The General Data Protection Regulation (GDPR) of the European Union brings several obligations for organizations processing personal data in the context of employment relationships.
As we explained in Part I of this article, organizations have to take several measures to ensure that they meet all of the data protection requirements in relation to their employees. There, we explained why the legal bases for the processing of personal data have to be defined, how employees must be informed of them, and how records of processing should be kept.
Today, we will continue exploring this very relevant topic, which is part of our special Privacy & Data Protection Law series, prepared to help organizations in the long road to GDPR compliance. Shall we?
4. Determine if the monitoring systems in place are truly necessary
The right to privacy exists in all spheres of an individual's life, and the workplace is no exception. At the same time, organizations have a legitimate right to operate their businesses and to be protected from potentially harmful actions by employees. Neither of these rights should be disregarded, so here are some of the considerations to take into account when balancing privacy and monitoring.
Is the monitoring necessary?
The employer must be able to demonstrate that the monitoring is genuinely necessary. This means that if a less intrusive method exists that would meet the same need, it should be used instead.
If the monitoring is likely to result in a high risk to the rights and freedoms of employees, the organization will have to conduct a Data Protection Impact Assessment (DPIA) before starting it, and take measures to reduce the risk where the assessment shows they are needed.
Is the monitoring legitimate?
Are there lawful grounds for the collection and use of personal data by the monitoring system? Under the GDPR, there are six lawful bases for the processing of personal data: consent, contract, legal obligation, vital interests, public task and legitimate interests. Note that consent is rarely a reliable basis in the employment context, because the imbalance of power between employer and employee makes it hard to show that consent was freely given. This question becomes especially important if the monitoring involves special categories of personal data (often called sensitive data), since in the employment context such data can generally only be processed where this is necessary for carrying out obligations under employment, social security and social protection law, and only to the extent authorized by EU law or by the specific rules of each EU Member State.
The degree of intrusiveness must also be considered. In certain jurisdictions, employers may be allowed to monitor the time employees spend on the internet or on telephone calls to non-work numbers, but not to record the content of website visits or calls. In many cases, prevention is a better alternative than monitoring: instead of monitoring employees to check whether they are spending time on unwanted websites, the employer can simply install a filter that blocks access to them, which collects far less personal data.
Is the monitoring proportional?
The monitoring must be proportionate to the issue the employer is trying to address. Introducing a monitoring system because of minor nuisances, for example, is not reasonable.
This proportionality requirement goes hand in hand with the GDPR principle of data minimization: the processing must be limited to the personal data that are adequate, relevant and necessary to achieve the purpose defined by the controller.
Is the monitoring transparent?
Employees must always be informed of the monitoring carried out by the employer. This is important not only because employers have a duty to give notice about the processing of personal data, but also to set employees' expectations about what is and is not monitored at work.
Imagine that an employee is caught by the monitoring system while doing something against the organization's policy. If this employee was unaware both that the behaviour was prohibited and that he or she was being monitored, the employer may well lose if the matter ends up in court.
To prevent this, employers can introduce an Acceptable Use Policy that sets out the permitted use of communication equipment (such as internet, phone and email) and explains how that use is monitored.
Who has access to the data collected through the monitoring system?
Any personal data collected through the use of such systems must be held securely and be accessible only to those in the organization who have a legitimate reason to view them, for instance the person responsible for determining whether the employee has breached the policy or the law. Additionally, the data must be deleted when they are no longer needed, in accordance with the principle of storage limitation.
5. Define your BYOD (Bring Your Own Device) policy
Some organizations allow employees to use their personal devices, such as smartphones and laptops, for workplace communication. While this can be an efficient and cost-effective strategy, it can also be problematic from a data protection standpoint, because personal and organizational data end up on a device the organization does not fully control.
To manage this risk, organizations that permit BYOD practices must have a policy in place that determines:
- The measures that must be taken to protect personal data, both of employees and of customers
- The measures that must be taken to protect organizational data, such as intellectual property, financial information and trade secrets
- Who to contact in case of questions or requests
- How to handle lost, stolen or misused devices, including whether and how organizational data can be removed from the device without affecting the employee's own data
- Procedures for dealing with data on the device when employment is terminated
How is your organization handling all the requirements of the GDPR? If you are following our special series on Privacy & Data Protection Law, you are already well informed, but how about learning how to make compliance even easier? To get ahead in your compliance journey, try out the Privacy Management Tool for free now!
Contact the Xcure team if you want more information or a presentation of the Privacy Management Tool.