Monitoring employees’ personal data at work
New legislation came into force on 31 July 2018 that sets out specific conditions for certain categories of personal data of employees. These special rules are aimed at situations where employers use electronic monitoring systems and/or video surveillance of employees at work.
Article 5 of Law no. 190/2018 deals with the implementation of EU Regulation 2016/679 (repealing Directive 95/46/EC) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
For the lawful processing of employees’ personal data in the above-mentioned situations the following conditions must all be met:
1. the legitimate interests pursued by the employer must be thoroughly justified and prevail over the interests or rights and freedoms of the data subjects;
2. the employer must inform employees in advance, completely and explicitly, about the intended data processing. This can be done by a written notification accessible to all employees. The notification should be concise and easy to understand, using clear and plain language, in order for employees to get a clear, accurate and complete understanding of what the processing of biometric data and other personal data would entail. For example: how data is effectively protected (e.g. by the use of a password), who will have access to the data, the purpose of processing, the legitimate interests pursued by the employer for such processing, the storage period, how long this measure will remain in place and the employees’ rights in relation to the processing of personal data;
3. the employer must have consulted either with the trade union or with employees’ representatives, before introducing monitoring systems. The employer must consult in respect of the proposed monitoring rules, but does not need the approval of the trade union/employees’ representatives. It is recommended that the exchange of views between them should be documented. For example, a written invitation to consultations should be issued and written minutes of the meetings should be made. This is to ensure transparency for employees regarding the introduction of monitoring systems. These recommendations are set out in Opinion no. 2/2017 of the European Data Protection Board on the processing of personal data at work;
4. any such monitoring methods may only be used by the employer after other less intrusive forms/methods have been implemented and have proven to be inefficient. The employer should ensure that the supervision of employees by use of this type of monitoring process is based on a legitimate need in accordance with the purpose pursued. Once such purpose ceases to exist, the measure must be terminated or replaced by another, less intrusive system; and
5. the storage period of personal data must be proportional to the processing purpose, but must not exceed 30 days, except in situations expressly regulated by law or in duly justified cases.
We strongly recommend that employers revisit their internal regulations and/or their monitoring policies to ensure they are in compliance with the above conditions.
Failure to observe these new rules may result in the National Supervisory Authority for Personal Data Processing issuing either a warning or a fine of up to either 20,000,000 Euros or 4% of the annual turnover of the company (based on the previous year’s turnover), whichever is the higher.