Data privacy in an employment context remains a challenge for companies. On the one hand, employers have a strong interest in monitoring personnel conduct or performance. Few controllers are likely to have collected more personal data about an individual than their employer. On the other hand, employees have a reasonable expectation of privacy – including in their workplace. This inherent conflict of interests has created a considerable volume of case law regarding employee monitoring in several Member States, e. g. relating to the permissibility of monitoring internal investigations and compliance controls.
Modern technology offers advanced technical options to monitor employee performance and conduct. Even standard IT applications may be used to control or record personnel behaviour in the workplace. Where previously the degree of employee supervision was limited by what the technology could do, rapid technological advancements mean that data protection laws are now the principal limitation in the EU. The Regulation is due to play a major role in this respect. As a consequence, employee data privacy has been one of the most hotly debated aspects of the Regulation. This area of data privacy will remain less harmonised than other fields of data protection.
Likely practical impact of the Reulgation on employee data protection
For most Member States, the Regulation considerably changes the landscape. Even for employers in Member States with relatively strict employee data protection requirements, the upcoming data protection regime will create additional challenges.
As a general rule, all of the principles and restrictions of the Regulation also apply in the workplace. For instance, monitoring employee performance or conduct may call for prior data protection impact assessments. The new right of data portability means companies could be required to transfer employee data of a leaving employee to a new employer. Moreover, the severe maximum penalties which can be imposed under the new data protection framework are a strong encouragement for employers to ensure effective data protection for their employees.
Quite a number of provisions in the Regulation were obviously drafted in the light of internet commerce, social media or other contemporary forms of business or communication. Some of these mechanisms simply do not match well with an employment context, e.g. data portability. Employers should closely analyse where the Regulation necessitates changes to current employee data being processed.
Processing employees’ personal data for the performance of the employment contract
Personal data must be processed in a manner which is adequate, relevant and not excessive in relation to the purposes of the employment relationship for which they are processed. Current Article 6 (1)(b) of the Regulation will be particularly relevant in an employment context. It permits the use of personal data to the extent that processing is necessary for the performance of the employment contract between data subject and controller. Employers are well-advised to take particular care to comply with the strict requirements regarding transparency and documentation in order to avoid fines, employee damage claims and possibly exclusion of evidence presented to labor courts, e.g. in dismissal lawsuits.
Article 82 of the Regulation also contains additional provisions aimed at protecting the rights and freedom of employees. Member States may adopt specific rules regulating the processing of personal data in an employment context.
It is likely that Member States that traditionally have a high degree of employee data privacy will adopt employee-specific data protection rules. As a consequence, there may be considerable variations in employee data protection and, consequently, a lesser degree of harmonisation between the individual Member States.
Processing employees’ personal data for other legitimate purposes
The processing of employee data may be legitimised by the general provisions of the Regulation. For example, Article 6 (1)(b) permits processing where this is necessary for the purposes of legitimate interests pursued by the employer or by a third party. However, this must be balanced against the interests or fundamental rights and freedoms of the data subject, i.e. the employee. Outside an employment context, this provision may permit the collection and other processing of employee data.
Processing employees’ personal data on the basis of collective agreements
Under Article 82 of the Regulation, the processing of personal data may be governed by collective agreements, for example by collective bargaining agreements or works council agreements, which may be entered into between employers and employees’ representatives.
In some countries with strong employee representative rights, like for instance Germany, works council agreements are already a reliable and safe way to govern the use of data in the work place. In Member States permitting the use of employee data on the basis of collective agreements, it can be expected that domestic courts will quickly establish rules and standards for permissible collective provisions. However, this would then result in even less EU-wide harmonisation regarding data protection in the work place.
Processing personal data on the basis of employee consent
Article 6 (1)(a) of the Regulation provides that processing of personal data for one or more specific purposes may be lawful if the data subject has given unambiguous consent to it. Not surprisingly, such consent must be freely given. In some Member States, the question whether and under what circumstances employees can consent to the processing of their personal data has been an ongoing debate for years. The Regulation does not resolve this issue. Rather, Recital 34 states that consent should not provide a valid legal ground for the processing of personal data in a specific case, where there is a clear imbalance between the data subject and the controller, therefore, it is unlikely that employee consent will ever be a robust basis for the use of that data, and this needs to be factored in when justifying such uses.
Rather, employers should establish a high degree of transparency regarding data protection at the workplace as well as a robust and effective data protection management system.
What to do
- Employers should closely analyse where the Regulation necessitates changes to current employee data being processed.
- Analyse whether your business’ personnel and data protection structures provide the level of transparency and documentation required by the new data protection rules.
- Align HR and data protection functions in order to ensure compliance with the new requirements.
- Keep in mind that specific employee data protection rules may be passed by individual Member States, which would prevent a high degree of harmonisation in this area. Closely monitor whether Member States relevant to your business/ workforce implement specific employee data rules
- If collective agreements (including works council agreements or collective bargaining agreements) apply to your business: closely analyse any existing agreements and negotiate necessary changes in a timely manner.
This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.” To access the full guide, click here.