
The GDPR Balancing Act: Employer Interests and Employee Privacy

Companies collect an employee’s data throughout their tenure, beginning with recruitment and concluding with resignation, termination, or retirement. This data is gathered and processed at every stage. Many organizations are deploying new HR technologies, including cloud services, to manage and support the entire employment lifecycle and to analyse data that can lead to HR improvements.

The rapid adoption of new technologies in the workplace has been useful in detecting the loss of intellectual property or data breaches caused by an employee. What’s more, predictive analytics and location data from smart devices can now be used to improve employee productivity. However, these technological developments are sometimes seen as intrusive and pervasive ways of monitoring employees more cheaply, and they have raised concerns and challenges about employee privacy and data protection.

Such technology does not give employers unfettered powers under the EU General Data Protection Regulation (GDPR). In many cases, monitoring every online activity of an employee has been held to be disproportionate and unreasonable when weighed against the employer’s interest in protecting the company’s IT systems from damage or in avoiding liability for illegal online activities.


For example, the Bărbulescu v. Romania case reviewed the dismissal of an employee of a private company after the employer monitored his electronic communications and accessed their content without giving any prior notice of monitoring. The European Court of Human Rights (ECHR) found that there had been a violation of Article 8 (right to respect for private and family life, the home, and correspondence) of the European Convention on Human Rights. Furthermore, the Court decided that the Romanian authorities had not adequately protected the applicant’s right to respect for his private life and correspondence, and had failed to strike a fair balance between the interests at stake.

In this case, the ECHR noted that an employer’s instructions could not reduce private social life in the workplace to zero, and that the right to respect for private life and the privacy of correspondence continued to exist, even if these rights might be restricted insofar as that is reasonable and legitimate reasons exist to justify monitoring.

In the Romanian case, the ECHR curtailed the employer’s power to monitor its employees’ communications after assessing the legitimate interest claimed and finding the monitoring excessive. In another recent case, however, the ECHR held that the scope of the monitoring and the degree of intrusion into the employee’s privacy were reasonable and within the legitimate interest of the employer.

In the latter case, an employee was fired by SNCF, France’s national rail company, on the basis of a search of the employee’s computer in his absence, in which SNCF found pornographic images and videos, as well as forged certificates. In its ruling, the ECHR held that there had been no breach of Article 8 of the European Convention on Human Rights, and that the domestic courts had examined the employee’s right to respect for private life and had not exceeded the ‘margin of appreciation’ available to them. The ECHR agreed that the files had not been identified as private, that SNCF had been legitimately ensuring that its computer was being used in line with contractual obligations and the applicable regulations, and that the employee had committed a serious breach of the SNCF professional code of ethics.

These two cases show that whether a dismissal based on employee monitoring is justified will depend on both the nature of the conduct and how materially it affects the employee’s employment under the GDPR.


Many companies use social media to recruit prospective candidates and assume that, since profiles on services such as LinkedIn, Facebook, or Twitter are publicly available, they are allowed to process that data for background checks. In countries like India and Singapore it is possible to use personal data that is publicly available. However, for candidates and employees covered by the new GDPR, a legal ground such as legitimate interest is required for processing even publicly available social media data. For example, if the employer wants to assess risks regarding candidates for a specific function, the candidates must be informed of any such processing before they engage in the recruitment process.

Under the existing European Union Directive 95/46/EC, the employer must follow the fundamental data protection principles when processing personal data in the employment context, namely necessity, purpose specification, transparency, legitimacy, proportionality, and security. These fundamental principles are further strengthened with additional requirements under the new GDPR, and the employer must now comply with the following principles before processing an employee’s data:

1. Legal basis

The Article 29 Working Party, in its Opinions 8/2001 and 2/2017, has clearly stated that consent cannot be the legal basis for processing employees’ data, because consent cannot be freely given owing to the nature of the employer-employee relationship. Hence, consent obtained in the employment contract for processing employees’ data and monitoring employees’ communications may not be valid unless a specific and informed indication of the employee’s consent is obtained. A valid legal basis exists when processing is necessary for the performance of an employment contract, for example to meet obligations such as protecting the safety of business assets or intellectual property rights, or to comply with legal obligations such as paying salaries, calculating tax, and making social security payments.

2. Legitimate interest

To rely on the legitimate interest of the employer, the processing of employees’ data should be strictly necessary for a legitimate purpose and proportionate to the business needs. When deploying technologies for monitoring or tracking employees, the organization must consider, first, the specific reasons justifying the introduction of the monitoring measures; second, whether the employer could have used measures entailing less intrusion into the employee’s private life and correspondence; and third, whether the communications might be accessed without the employee’s knowledge.

3. Transparency

It is important for companies to follow the transparency principle by informing employees of the existence of any monitoring, its purpose, and any other information needed for fair processing, for example by implementing an employee monitoring policy or providing prior notice to employees about the nature and extent of the monitoring.

4. Privacy by design

The GDPR requires employers to implement privacy by design at the time workplace technologies are developed, in order to determine the degree of intrusion into employees’ privacy and to apply data minimization.

5. Privacy impact assessment

The GDPR requires employers to carry out an impact assessment when deploying new technologies, to determine whether the monitoring is reasonable and fair. For example, when an employer deploys mobile device management to locate devices in real time, an assessment should be made to ensure that the data processing complies with the principles of proportionality and subsidiarity.


Today’s organizations are using cloud applications, hosted in data centers located outside of the European Union, to manage employee data, and they are still required to comply with the GDPR. In such cases, the organization must ensure an adequate level of protection for the transfer of data outside of the European Union, and subsequent access by other entities within the group must remain limited to the minimum necessary for the stated purpose. Similarly, if a company uses online office applications that process personal data, it should allow employees to save their personal data in a folder marked as ‘Private’, and it should not access such files without prior written notice and then only in the presence of the employee.

Under the GDPR, authorities have stressed prevention over detection, and have clarified on many occasions that employers should deter misuse (e.g., by blocking certain websites) rather than detect it (e.g., by continuously monitoring all communications). The latter would be considered disproportionate and would not be a legal ground under legitimate interest. As such, in-house counsel should prioritize prevention in order to protect their organization’s interests without encroaching on employees’ privacy.

About the Author

Kavitha Gupta is on the steering committee of the ACC India Corporate Counsel Forum and is senior legal counsel in the aviation industry. She has nearly 15 years of experience in the technology industry and was previously senior legal counsel at Hitachi Consulting, overseeing the legal, risk management, and corporate governance aspects of the company’s business for the APAC region. She also worked with Wipro Ltd., handling global compliance for the Americas and commercial IT contracts. She is a certified privacy professional (CIPP/A) from the IAPP.
