On June 8, 2017, Article 29 Working Party (“WP29”) adopted the new opinion 2/2017 on data processing at work, which makes a new assessment of the balance between legitimate interests of employers and the reasonable privacy expectations of employees by outlining the risks posed by new technologies and undertaking a proportionality assessment of a number of scenarios in which they could be deployed.
WP29 conducted its analysis taking account the current legal framework under Directive 95/46/EC (the Data Protection Directive or “DPD”) and the new Regulation 2016/679 (the General Data Protection Regulation or “GDPR”), which has already entered into force and which will become applicable on 25 May 2018. With regard to the proposed ePrivacy Regulation5, the Working Party calls on European legislators to create a specific exception for interference with devices issued to employees (WP29, Opinion 01/2017 on the Proposed Regulation for the ePrivacy Regulation, WP 247, 04 April 2017).
Under the legal grounds analyzed, WP29 pointed out that employers must take note of the following:
- for the majority of such data processing at work, the legal basis cannot and should not be the consent of the employees (Art 7(a)) due to the nature of the relationship between employer and employee;
- ? processing may be necessary for the performance of a contract (Art 7(b)) in cases where the employer has to process personal data of the employee to meet any such obligations;
- it is quite common that employment law may impose legal obligations (Art. 7(c)) that necessitate the processing of personal data; in such cases the employee must be clearly and fully informed of such processing (unless an exception applies);
- should an employer seek to rely on legitimate interest (Art. 7(f)) the purpose of the processing must be legitimate; the chosen method or specific technology must be necessary, proportionate and implemented in the least intrusive manner possible along with the ability to enable the employer to demonstrate that appropriate measures have been put in place to ensure a balance with the fundamental rights and freedoms of employees;
- the processing operations must also comply with the transparency requirements (Art. 10 and 11), and employees should be clearly and fully informed of the processing of their personal data10, including the existence of any monitoring; and
- appropriate technical and organizational measures should be adopted to ensure security of the processing (Art. 17).
WP29 highlighted the importance to guarantee transparency referring to the processing of personal data by means of monitoring technologies.
In addition, WP29 pointed out that data processing at work must be a proportionate response to the risks faced by an employer. The information registered from the ongoing monitoring, as well as the information that is shown to the employer, should be minimized as much as possible. Employees should have the possibility to temporarily shut off location tracking, if justified by the circumstances.
Finally, WP29 provided an analysis related to the obligations introduced by “GDPR”, for all data controllers, including employers, which also include requirements such as data protection by design and data protection impact assessment.