Employer’s obligations when processing personal data. Article 29 Working Party Releases Opinion on Data Processing at Work in relation to GDPR (July 2017)

Article 29 Working Party Releases Opinion on Data Processing at Work in relation to GDPR

The constant increase of new information technologies, amount of generated data and new methods of data processing at a workplace is positive on the one hand. However, it also contributes to risks and challenges for both employers and employees since the distinction between private and work-related processing and monitoring of personal data is becoming harder to distinguish. The balance of employees´ privacy rights and data protection principles with employers´ legitimate interests has become increasingly relevant.
The Opinion of Article 29 Working Party on Data Processing at Work (02/2017) aids to specify the legal terms and principles applied in GDPR and provides updated guidelines and evaluation of the needed balance between
employers´ legitimate interests and employees´ privacy rights. The WP does so by applying the proportionality test on chosen employment scenarios ranging from recruitment process or employees screening, to monitoring of ICT usage, BYOD or wearable devices, and vehicle monitoring systems. Despite the employers´ ownership of the electronic means in all of these scenarios any processing should be limited to activity that is (a) necessary, (b) fair, (c) proportionate and (d) transparent.
Performance of contract or fulfilment of legal obligations are straightforward legal grounds for data processing. However, given the weaker power position of employees, their consent will in general not constitute valid legal ground to justify processing of employees´ data by employers. Legitimate interests of employers will have more weight but will not always outweigh rights and freedoms of employees. Therefore, the Working Party recommends employers to engage with proportionality test before any processing of employees´ data. Is the processing necessary to achieve legitimate purposes and proportionate to particular business needs? Either way, employees should be clearly and fully informed regarding processing or monitoring of their personal data and thus employers should avoid automated decision-making. When deciding on deployment of new technologies the principle of data minimization should be taken into account. Information should be stored for a specified minimum time period and deleted when no longer needed.

http://ec.europa.eu/newsroom/document.cfm?doc_id=45631