GDPR in work life
Monitoring and control of employees in the workplace
Monitoring and control of employees in the workplace is not uncommon, for example when a company tracks employee performance or uses positioning technology or camera surveillance. When such control involves the processing of employees' personal data, the employer must comply with the rules of the GDPR. However, the employer’s right to control its employees is governed first and foremost by national labour law.
Requirements for employers to process personal data of employees
Below you can read a summary of what is required for the employer’s processing of personal data to be permitted and lawful under the GDPR.
Principles
All processing of personal data must be carried out in accordance with the seven fundamental data protection principles. The principles are set out in Article 5 of the GDPR and relate to:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Legal basis
Any individual processing of personal data must be based on a legal basis in order to be lawful. There are a total of 6 legal bases under Article 6 GDPR:
- Consent
- Performance of a contract with the data subject
- Legal obligation
- Vital interests
- Tasks carried out in the public interest or in the exercise of official authority
- Legitimate interest
Inform about the processing
Employees shall be informed about the processing of their personal data and the controls that the employer can carry out through the data. For example, personal data is collected when the employees use the company's IT systems, and they have the right to know what the employer is doing with that information. According to the main rule, the information about the processing must be provided in a clear, easily accessible and easily understandable way. The information must contain at least what is stated in Article 13 GDPR, or if applicable, Article 14 GDPR.
Impact assessment
Before the employer starts processing personal data, the employer must investigate whether a data protection impact assessment (DPIA) is required. The purpose of the impact assessment is to find out what risks the processing entails and what consequences it may cause. For example, the employer must carry out an impact assessment if, in a systematic manner, the employer wishes to monitor how employees use e-mail and the internet.
Can employers carry out monitoring and control of employees at workplaces and follow up on their work performance?
Yes, it may be allowed to monitor and control the employees at the workplace and follow up on their work performance, but the employer must comply with the rules of the GDPR when processing the personal data.
Is an employer allowed to monitor the employees' work performance?
It is common for employers to monitor employees’ work performance and process personal data in connection with this, for example when it is justified to follow up at an individual level rather than at group level.
However, it is not allowed to follow up on performance unless that was the purpose of the processing from the beginning. In addition, employees must have been informed of the processing. Personal data shall be processed for the purpose for which it was collected, not for other incompatible purposes.
Why do some employers monitor the employees' work performance?
The employer may have a need to measure work performance in order to fulfil the employment contract. For example, if a seller only works with commission-based salary, it is necessary to know how much the seller has sold, in order to be able to calculate and pay the correct salary. In such cases, the legal basis for the processing is the contract with the data subject (i.e., the employment contract).
Can the employer have a legitimate interest to measure and follow up work performance?
It may be permitted to measure and follow up work performance for a legitimate purpose, for example to manage, organise, plan and follow up the work of employees, provided that it is done in a reasonable manner that is not offensive to employees.
In such cases, it is often more appropriate to apply the legal basis of legitimate interest under Article 6(1)(f) GDPR. However, before the processing is carried out, the employer must carry out and document a balancing of interests to determine whether there is a legitimate interest or not.
Use of IT systems at work
Companies that process personal data have an obligation to protect it by taking appropriate technical and organizational security measures, in other words by having a sufficiently high level of information security. Therefore, it is important that the company also informs its employees about how to use, for example, IT systems. In addition, the company should establish procedures and instructions for employees on how to use, for example, their mobile phones and computers.
It is not uncommon for employers to prohibit their employees from installing mobile applications for private use, which are not necessary for the performance of their duties, on a work phone or work computer. The reason for this is to reduce the risk of unauthorized access to the work-related information on the device.
The employer may have a legitimate interest in following up whether the employees follow the instructions. The company may have access to logs of the use of IT equipment and systems, and check them regularly. However, it is important to keep in mind that logging can be privacy-sensitive processing, and therefore it is important that it is no more intrusive than necessary for the purpose.
Is it permissible for employers to use positioning systems (GPS) that indirectly track employees?
Yes, employers may be allowed to use positioning systems (GPS) that indirectly track employees. It has become more common for companies to use positioning systems (GPS) to check, for example, where their work equipment, such as vehicles, is located. This is the case, for example, in businesses that work with transport, such as couriers.
Tracking of the employees' location
It is important to understand that the use of positioning systems in many cases also monitors the location of employees. This makes it possible to monitor employees. Therefore, it is important to minimise the risk of undue intrusion into the privacy of employees.
Legal basis for the use of positioning systems (GPS)
Legitimate interest under Article 6(1)(f) GDPR is often the most appropriate legal basis to use for non-government employers to support their processing of personal data, when the processing involves the positioning of their employees.
Can employers use camera surveillance of employees at the workplace?
In order for a company to implement camera surveillance in the workplace, there must be strong reasons. This is because it is an intrusion into privacy that many people want to avoid while working. Companies do not always need a permit to conduct camera surveillance at the workplace, but this does not mean that it is always allowed.
For example, a company may have reasons to have camera surveillance in the office during the nights after work hours to prevent crime, such as burglary. A company may also have strong reasons to monitor its stock, in cases where the products have a high value.
Legal basis for camera surveillance of employees
It is common for employers, who are not public authorities, to use legitimate interest under Article 6(1)(f) GDPR as the legal basis for camera surveillance of employees.
Is it allowed for employers to implement camera surveillance to check how employees work?
No, an employer is generally not allowed to implement camera surveillance to check how employees work. It is forbidden to use cameras in the workplace to regularly monitor work performance and how employees work.
However, camera surveillance may be permitted in certain hazardous manufacturing processes or other specific circumstances, in order to prevent accidents and protect personnel or property.
Conduct an impact assessment before the camera surveillance begins
It is important to keep in mind that the employer may need to carry out and document a data protection impact assessment (DPIA) before the camera surveillance begins. In addition, the employer may need to request a prior consultation with the responsible data protection authority, if there is still a high risk for the data subjects. Furthermore, it is important to inform employees about the camera surveillance in a privacy notice.
Company received a fine after having had camera surveillance where employees changed clothes
One company received a fine of EUR 34 000 from the Icelandic Data Protection Authority after having had camera surveillance at the place where the employees used to switch to their work clothes. In addition, the company had not informed the employees about the camera surveillance. The Icelandic Data Protection Authority also ordered the company to cease camera surveillance in the dressing room.
Is it permissible to check the company’s vehicles or other equipment using positioning technology (GPS)?
Some companies, including those in the transport sector, often track their vehicles and other equipment through positioning systems. Indirectly, this means that the employer also monitors its employees and where they are located.
Such monitoring poses a risk to employees. The employer should analyse whether they need to carry out a data protection impact assessment (DPIA) before commencing such processing.
What information is it not allowed to process?
Please note that having a legal basis to collect personal data does not mean that the collected data may be processed in any way. For example, a company should not use the data collected to check how long employees' breaks are, even if such information could be deduced from the data collected.
When a vehicle is used by the employee both privately and at work
If an employee is allowed to use the vehicle both for work and private purposes, the employee should be able to turn off the tracking when not working. Most often, it is forbidden to monitor the vehicle position of employees when they are not working.
Legal basis for the use of positioning techniques for employee monitoring:
- Legitimate interest is the most common legal basis that companies use when monitoring employees through positioning technology. Examples of when an employer may have a legitimate interest in monitoring employee positioning include the following:
  - Security reasons.
  - Allocation of resources.
  - Management and administration of logistics.
- Legal obligation may instead be an appropriate legal basis to use in certain cases. For example, if the employer needs to report driving records from their employees to the tax authority.
More information about GDPR
Responsibility for employers when processing personal data
The employer is the controller of personal data when processing its employees’ personal data. Often, the employer processes sensitive personal data of the employees, such as information on sick leave (which is data on health), as well as privacy-sensitive data, such as bank details and account numbers for payroll payments. The employees are thus considered data subjects under the GDPR. They have the right to information about the processing from the employer, including the right to request that their other rights under the GDPR be met. Therefore, it is important that the employer has internal procedures in place to inform its employees and handle such requests from them.