Newsflash
Data protection and privacy

New technologies have enabled more systematic processing of employees’ personal data at work, including new monitoring solutions, and this has created significant new challenges for privacy and data protection.

In this context, the Article 29 Working Party (“WP29”) has issued a new assessment of the balance between the legitimate interests of employers and the reasonable privacy expectations of employees.

The WP29 is an independent European working party that deals with issues relating to the protection of privacy and personal data. It was “created” in Article 29 of the Data Protection Directive (Directive 95/46 EC) and set up in 1996. It is composed of representatives of all the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission. The WP29 has an advisory status, but its opinions carry a great deal of authority due to its composition.

On 8 June 2017, the WP29 adopted an opinion on employee monitoring (Opinion 2/2017 on data processing at work), updating its previous publications.

In this recent Opinion, the WP29 emphasises that employers may only collect personal data in the employment context for legitimate purposes, that the processing of this data must take place under appropriate conditions, and only insofar as there are one or more legal grounds for doing so. As far as the consent of an employee as a legal ground for the processing of personal data is concerned, the WP29 confirms its previous position. Given the inherent imbalance of power between employer and employee, employees can only give free consent in exceptional circumstances, and thus their consent should not be the (sole) legal basis for the processing of their personal data. The legitimate interest of the employer, on the other hand, can be invoked as a legal ground, but only if the processing is strictly necessary for a legitimate purpose and complies with the principles of proportionality and subsidiarity.

Whereas the current legal framework is still the Data Protection Directive, the opinion also takes into account the obligations under the General Data Protection Regulation (Regulation 2016/679, “GDPR”), which has already entered into force but will only become applicable as from 25 May 2018, replacing the Data Protection Directive.

The WP29 first confirms that the GDPR includes and enhances the requirements of the Data Protection Directive and highlights three principles in that regard, namely:

  • Legal grounds: in order to process data in the employment context, one or more legal bases are required (e.g., legal obligations or the legitimate interest of the employer);
  • Transparency: data processing at work requires that employees are given a certain level of information (e.g., that attendance is tracked and the purposes for which the personal data is processed);
  • Automated decisions: decisions based solely on automated processing can only produce effects for employees under specific conditions (e.g., where authorised by law).

Second, the WP29 confirms that the GDPR also introduces new obligations for all data controllers, including employers:

  • Data protection by design and by default, whereby the most privacy-friendly solutions should be deployed and the data collected should be minimised;
  • Data protection impact assessments have to be carried out whenever a type of processing (especially using new technologies) is likely to result in a high risk to the rights and freedoms of natural persons, in this context, employees;
  • Processing in the context of employment can be regulated further at the Member State level (e.g., with regard to recruitment, health and safety at work, termination of the employment relationship).

In addition to outlining the risks posed by new technologies, the WP29 provides a proportionality assessment of several concrete scenarios in which new technologies could be deployed. The scenarios listed relate, among other things, to the processing of time and attendance data, cloud services, international transfers, the processing of personal data during the recruitment process, and the monitoring of IT usage outside the workplace (e.g., the use of an employee’s own device for work purposes (“bring your own device”) and the monitoring of home and remote working).

The WP29 concludes its opinion with certain recommendations in which it stresses that the fundamental rights of employees with regard to their communications and related traffic data remain fully intact irrespective of the kind of technology deployed.

Regarding the legitimate interest of employers as a legal ground, the WP29 recognises that it can sometimes be invoked, but it recommends that a proportionality test be conducted prior to the deployment of any monitoring tool in order to consider (i) whether it is really necessary to collect such data, (ii) whether the employer’s interest in this processing outweighs the general privacy rights that employees also have in the workplace, and (iii) what measures have to be taken to ensure that interferences with the rights of employees (e.g., their right to private life and their right to secrecy of communications) are limited to the minimum necessary.

Since data processing at work must be a proportionate response to the risks faced by an employer, prevention of misuse (for example by blocking a website) should be given much more weight than detection (for example by tracking browsing behaviour). The information that is recorded by ongoing monitoring, as well as the information that is shown to the employer, should be minimised as much as possible and should be stored for no longer than the specified retention period.

In any event, transparency towards employees remains important. Employees have to be informed in an effective manner, not only about any monitoring that takes place, but also about the purposes and circumstances of this monitoring, as well as the possibilities for employees to prevent their data from being captured by monitoring technologies. Any policies and rules concerning legitimate monitoring must be clear and readily accessible. Despite the rather technical nature of this matter, which is usually settled at IT level, the WP29 recommends involving a representative sample of employees in the creation and evaluation of such rules and policies, as most monitoring has the potential to infringe on the private lives of employees.

> Action point

Employers should consider a similar new assessment of the balance between their legitimate interests as employers and the reasonable privacy expectations of their employees in light of any new technologies and developments of existing technologies that have been implemented.