The Article 29 Working Party (WP29) has recently provided its Opinion 2/2017 on data processing at work. The Opinion, adopted on 8 June 2017, highlights the risks and challenges of processing employees’ personal data in light of new technologies. While the Opinion focuses on the current data protection regime, it also considers some of the obligations arising under the General Data Protection Regulation (GDPR) from 25 May 2018.
The Opinion emphasises that despite a proliferation of new and affordable technologies that facilitate both covert and overt surveillance, fundamental principles of data protection will continue to apply. These principles include:
- the satisfaction of a legal basis to process under Article 7 of the Data Protection Directive (DPD);
- whether the processing activity is both necessary and fair to the employee;
- whether the processing activity is proportionate; and
- whether the processing activity is transparent.
The WP29 reiterate that due to the imbalance between employer and employee, consent as a legal basis of processing will not be satisfactory for the majority of data processing at work. In some cases, the employer will be able to rely on contractual necessity to process personal data (such as paying the employee). The imposition of legal obligations (such as for the purpose of tax calculation) will also constitute a valid legal basis for processing. In order to rely on legitimate interests to legitimise data processing, the technology or method utilised must be necessary, proportionate and carried out in the least intrusive manner possible.
The WP29 emphasise that regardless of the legal basis for processing, a proportionality test should be undertaken prior to its commencement to consider whether the processing is necessary to achieve a legitimate purpose, as well as ensuring that any measures infringing the right to private life and secrecy of communications are limited to a minimum. This can form part of a Data Protection Impact Assessment (DPIA).
The WP29 comment that the GDPR requires the most privacy-friendly settings to be provided by default when an employer issues a device to an employee. The GDPR also requires a DPIA to be carried out when processing is likely to result in a high risk to the rights and freedoms of employees, particularly when new technologies are used. The employer must consult the supervisory authority prior to processing if these risks cannot be adequately addressed. The WP29 Opinion considers a number of data-processing-at-work scenarios in which new technologies have the potential to result in high risks to the privacy of employees. In all such cases the WP29 highlight that the employer must consider whether the proposed processing is: (i) necessary, and if so which legal grounds apply; (ii) fair to employees; (iii) proportionate to the concerns raised; and (iv) transparent.