The Article 29 Working Party has published Opinion 2/2017 on data processing at work.
The Opinion’s Executive Summary states that it ‘complements’
Opinion 8/2001 on the processing of personal data in the employment context
(WP48) , and the 2002 Working Document on the surveillance of electronic
communications in the workplace (WP55). The Opinion takes account of a number
of new technologies have been adopted that enable more systematic processing of
employees’ personal data at work, creating significant challenges to privacy
and data protection.
The Opinion is said to make ‘a new assessment of the balance
between legitimate interests of employers and the reasonable privacy
expectations of employees by outlining the risks posed by new technologies and
undertaking a proportionality assessment of a number of scenarios in which they
could be deployed’. It covers both the Data Protection Directive and the
additional obligations placed on employers by the GDPR.
It restates the position that, when processing employees’
personal data:
- employers should always bear in mind the fundamental data
protection principles, irrespective of the technology used; - the contents of electronic communications made from business
premises enjoy the same fundamental rights protections as analogue
communications; - consent is highly unlikely to be a legal basis for data
processing at work, unless employees can refuse without adverse consequence; - performance of a contract and legitimate interests can
sometimes be invoked, provided the processing is strictly necessary for a
legitimate purpose and complies with the principles of proportionality and
subsidiarity; - employees should receive effective information about the
monitoring that takes place; and - any international transfer of employee data should take
place only where an adequate level of protection is ensured.
