Snooping by an employer on its workers will be a breach of the GDPR

In its latest Opinion, adopted on the 8 June and published on 29 June 2017, the Art.29 Data Protection Working Party (WP29) makes a fresh assessment of the balance between legitimate interests of the employer and the reasonable privacy expectations of employees working within the European Union.

The concept of ‘employee’ is widened and includes those with a contract of service as well as contractors working under a contract for services. The Opinion is intended to cover all situations where there’s an employment relationship, irrespective of whether this relationship is based on an employment contract.

WP29 also highlighted the risks posed by new technologies deployed in the workplace and the need for the employer to undertake a proportionality assessment before deploying such measures.

In many respects the Opinion of WP29 isn’t new but rather a reaffirmation of its previous position under the Data Protection Directive 95/46/EC and prior to the adoption on the 27 April 2016 of the Regulation 2016/679 (General Data Protection Regulation) although there are a few references directly about the GDPR that are discussed below in this blog.

WP29 that will morph into the European Data Protection Board (EDPB) and as such this Opinion shouldn’t be ignored.

In essence, it expects all employers to adhere to the seven principles of data protection as provided under Art.5, GDPR and from a practical perspective, this means that all companies and organisations:

  • should always bear in mind the fundamental data protection principles, irrespective of the technology used to monitor workers
  • the contents of electronic communications made from a business premises enjoy the same fundamental rights protections as analogue communications
  • consent is highly unlikely to be a legal basis for processing personal data at work, unless employees can refuse to give their consent without adverse consequences that would destroy a contract of service or contract for services
  • processing of personal data of workers on other legal grounds, such as in pursuance of performance of a contract and under the legitimate interests of the employer can be invoked provided the personal data processing of that personal data is strictly necessary for a legitimate purpose and complies with the principles of proportionality and subsidiarity
  • workers should receive effective information about the monitoring that takes place in the workplace in a lawful, fair and transparent way
  • any international transfer of an employee’s personal data should take place only where an adequate level of protection is provided by the employer (for example, Binding Corporate Rules exist).

There’s a growing consensus – including the view held by the Information Commissioner’s Office in the UK – that the legal basis for processing personal data of employees is likely to be on the grounds of legitimate interests of the employer or under contract as opposed to consent.

The reason is that in the employment context, consent can’t be deemed to be freely given and therefore wouldn’t comply with the GDPR as a lawful ground for personal data processing (Art.7, GDPR).

However, it should be remembered that the legitimate interests of the employer isn’t sufficient to override the rights and freedoms of employees.

“As a result, a new assessment is required concerning the balance between the legitimate interest of the employer to protect its business and the reasonable expectation of privacy of the Data Subjects: the employees,” observes WP29.

At the same time, employers are also expected to comply with Art.25, GDPR so that in the context of issuing a device that can track behaviour and whereabouts of an employee, only the most privacy-friendly solution on that device should be pre-selected and the employer must also comply with the principle of data minimisation (Art.5(1)(c), GDPR).

Any changes of a technical and organisational nature that impacts workers could trigger a Data Protection Impact Assessment (Art.35, GDPR) warns WP29.

Here, the Data Protection Officer (DPO) should advise the Board where any new measures alter the nature, scope, context and purposes of the processing of employees’ personal data and is likely to result in a high risk to their rights and freedoms.

Where the employer isn’t able to mitigate these very high risks and reduce them to a residual risk, there’s an obligation to consult with the Supervisory Authority prior to the commencement of that personal data processing (Art. 36(1), GDPR) as clarified in the WP29 guidelines.

The Opinion also references Art.88, GDPR that provides that Member States may, by law or collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of employees’ personal data in the employment context.

There are a number of scenarios contained in the Opinion where the employer’s legitimate interest in processing personal data of employees and the fundamental rights of the employees to the protection of their personal data can be finely balanced.

However, WP29 firmly draws the line where the employer may be tempted to snoop on employees as this would amount to an infringement of their data protection and privacy rights under the GDPR.

For example, consider the situation where an employer deploys a Data Loss Prevention (DLP) tool.

This is used to monitor outgoing e-mails automatically in order to prevent the unauthorised or accidental transmission of a customer’s personal data. Once an e-mail is being considered as the potential source of a personal data breach, further investigation is performed.

In such a scenario, the employer will be relying on its necessity for its legitimate interest to protect the personal data of customers as well as protect its assets against unauthorised access or personal data leakage.

However, such a DLP tool may involve unnecessary processing of personal data —for example, a ‘false positive’ alert might result in unauthorised access of legitimate e-mails that have been sent by employees and these may be personal emails of the employees.

In its Opinion, WP29 state:

“The necessity of the DLP tool and its deployment should be fully justified so as to strike the proper balance between legitimate interests and the fundamental right to the protection of employees’ personal data.”

In order for the ground of legitimate interests to be relied upon, the employer must carry out certain measures to mitigate such risks.

For example, the rules that the system follows to characterise an e-mail as potential data breach should be fully transparent to the users and in cases that the tool recognises an e-mail that’s to be sent as a possible data breach, a warning message should inform the sender of the e-mail prior to the email transmission so as to give the sender the option to cancel this transmission.

Another scenario considered by WP29 within the context of personal data processing at work is the situation where many millions of workers across the EU are now actively encouraged work from home. This has the benefit of cost savings in terms of physical space as well as helping people achieve a work/life balance – well, that’s the theory anyway!

The result of this shift in the way we work is the blurring of the line between business and private life and is potentially an area that needs to be very carefully managed where ICT equipment or software is used remotely to access the network, systems and resources.

“Whilst remote working can be a positive development, it also presents an area of additional risk for an employer,” says WP29.

The Opinion discusses in some detail the inherent risks that remote working can create both for the employer, the worker, and customers, clients and supporters.

Employees that have remote access to the employer’s infrastructure aren’t necessarily bound by the physical security measures that may be in place at the employer’s premises.

So, without the implementation of appropriate technical measures, the risk of unauthorised access to personal data increases and may result in the loss or destruction of information, including personal data of employees or customers, clients and supporters that the employer may hold.

In order to mitigate this area of risk, an employer may be tempted to assume it has a legitimate interest and a justification for deploying software packages – either on-premises or in the cloud – that have the capabilities of snooping on employees.

This could include logging keystrokes and mouse movements, screen capturing – either randomly or at set intervals, logging of applications used and how long they were used for. It may also be tempted to install a webcam to ensure workers are at their desks!

However, any of the above actions could be a breach of the GDPR as the processing involved in such technologies may be disproportionate and the employer is very unlikely to have a legal ground under legitimate interest, for example, recording an employee’s keystrokes and mouse movements.

“The key is addressing the risk posed by home and remote working in a proportionate, non-excessive manner in whatever way the option is offered and by whatever technology is proposed, particularly if the boundaries between business and private use are fluid,” concludes WP29.

For information about the GDPR Transition Programme at Henley Business School, click here.


Leave a reply