Business efficiency is not only about properly configured business processes but also about personnel control. Today, employers use various tools to monitor their employees’ work, such as video surveillance in office premises (CCTV), GPS, network traffic monitoring, etc. At the same time, the rapid evolution of remote work over the past few years has dramatically changed how we think about work rhythms and workflows. From a necessary measure during the pandemic, the home office has become both the new normal and part of the search for work-life balance. For businesses, this process has become an additional catalyst for the use of new methods of employee control, in particular, through software that tracks how efficiently working time is used on a computer. Therefore, a logical question arises: what should an employer know about the use of personnel monitoring tools in order not to violate the requirements of personal data protection legislation? Let’s try to figure it out.
Justifying the need for monitoring
The General Data Protection Regulation (GDPR) does not prohibit surveillance of employees in the workplace. Still, it requires employers to follow special rules to ensure that the rights and freedoms of employees are protected when processing their personal data. The development of such regulations falls within the competence of the EU Member States, and the relevant rules may also be established at the level of collective bargaining agreements.
The processing of data obtained through monitoring software, as the European supervisory authority (WP29) notes, should only take place if it is necessary to achieve a legitimate aim and complies with the principles of fairness, proportionality, and subsidiarity. In other words, the fact that monitoring is available to the employer does not mean it should be the first tool used to achieve the employer’s goals: if such goals can be achieved by means that have a lesser impact on the interests of the employee, the monitoring may be recognized as illegal. Therefore, the decision to monitor employees should be made taking into account the balance between the interests of the employer and the rights and freedoms of employees regarding their personal data (e.g., by conducting a legitimate interest assessment or a data protection impact assessment, depending on the chosen legal basis, the purpose of monitoring, the amount of information processed, and other factors).
Select the appropriate legal basis for processing
An employer who believes it can monitor employees based on their consent should consider some legal requirements for using consent as a sound legal basis for processing personal data.
As a personal data controller, the employer must comply with the consent requirements set forth in Article 4(11) of the GDPR and ensure that the consent obtained meets the additional conditions set forth in Article 7 of the GDPR.
At the same time, it should be remembered that in labor relations there is an apparent inequality of status between the employer and the employee, since the latter is in a position of dependence, which makes it impossible to provide consent that meets the necessary criteria. Therefore, consent as a legal basis for processing personal data in labor relations can be used only in cases where the employee’s refusal cannot lead to adverse consequences for them, and they have a “real choice” between giving or refusing to give consent. Obviously, when it comes to refusing to participate in a system of automated monitoring of working hours or video surveillance in the office, the employee is deprived of the opportunity to express their wishes freely. Therefore, the employer should use a different legal basis for monitoring employees.
The choice of the legal basis depends on the specific purpose and context of the monitoring: in one case, the proper basis may be the fulfillment of a legal obligation (Art. 6(1)(c) GDPR); in another – a legitimate interest (Art. 6(1)(f) GDPR), etc.
Transparency as a prerequisite
Transparency is one of the fundamental principles of personal data protection law. For an employer, it means giving employees a clear understanding of how and why information about them is processed, which is inextricably linked to compliance with another principle – fairness. Monitoring conducted in a non-transparent manner is unfair and, therefore, illegal. Hence, employees must be provided with comprehensive information about any monitoring carried out concerning them, in an accessible and understandable form, before it is carried out (what information is collected, for what purpose and in what manner, how long the data is stored, etc.). The exception is when monitoring is conducted covertly to prevent illegal activities, detect fraudulent actions of employees, etc.
An illustrative example of the recognition of unlawful actions of an employer regarding employee monitoring is the case of Bărbulescu v. Romania, in which the European Court of Human Rights (ECHR), recognizing a violation of the employee’s rights, stated that the national courts had not established 1) whether the applicant received prior notice from his employer of the possibility of monitoring his communications; 2) whether he was informed of the nature or scope of the monitoring, as well as the degree of interference with his private life and correspondence; 3) the specific reasons justifying the introduction of monitoring measures, as well as whether the employer could have used measures that would have involved less interference with the applicant’s private life and correspondence and whether access to communications could have been obtained without the applicant’s knowledge.
In addition, it is worth noting that the information collected during monitoring should be available to employees if they submit a data subject access request (DSAR), subject to exceptions.
The employer should therefore consider in advance that software or equipment that collects large amounts of data (e.g., CCTV recordings) may not store information in a way that allows the personal data of a particular person to be found easily and quickly. Hence, the employer should prepare an action plan for receiving a DSAR and determine the actions necessary to prepare a response to it, considering the specifics of the software/equipment used.
For example, the Italian supervisory authority fined Stay Over s.r.l. EUR 10,000 following a complaint filed by a former employee, after the company failed to respond promptly to his request for access to personal data. In addition, the company continued to process data from the employee’s mailbox after the termination of the employment relationship without his consent.
Another example of an employer being penalized for unlawful processing of employees’ personal data is a decision of the Norwegian supervisory authority, to which a former employee of the company complained. After his dismissal, the employer automatically forwarded both work and private emails from the former employee’s mailbox to an email address administered by the managing director. During the investigation, the supervisory authority found that the controller had automatically forwarded the emails without a proper legal basis. In addition, the controller had failed to inform the former employee about this processing (the forwarding of the emails), contrary to its obligation under Article 13 of the GDPR, and had not adequately complied with the objection to processing submitted by the former employee.
Carefully select a service provider
The use of monitoring software or video surveillance cameras may involve engaging a company that provides the relevant service and processes the collected data. Since the employer is the controller of personal data in the employment relationship, it should keep in mind that the provider company engaged by it acts as a data processor and must meet all the requirements of the GDPR. At the same time, the employer is responsible both for the provider company’s compliance with the necessary criteria and for the proper processing of the personal data it receives. Therefore, before starting cooperation, the employer should carefully check such a contractor and assess its competence to process personal data in accordance with the GDPR, setting out in the agreement, where necessary, the mandatory measures it must take in fulfilling its data processing obligations. The employer should also determine whether there will be cross-border data transfers (to countries outside the EU) and, if no adequacy decision has been made concerning such a country, put in place the necessary safeguards for the protection of the information.
The invisible eye
Monitoring software allows you to view an employee’s desktop in real time, take periodic screenshots, track working hours, the number and content of typed pages of text, and the frequency of mouse clicks, analyze incoming/outgoing traffic, and sometimes even monitor an employee via webcam. Software tools can evaluate staff productivity based on the collected data and form a ranking of employees, which can affect the level of remuneration and other aspects of labor relations. Is it a convenient tool for business? Absolutely. But the employer should be prepared for employee objections, as the GDPR prohibits automated decisions if they significantly affect the rights and interests of personal data subjects. So, if, for example, bonuses are paid or liability measures are imposed solely on the basis of ranking or performance assessment data generated by software (automated decision-making), i.e., without human intervention, the employee has the right to challenge such a decision and demand its review with the involvement of other employees. This is only one side of the coin.
The other side of the coin is the risk of violating the employee’s rights. The European Court of Human Rights has consistently held that video surveillance of an employee in the workplace, whether hidden or not, as well as interception of the content of employee conversations on a work phone, constitutes interference within the meaning of Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms.
For example, in the cases of Halford v. the United Kingdom and Copland v. the United Kingdom, the European Court of Human Rights ruled that the applicants’ conversations on their work phones fell within the scope of the concepts of “private life” and “correspondence”, and that phone calls from office premises were prima facie covered by the concepts of “private life” and “correspondence”. Emails sent from work should be protected like information obtained from monitoring personal Internet use. The collection and storage of personal data related to an employee’s use of the telephone, email, and the Internet without their knowledge interferes with their right to respect for private life and correspondence.
Special data categories
During monitoring, the employer may accidentally gain access to special categories of employees’ personal data. For example, software that arbitrarily turns on a webcam and takes pictures to check that an employee is at work may capture data related to their personal life, including data whose processing is prohibited under Article 9(1) of the GDPR. Or, when analyzing traffic, an email from a medical institution containing information about an employee’s health status may end up in the collected data. To prevent such cases from becoming unfortunate mistakes that lead to penalties, the employer:
1) must be able to document that the purpose of the monitoring outweighs the risk of unintentional collection of special categories of personal data and that measures have been taken to ensure that the interests of the employee are respected;
2) must limit the amount and types of data collected as much as possible so as not to violate the principle of data minimization (Art. 5(1)(c) GDPR), collecting only as much information as is necessary to achieve the purpose, which must be documented;
3) must not use the data obtained for any other purpose (for example, must not include information obtained by observing the web resources visited by the employee during the working day in the data used for performance review, etc.);
4) must not store the information received longer than necessary to achieve the documented purpose;
5) must obtain the permission of the trade union body if national legislation (e.g., in Germany) requires such measures to be agreed with it.
Recently, a Dutch court found an employer’s requirement to keep a webcam on during working hours unreasonable. The employee pointed out that he already provided constant access to his desktop so that the employer could monitor his work, and that the requirement to keep the webcam on was not provided for in his contract. In addition, the camera being on made him feel uncomfortable. The court ruled that the employee’s privacy objections were justified.
In this context, the European Supervisory Authority (EDPB) has consistently emphasized in its guidelines that where any processing, in particular one using the latest technologies, and taking into account the nature, scope, context, and purposes of the processing, may lead to a high risk to the rights and freedoms of individuals, the data controller must conduct a data protection impact assessment (DPIA). If an employer provides employees with electronic devices for work, it should choose the most privacy-friendly solutions with regard to tracking technologies. Again, remember the principle of data minimization: collect only the data necessary to achieve the purpose.
A striking example of a violation of these guidelines is the decision of the Italian supervisory authority of 01.12.2022 in the case of the complaint of the FEDIRETS trade union. The union complained about the illegal collection of data on employees of the legal department of the Lazio Region administration, namely metadata related to the use of employees’ work email accounts. Since this data was obtained by the administrative authority in advance of the special inspection and stored for 180 days, the authority had access to information relating to the employees’ private lives, including their contacts and other non-work-related information. The supervisory authority found that the Region of Lazio had processed personal data without a lawful basis, in violation of the industry rules for remote monitoring of employees, and imposed a fine of EUR 100,000.
A video recording or image of a person obtained through a video surveillance system that can be used to identify that person (directly or indirectly) is considered personal data and is subject to the GDPR.
For example, in June 2021, the Lower Saxony Data Protection Commissioner imposed a fine of EUR 10.4 million on notebooksbilliger.de AG, which had been conducting video surveillance of its employees for at least two years without any legal basis, placing cameras in salesrooms, warehouses, and public areas.
Supervisory authorities in different countries have generally taken a unanimous view: while employers may have legitimate reasons to install CCTV cameras in office premises in certain cases, employees also have a legitimate expectation that their privacy will not be disproportionately intruded upon. Therefore, cameras should focus wherever possible on high-risk areas, such as cash registers or areas where human observation is difficult. Video surveillance should be avoided in areas where employees have a high expectation of privacy, such as break rooms, locker rooms, and restrooms. Employees should be informed that CCTV surveillance is being conducted, where it is conducted, and for what purpose. Where the use of CCTV has been justified for a specific purpose, such as security or health and safety, it should not be used for another purpose, such as monitoring attendance or staff productivity.
An employer using a video surveillance system is the controller of the relevant data and is obliged to implement organizational and technical measures to protect all components of the video surveillance system: document the purpose and scope of video surveillance and those responsible for managing and operating the system, determine the storage period of video recordings, define who has access to them and for what purpose, etc.
Therefore, the legality of video surveillance in office premises depends on the employer’s implementation of a number of measures, ranging from conducting a data protection impact assessment (DPIA) as per Article 35 of the GDPR to proper documentation and a variety of technical aspects.
The need for tools to control employee work (including remote work) is constantly growing, and companies are actively implementing employee monitoring software. The use of various control methods requires measures to be taken to process the data received under the GDPR and national legislation requirements and avoid penalties. The specialists of Legal IT Group will help you with this.