The monitoring of employees at work, or more generally the processing of data in the employment context, is a topic that has been debated for as long as the Data Protection Directive (Dir 95/46/EC – DPD) has been around. Nonetheless, due to the emergence of new technologies and changing work policies, the topic is red hot today.

The following blog post summarizes the current developments, paying special attention to the recently released Article 29 Working Party (WP29) Opinion[1], the imminent transition from the DPD to the General Data Protection Regulation (GDPR), and developments in Germany with the update of the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). It closes with a brief look at two high-stakes cases: a decision of the Federal Labour Court (Bundesarbeitsgericht) concerning the use of key loggers in the employment context, and a judgment of the European Court of Human Rights (ECHR) confirming that the monitoring of an employee’s emails breached his right to private life and correspondence.

WP29 Opinion: Data Processing at Work

The WP29 recently released an opinion addressing the processing of data in the employment context.[2] The opinion focuses on a “new assessment of the balance between legitimate interests of employers and the reasonable privacy expectations of employees”. The WP29 stressed that employers should always consider the following four points to mitigate risks:

  • the processing must be based on a legal ground such as Article 7 (b), 7 (c) or 7 (f) DPD;
  • the processing must be fair to the employee;
  • the processing must be proportionate to the concerns raised (purpose); and
  • the processing must be transparent (e.g. by informing the employee).

The following presents some of the risk scenarios WP29 explicitly laid out:

I. Employees’ Social Media Account(s)

The use of social media is quite common nowadays, and more often than not the (future) employee’s social media profile is publicly accessible. Understandably, employers might think that, since the profile is public, a quick inspection during the recruitment process or even later on raises no data protection concerns. WP29 explicitly stresses that the DPD applies to such processing activities and that a valid legal ground, such as legitimate interest according to Article 7 (f) DPD, is required.

To mitigate the risk and balance the employer’s interest with the employee’s rights and freedoms, the screening of social media accounts should be restricted to cases in which it is strictly necessary to assess specific risks regarding candidates for a specific function, and to the extent that the data is necessary and relevant to the performance of the job. To comply with transparency, the respective (prospective) employee should be informed in advance (e.g. in the job advertisement).

II. Employees’ ICT usage at the workplace

With the legitimate interest (Article 7 (f) DPD) of preventing loss of data or filtering malware, the employer might want to install advanced monitoring solutions. WP29 states that generally “prevention should be given much more weight than detection—the interests of the employer are better served by preventing internet misuse through technical means than by expending resources in detecting misuse.” Where monitoring is strictly necessary, it should be configured in a way that prevents permanent logging of employee data, or that at least ensures data is not stored unless an incident occurs. To balance the rights and provide appropriate safeguards, the employer should develop an easily accessible policy that lays out the purpose of the monitoring as well as when and by whom log data can be accessed.
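The retention principle above (no permanent logging; keep data only when an incident occurs; purpose and authorised readers fixed in a policy) can be expressed directly in the design of a monitoring component. The following is an added example written for this post, not code from the original post or from the WP29; the class and function names, the event format, the role names and the sample events are all assumptions made for the illustration.

```python
# Added example (not from the original post or the WP29): an "incident-gated"
# monitoring log. Events live only in a bounded in-memory window; the window is
# written out solely when an event type the policy defines as an incident occurs,
# together with the stated purpose, and may be read only by authorised roles.
# All names, the event format and the sample events are assumptions.
import hmac
import hashlib
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class MonitoringPolicy:
    purpose: str                 # why data is collected, as stated in the policy
    window_size: int             # bounded volatile window; older events vanish
    authorised_roles: frozenset  # who may read persisted incident records
    incident_events: frozenset   # event types that count as an incident


class IncidentGatedLog:
    def __init__(self, policy: MonitoringPolicy, pseudonym_key: bytes):
        self.policy = policy
        self._key = pseudonym_key
        self._window = deque(maxlen=policy.window_size)  # in memory only
        self._incidents = []  # the only data that is retained

    def _pseudonym(self, user: str) -> str:
        # Keyed hash so the volatile window never holds the raw identity;
        # only the holder of the key can resolve it during an incident.
        return hmac.new(self._key, user.encode(), hashlib.sha256).hexdigest()[:16]

    def record(self, user: str, event: str, detail: str = "") -> bool:
        """Add an event to the volatile window; return True if it triggered an incident."""
        self._window.append((self._pseudonym(user), event, detail))
        if event in self.policy.incident_events:
            self._persist(reason=event)
            return True
        return False

    def _persist(self, reason: str) -> None:
        self._incidents.append({
            "reason": reason,
            "purpose": self.policy.purpose,
            "events": list(self._window),
        })
        self._window.clear()  # nothing lingers once it has been written out

    def volatile_count(self) -> int:
        return len(self._window)

    def incident_count(self) -> int:
        return len(self._incidents)

    def read_incidents(self, role: str) -> list:
        if role not in self.policy.authorised_roles:
            raise PermissionError(f"role {role!r} may not access incident records")
        return list(self._incidents)


def demo() -> dict:
    policy = MonitoringPolicy(
        purpose="prevention of data loss and malware (legitimate interest)",
        window_size=5,
        authorised_roles=frozenset({"security-incident-team"}),
        incident_events=frozenset({"malware_detected", "exfiltration_blocked"}),
    )
    log = IncidentGatedLog(policy, pseudonym_key=b"constructed-demo-key")
    # Constructed sample events: routine browsing, then one malware detection.
    for i in range(8):
        log.record("alice", "http_request", f"https://intranet.example/page{i}")
    before = log.volatile_count()  # capped at 5; the three oldest are already gone
    triggered = log.record("bob", "malware_detected", "eicar-test-file")
    return {
        "before": before,
        "triggered": triggered,
        "volatile_after": log.volatile_count(),
        "incidents": log.incident_count(),
        "events_kept": len(log.read_incidents("security-incident-team")[0]["events"]),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the window size, not a retention period, bounds what the employer could ever see: routine activity older than the window is gone before anyone asks for it, and the persisted record carries the purpose under which it was kept, which is what the transparency requirement asks for.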

A change in work policies such as “bring your own device” or remote working poses security risks to the company but also risks to the employee’s private life, in that the monitoring system is extended into the domestic sphere. To balance the interests and rights, appropriate safeguards must be implemented that clearly distinguish between private and business use of a device. Monitoring activities such as logging keystrokes (key loggers) or enabling webcams remotely, the WP29 points out, are “very unlikely to have a legal ground under legitimate interest”.

III. Employees’ health and activity

New trends include the tracking of employees’ health and physical activity within and outside the company. WP29 stresses that such activities involve the processing of sensitive data, and given the unequal relationship between employers and employees it is unlikely that explicit consent (Art. 8 DPD) can be freely given. Consequently, if employers want to hand out wearables aimed at this type of monitoring, they should strictly refrain from accessing such data, whether directly or through a contracted third party.

IV. Employees’ use of company vehicles

The employer will often have legitimate interest (Art. 7 (f) DPD) or might even be obliged by law (Art. 7 (c) DPD) to monitor the use and location of a company vehicle as well as its driver (e.g. using event data recorders).

WP29 makes clear that, although ensuring the safety of employees who drive the vehicles or recovering stolen cars are valid interests, any implementation of GPS and other technology must nonetheless comply with the principles of proportionality and subsidiarity.

For instance, if the vehicle may also be used after work hours or for private purposes, the employee should be given the possibility to switch off the GPS device. Furthermore, effective information should be provided to the driver, e.g. by placing information signs on the windshield.

General Data Protection Regulation

Unlike the DPD, the GDPR explicitly enhances the protection of employment data. Most notably, Article 88 GDPR allows EU Member States to establish more specific rules in the employment context, which might be provided inter alia for the purpose of recruitment, performance of the employment contract, health and safety at work as well as protection of the employer’s property.

Besides this specific provision, the GDPR introduces the concept of “privacy by design” and the “data protection impact assessment” (DPIA), which help to assess risks prior to the actual processing and thereby effectively prevent or mitigate them. “Privacy by design” aims at building effective privacy protection into the hardware or software used for monitoring activities. A prior “data protection impact assessment”, according to Article 35 GDPR, allows the controller to identify privacy risks up front and might even result in an obligation to consult the national supervisory authority before the processing can be conducted.

Developments in Germany – New Federal Data Protection Act (June 2017)

The German legislator has already made use of Article 88 GDPR and incorporated additional provisions into the recently (June 2017) updated Federal Data Protection Act (Bundesdatenschutzgesetz or BDSG). Section 26 BDSG is a profound update to section 32 of the replaced framework. Special attention is paid to the balancing of employer interests against the freedoms and rights of the employee.

To a certain extent, the new provision also allows for the monitoring of employees for the purpose of detecting criminal offences. The provision stresses that monitoring activities must be restricted to cases where sufficient factual indications show that a criminal offence has been committed during the employment relationship. Unfortunately, the provision falls short of providing more detail on monitoring activities; in particular, no provision addressing video monitoring is to be found.

Court Rulings regarding employee monitoring

“Key logger decision” by the Federal Labour Court (July 2017) – 2 AZR 681/16

Confirming the WP29 prediction (see above) that key loggers will “very unlikely […] have a legal ground under legitimate interest”, the Federal Labour Court on July 27th of this year promulgated its decision concerning the use of key loggers in the employment context. The Court found key loggers to conflict with section 32 of the new Federal Data Protection Act (see above). Only in limited circumstances, where sufficient factual indications show that a criminal offence might have been or will be committed, can a key logger be deployed.

“Bărbulescu v. Romania” by European Court of Human Rights (September 2017) ECHR 268 (2017)

The Strasbourg Court ruled in favour of the employee’s right to respect for his private life and correspondence (Art. 8 ECHR). The Court found that the national courts had failed to determine whether the employee had received prior notice from his employer of the possibility that his communications might be monitored, of the nature or extent of the monitoring, or of the degree of intrusion into his private life and correspondence. The national courts had also failed to determine whether there had been a legitimate ground to justify the monitoring measures, whether the employer could have used measures entailing less intrusion into the employee’s private life and correspondence, and whether the communications might have been accessed without his knowledge. The decision clearly states that “[t]he Court considered, following international and European standards, that to qualify as prior notice, the warning from an employer had to be given before the monitoring was initiated especially where it entailed accessing the contents of employees’ communications”.

Final Remarks

Technological advancements will further challenge the newly adopted framework and promise to keep the topic of employment monitoring high on the data protection agenda. It would be desirable to receive more guidance from legislators on specific monitoring techniques. The WP29’s opinion should be seen as an incentive for the national legislator to make more use of the discretion provided for by Article 88 GDPR. The two court cases provide further guidance, in that the employee must be able to foresee to what extent monitoring measures can be used, and that monitoring cannot be conducted on a generalized basis but only where sufficient factual indications can be determined.

[2] Article 29 Working Party, Opinion 2/2017 on data processing at work, WP 249, June 2017.