees. To exploit this flexibility, careful consideration of the company's needs and thoughtful legal analysis are required. Establishing good policies and practices not only facilitates employers' legal compliance, but also enhances employees' wellbeing by safeguarding their right to privacy.
For further information on this topic please contact Dániel Gera at Schoenherr Hungary by telephone (+36 1 8700 700) or email ([email protected]). The Schoenherr website can be accessed at www.schoenherr.eu.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.