HomeInsightsArticle 29 Data Protection Working Party publishes Opinion on data processing at work

Contact

+44 (0)20 7612 9612
info@wiggin.co.uk

This Opinion complements the previous Article 29 Working Party publications Opinion 8/2001 on the processing of personal data in the employment context, and the 2002 Working Document on the surveillance of electronic communications in the workplace. The Working Party says that since publication of those documents, a number of new technologies have been adopted that enable more systematic processing of employees’ personal data at work, creating significant challenges to privacy and data protection.

The latest Opinion makes a new assessment of the balance between the legitimate interests of employers and the reasonable privacy expectations of employees by outlining the risks posed by new technologies and undertaking a proportionality assessment of a number of scenarios in which they could be deployed.

Whilst primarily concerned with the Data Protection Directive (95/46/EU), the Opinion looks toward the additional obligations placed on employers by the new General Data Protection Regulation. It also restates the position and conclusions of Opinion 8/2001 and the 2002 Working Document, namely that when processing employees’ personal data:

  • employers should always bear in mind the fundamental data protection principles, irrespective of the technology used;
  • the contents of electronic communications made from business premises enjoy the same fundamental rights protections as analogue communications;
  • consent is highly unlikely to be a legal basis for data processing at work, unless employees can refuse without adverse consequence;
  • performance of a contract and legitimate interests can sometimes be invoked, provided the processing is strictly necessary for a legitimate purpose and complies with the principles of proportionality and subsidiarity;
  • employees should receive effective information about the monitoring that takes place; and
  • any international transfer of employee data should take place only where an adequate level of protection is ensured.

To access the Opinion in full, click here.

Expertise