Monitoring employees personal data at work
Monitoring of employees’ personal data at work
A recent piece of legislation which came into force on the 31st of July, 2018 sets out specific conditions for certain categories relating to the personal data of employees. These special rules concern cases when employers use monitoring systems by electronic communication and/or means of video surveillance at work.
As per Article 5 of Law no. 190/2018 on the implementation of Regulation (EU) 2016/679 from the European Parliament and from the Council of the 27th of April, 2016 on the protection of natural persons with regard to processing personal data and on free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), for the lawful processing of personal data of employees in the above-mentioned cases the following cumulative conditions must be met:
1. a) the legitimate interests pursued by the employer are thoroughly justified and prevail over the interests or rights and freedoms of the data subjects;2. b) the employer has informed employees in advance, completely and explicitly on the intended data processing. This can be via a written notification accessible to all employees. The notification should be concise and easy to understand, using clear and plain language, in order for employees to get a clear, accurate and complete understanding of what processing biometric data and other personal data would entail. How data is effectively protected, for example by use of a password, who will have access to the data, the processing purpose , the legitimate interests pursued by the employer for such processing, the storage period, how long this measure will subsist and the employees’ rights in relation to personal data processing;
3. c) the employer has consulted with the trade union or (depending on the case) with employees’ representatives, before introducing monitoring systems. The Employer’s obligation is to consult trade union/employees’ representatives in respect to the proposed monitoring rules, without requiring the approval of the trade union/employees’ representatives. It is recommended that the exchange of views between employer and trade union/employees’ representatives, be documented. For example, a written invitation to consultations should be issued and minutes of the meetings should also be recorded in writing. This is to ensure transparency for employees in regards to the introduction of monitoring systems by the employer. These recommendations are set out in Opinion no. 2/2017 by the European Data Protection Board on the processing of personal data at work.
4. d) other less intrusive forms and methods of achieving the purpose pursued by the employer have proven inefficient in the past. Such monitoring methods may be used by the employer only after other less intrusive forms/methods have been implemented and these have proven inefficient. The employer should ensure that the supervision of employees by use of this monitoring process is based on a legitimate need aligned with the purpose pursued. Once such purpose ceases to exist, the measure must be terminated or replaced by another, less intrusive system;
5. e) the storage period of personal data is proportional to the processing purpose, but shall not exceed 30 days, except in situations expressly regulated by law or duly justified cases.
We strongly recommend revisiting the internal regulations/employers’ monitoring policies which are currently applicable to employees, in order to ensure compliance with the above principles.
In case of failure to observe the above rules, the National Supervisory Authority for Personal Data Processing may issue a warning or even apply a fine amounting to a maximum of 20,000,000 Euros or an amount equal to 4% of the annual turnover (based on the previous year) whichever is higher.