On 8 June 2017, Article 29 Data Protection Working Party (“A29WP”) adopted Opinion 2/2017 on personal data processing at work. Building on and complementing previous guidelines (namely Opinion 8/2001 and the 2002 Working Document on the surveillance of electronic communications in the workplace), the Opinion makes a new assessment of the balance between legitimate interests of employers and privacy expectations of employees, in view of recent technological progresses enabling increasingly invasive employees’ personal data processing.
New technologies or new developments of existing technologies create new avenues for more systematic and intrusive data processing at work. These progresses, while reducing the cost and the visibility of the data processing performed by employers, increase its capacity and amplify the risk of further processing and of pervasive analysis of metadata. New business models and an increase in the practice of remote work create new challenges to employees’ (and their family’s) privacy and data protection. A29WP made clear that a new assessment is required for the purposes of balancing, on one side, the legitimate interest of the employer to perform specific data processing and, on the other side, the employees’ right to privacy, any time an employment relationship is in place, regardless of the type of contract on which the employment relationship is based on.
The Opinion highlights the dependency resulting from the employment relationship, which impairs the chance of a freely given consent by the interested subjects (the employees). Consequently, employers will have to rely on different legal grounds for processing, for example on a legitimate interest (e.g. improvement of efficiency or protection of company assets), combined with a proportionality test assessing the necessity of that processing to achieve the sought legitimate purpose, and the proof that the risk to privacy is minimized by the adoption of adequate measures.
The Opinion refers both to the employers’ obligations deriving from the Directive 95/46/EC (Data Protection Directive, DPD) and to the additional obligations rising from the Regulation 2016/679 (General Data Protection Regulation, GDPR).
With regards to the DPD, A29WP underlines the necessity to apply three principles:
- Legal grounds for data processing (Art.7), namely consent (in residual cases), performance of a contract, legal obligations, or legitimate interest.
- Transparency in data processing (Art. 10 – 11), which entails the obligation to inform employees of the existence of any monitoring, its purposes and any other information necessary to guarantee fair processing.
- Prohibition of automated decisions (Art.15), according to which data subjects hold the right not to be subject to a decision based solely on automated processing, where that decision produces legal effects or similarly significantly affects them.
The GDPR strengthens these principles with new obligations for the data controllers, including employers:
- Employers need to implement data protection by design and by default towards their employees (Art. 25);
- they have to carry out a Data Protection Impact Assessment (DPIA) where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing itself, is likely to result in a high risk to the rights and freedoms of the employee (Art. 35);
- member States may provide for more specific rules to ensure stricter privacy protection (Art. 88).
The A29WP presented a series of scenarios of data processing at work in order to illustrate possible new breaches of employees’ privacy, for example describing the risks associated with the “bring your own device” practice and the use by employees of wearable devices provided by their employers.
As stressed in the Opinion’s conclusions, employers have to be aware that:
- Electronic communications made from business premises enjoy the same protections as analogue communications, being covered by the notions of “private life” and “correspondence” within the meaning of Article 8 paragraph 1 of the European Convention.
- According to the DPD, employers may only collect employees’ data for legitimate purposes, with their processing taking place under appropriate conditions and with an adequate legal basis for the processing.
- Given the imbalance of power of the employment relationship in itself, consent is unlikely to be a legal basis for data processing at work. Employers will have to rely on other legal grounds, such as performance of a contract or legitimate interests, being the processing strictly necessary and complying with the principles of proportionality, and minimization.
- Employees should be informed about possible monitoring, its purposes and circumstances, and should be free to refuse their data being captured by monitoring technologies. Policies and rules concerning legitimate monitoring should be elaborated with representative sample of employees, and be clear and readily accessible.
- Employers must take the principle of data minimisation into account when deciding on the deployment of new technologies.
- Employers should consider enabling employees to designate certain private spaces to which the employer may not gain access under any circumstances.
- Any international transfer of employee data should take place only where an adequate level of protection is ensured.