May 2018 is getting closer and, from next September, Companies and Public administrations, if they have not done so yet, should work hard to comply with the GDPR.

Before saying goodbye for summer holidays, we want to keep to your attention an opinion of the Working Party 29, which, taking into account both the current legislation and the new rules introduced by Regulation (EU) 2016/679, defines a framework of the fundamental principles for the correct processing of data in the context of the employment relationship (Opinion on data processing at work 2/17- 8 June 2017 - Article 29 Data Protection Working Party).

■       OBLIGATION TO RESECT THE PRIVATE LIFE, THE LIBERTY AND DIGNITY OF THE WORKER. The main principle is that every worker, regardless of the kind of contract applied to their relationship, has the right to be respected in his private life, his freedom and dignity. Every worker must be adequately informed about how their personal data are processed in a clear, simple and comprehensive way, especially if employers monitor their activity. In any case the controls should also be compliant with national standards and regulation.


Every processing of data must be proportionate to its purpose.

For example, in the application of the aforementioned principle, with regard to geolocation systems, Working Party 29 indicates that they can be used for strictly business purposes and the worker should be allowed to disable the localization device  if necessary.

In case the employee use some devices both for personal and business reasons, in order to prevent monitoring of private information appropriate measures must be in place to distinguish between private and business use of the device.

■       MONITORING ICT USAGE AT THE WORKPLACE. It is legitimate to setup security packages or tools to reduce the risks of hacker attacks, data breaches or dissemination of confidential information, but the employer cannot spy on employees' mail or their internet browsing. However, monitoring every online activity of the employees is a disproportionate response and an interference with the right to secrecy of communications. The employer should first investigate other, less invasive, means to protect the confidentiality of customer data and the security of the network.

■       SOCIAL NETWORK. Any consultation of social media should be limited to professional profiles only, excluding the possibility to monitor private lives of the employees or candidates during recruitment.

■       PRIVATE SPACES ON COMPUTER AND CLOUD SERVICES. Where employees are expected to use online applications which process personal data (such as online office applications), to reduce the risk of processing and/or monitoring information regarding private life and to ensure that these tools are used only for work purposes, WP29 suggest enabling employees to designate certain private spaces to which the employer may not gain access under any circumstances, such as a private mail or document folder.

■       WORKERS' CONSENT IS NOT SUFFICIENT TO LEGITIMATE THE DATA PROCESSING. The consent, to be considered valid, must be freely-given. As a consequence, the Working Party 29 has pointed out that, given the difference in position between the two parties of the employment contract,  it is not sufficient for the employer to acquire the consent of the employees to legitimate every processing of their personal data. Working Party 29 remarks that the alternative legal basis of the processing could be the performance of the contract, the legal obligations or the "legitimate interest" (eg: right to security); in this latter case, it is essential that specific mitigating measures are present to ensure a proper balance between the legitimate interest of the employer and the fundamental rights and freedoms of the employees.

Moreover, the Working Party underlines that , even in cases where consent could be said to constitute a valid legal basis of such a processing (i.e. if it can be undoubtedly concluded that the consent is freely given), it needs to be a specific and informed indication of the employee’s wishes.

Once again, then, design in the right way the Company policies on the use of ICT systems by the employees is essential to avoid sanctions and litigation risks.