New guidelines on personal data processing at work

New guidelines on personal data processing at work

The focus on personal data protection is today at its peak, considering the upcoming replacement of the Data Protection Directive 95/46/EC (the “DPD”) with the General Data Protection Regulation 2016/679 (the “GDPR”), starting 25 May 2018.

Opinion no. 2/2017 on data processing at work (hereinafter the “Opinion“)1, recently adopted by the “Article 29 Data Protection Working Party”2 (the “Working Party“), is therefore a welcomed guideline in a context where data controllers are bracing themselves for the much stricter new regulations.

The Opinion represents a new assessment of the balance between the legitimate interests of employers, on the one hand, and the reasonable privacy expectations of their employees, on the other hand. It outlines the risks posed by the new technologies which enable extensive systematic processing of employees’ personal data and present significant challenges to privacy and data protection.

Various employment scenarios are analysed:

  • processing operations during the recruitment process or resulting from in-employment screening3;
  • processing operations resulting from monitoring of electronic communications usage at or outside the workplace (e.g. phone, internet history, e-mail, instant messaging, VOIP etc.)4;
  • processing operations relating to time, attendance and video monitoring;
  • processing operations involving vehicles used by employees;
  • disclosure of employee data to third parties and international transfers of HR and other employee data.

The Working Party notes the special risks that can arise in these scenarios due to the increasing reliance, by employers, on technologies such as enhanced IT monitoring capabilities, technologies that track the location of devices and vehicles, computers used by staff in performing their jobs, the collection of information from social media networks. Thus, employers are advised to limit as much as possible the use of automated decision-making.

Employers should always consider whether the processing activity is:

  • necessary, and if so, what legal grounds apply to it;
  • fair to the employees;
  • proportionate to the concerns raised; and
  • transparent.

Given the imbalance of power between employers and employees, the Working Party notes that in many cases, the employees’ consent is probably not freely given.

The scope of the Opinion is not limited to the protection of persons with an employment contract, but is also intended to cover individuals who find themselves under other employment-related relationships with a company (e.g. applicants).

Although it is issued under the current DPD, the Opinion also takes a look into the new obligations imposed by GDPR on data controllers (including employers), such as:

  • the requirement to implement data protection by design and by default5;
  • the need to carry out data protection impact assessments for processing of data which imply a high risk to the rights and freedoms of natural persons.

It must also be noted that the GDPR provides the possibility that specific national rules related to the processing in the context of employment may be introduced.

The Opinion complements the previous documents adopted by the Working Party in relation to the processing of personal data in the working environment: (i) the Opinion 8/2001 on the processing on personal data in the employment context6 and (ii) the 2002 Working Document on the surveillance of electronic communications in the workplace7.

As a general remark, while the opinions of the Working Party are not legally binding, they are nevertheless highly influential, given that the Working Party is mainly composed of representatives of the national regulators. Therefore, the approach of national regulators will most likely be in line with the Working Party’s approach and businesses should consider the Opinion as a reference for the assessment of their internal policies in preparation for the upcoming GDPR.


1 Available here: http://ec.europa.eu/newsroom/document.cfm?doc_id=45631

2 The “Article 29 Data Protection Working Party” is an independent European advisory body on data protection and privacy, set up under Article 29 of the DPD.

3 O “In-employment screening” refers to the process of investigating employees by collecting information regarding their friends, opinions, beliefs, interests, whereabouts, etc. and therefore capturing data relating to the employee’s private life (for instance, from social media profiles).

4 In relation to this scenario, it is important to note that the European Court for Human Rights has very recently held in Case Barbulescu v. Romania (http://hudoc.echr.coe.int/eng?i=001-159906) that electronic correspondence and communications of an employee may only be monitored by the employer, only if there is a fair balance between the interests of the employer and the right to private life of the employee and the employer makes it clear to the employee what is or is not permitted and informs him of any monitoring which will take place.

5 “Privacy by design” means that for each new service, business process or device of the employer which use personal data, the protection of such personal data must be taken into consideration. It should be ensured that adequate security systems are in place and compliance is monitored. The Working Party mentions, by way of example, that where an employer provides devices to its employees, the most privacy-friendly solutions should be selected if tracking technologies are involved and data minimisation must also be taken into account.

6 Available here: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2001/wp48_en.pdf

7 Available here: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2002/wp55_en.pdf