The Article 29 Working Party (WP29) has issued Opinion 2/2017 on data processing at work (the “Opinion”).
The Opinion complements earlier WP29 publications on the processing of employee data and expands on them in light of recent technological advances, which have enabled new forms of systematic and potentially invasive data processing in the workplace and the challenges that accompany them.
The Opinion assesses these technologies against the principles and requirements of the EU Data Protection Directive (95/46/EC), and against the additional obligations introduced by the EU General Data Protection Regulation (GDPR), which becomes applicable on 25 May 2018.
Legitimate Interests vs Reasonable Expectations
The Opinion provides guidance on assessing the legitimate interests of employers against the reasonable privacy expectations of employees in regard to these technologies, and provides example proportionality assessments for processing operations:
- during the recruitment process;
- resulting from in-employment screening;
- resulting from monitoring ICT usage at the workplace;
- resulting from monitoring ICT usage outside the workplace;
- relating to time and attendance;
- using video monitoring systems;
- involving vehicles used by employees;
- involving disclosure of employee data to third parties; and
- involving international transfer of HR and other employee data.
Conclusions and Recommendations
The Opinion closes with a number of conclusions and helpful recommendations:
- Electronic Communications
Fundamental rights and protections apply both to the content of electronic communications and to the traffic data relating to those communications. Even though the employer owns the means of communication, employees retain a right to secrecy of their communications, as well as of any related location data and correspondence. In the case of Bring Your Own Device (BYOD) programs, employees should have the opportunity to shield their private communications from any work-related monitoring.
- Consent
Because of the imbalance of power inherent in the employment relationship, consent will be a valid legal basis for processing in exceptional circumstances only (e.g., where accepting or refusing has no consequences for the employee).
- Legitimate Interests
Legitimate interest can serve as a legal basis for processing only if the processing is strictly necessary to achieve a legitimate purpose and complies with the principles of proportionality and subsidiarity. This means asking whether all of the data is necessary to achieve the specific purpose, whether the employer's interest outweighs the employees' general privacy rights, and what measures are needed to ensure that any infringement of privacy is limited to the minimum necessary.
Employees should be informed of any monitoring that takes place, along with its purposes and circumstances, and the level and areas of control that employees have over their data in this context. Employers should supply employees with an understandable and readily accessible workplace monitoring policy, and employees should be involved in the creation and evaluation of such policies.
Data processing at work must be proportionate to the risks faced by the employer (e.g., if a risk can be prevented by some other, less intrusive means, the processing need not take place). Preventing employee misconduct or misuse should be given more weight than detecting it through processing.
- Data Minimisation
Data collected as a result of any processing at work should be minimised as far as possible. For example, employees should be able to temporarily switch off location tracking where justified. The principle of data minimisation must be taken into account when assessing the use of new technologies, and data should be stored only for as long as necessary to achieve its purpose. When data is no longer needed, it should be deleted in accordance with a specified retention period.
- Designating Private Spaces
Employers should consider enabling employees to designate certain spaces as private and sectioned off from employer access, for example private mail or document folders.
- International Transfers
Employers must ensure that adequate safeguards are in place when transferring employee data out of the EU/EEA, so that any cross-border transfer is lawful. Transfers should be limited to the minimum necessary.
How OneTrust Helps
With OneTrust, you can easily identify and assess the privacy impacts of new technologies and processing activities. Choose from numerous pre-defined template questionnaires, or import and tailor your own. Configure risk tracking workflows, distribute questionnaires to business users, and collect and analyze risks. Assign follow-up tasks and generate documentation to assist in meeting record keeping requirements.