Part 11: Data Protection in the Workplace
Data privacy in an employment context remains an important challenge for companies. On the one hand, employers have a strong interest in monitoring personnel conduct or performance; few controllers are likely to have collected more personal data about an individual than their employer. On the other hand, employees have a legitimate expectation of privacy – including at their workplace. This inherent conflict of interests has created a considerable volume of case law regarding employee monitoring in several member states, relating to the permissibility of internal investigations and compliance controls.
Modern technology offers advanced technical options to monitor employee performance and conduct. Even standard IT applications may be used to control or record personnel behaviour in the workplace. Where previously the degree of employee supervision was limited by what the technology could do, rapid technological advancements mean that data protection laws are now the principal limitation in many jurisdictions. The Regulation is due to play a major role in this respect. As a consequence, employee data privacy has been one of the most hotly debated aspects of the Regulation, and it is expected that this area of data privacy will remain less harmonised than other fields of data protection.
Likely practical impact of the Regulation on employee data protection
For most member states, the Regulation will considerably change the landscape. Even for employers in member states with relatively strict employee data protection requirements, the upcoming data protection regime will create additional challenges.
As a general rule, all of the principles and restrictions of the Regulation also apply in the workplace. For instance, the new right of data portability means there will be a right to portability of data from one employer to another, and data privacy impact assessments may be required in many aspects of work life. Moreover, the severe maximum penalties which can be imposed under the new data protection framework are a strong encouragement for employers to ensure effective data protection for their employees.
Processing employees’ personal data for the performance of the employment contract
Personal data must be processed in a manner which is adequate, relevant and not excessive in relation to the purposes of the employment relationship for which they are processed. Current Article 6 (1)(b) of the draft Regulation will be particularly relevant in an employment context, since it permits the use of personal data to the extent that processing is necessary for the performance of the employment contract between data subject and controller.
However, Article 82 of the Parliament draft also contains extensive additional provisions aimed at protecting the rights and freedom of employees. In accordance with the provisions of the Regulation and the principle of proportionality, member states may adopt specific rules regulating the processing of personal data in an employment context. Among other things, profiling or the use of employee data for secondary purposes as well as the processing of employee data without their knowledge will be prohibited.
It remains to be seen to what extent these employee-friendly provisions will actually make it into the final version of the Regulation. In any case, it is likely that member states that traditionally have a high degree of employee data privacy will adopt employee-specific data protection rules. As a consequence, there may be considerable variations in employee data protection and, consequently, a lesser degree of harmonisation between the individual member states.
Processing employees’ personal data for other legitimate purposes
The processing of employee data may be legitimised by the general provisions of the Regulation. For example, Article 6 (1)(b) permits processing where this is necessary for the purposes of legitimate interests pursued by the employer or by a third party. However, this must be balanced against the interests or fundamental rights and freedoms of the data subject, i.e. the employee. Outside an employment context, this provision may permit the collection and other processing of employee data.
Processing employees’ personal data on the basis of collective agreements
Under Article 82 of the Regulation, member states may allow the processing of personal data to be governed by collective agreements, for example by collective bargaining agreements or works council agreements, which may be entered into between employers and employees’ representatives.
In some countries with strong employee representative rights, such as Germany, works council agreements are already a reliable and safe way to govern the use of data in the workplace. In member states permitting the use of employee data on the basis of collective agreements, it can be expected that domestic courts will quickly establish rules and standards for permissible collective provisions. However, this would then result in less EU-wide harmonisation regarding data protection in the workplace.
Processing personal data on the basis of employee consent
Article 6 (1)(a) of the Regulation provides that processing of personal data for one or more specific purposes may be lawful if the data subject has given unambiguous consent to it. Not surprisingly, such consent must be freely given. In some member states, the question whether and under what circumstances employees can consent to the processing of their personal data has been an ongoing debate for years and the Regulation does not resolve this issue. Therefore, it is unlikely that employee consent will ever be the most robust basis for the use of that data, and this needs to be factored in when justifying such uses.
What to do now
- Keep in mind that specific employee data protection rules may be passed by individual member states, which would prevent a high degree of harmonisation in this area.
- Align HR and data protection functions in order to ensure compliance with the new requirements.
- Analyse whether your business’ personnel and data protection structures provide the level of transparency required by the new data protection rules.
- Closely monitor whether member states relevant to your business/workforce implement specific employee data rules.
- If collective agreements (including works council agreements or collective bargaining agreements) apply to your business: closely analyse any existing agreements and negotiate necessary changes in a timely manner.
This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”