GDPR employment data processing explained by WP29

In the run-up to the implementation of the GDPR in 2018, the Article 29 Working Party (WP29) published a detailed Opinion on data processing at work. The text sheds light on key GDPR employment data processing issues.

GDPR employee data

Technological tools for profiling and monitoring employees’ behaviour are plentiful and enable increasingly intrusive monitoring. Examples include profiling via social media, use of wearable devices, video monitoring systems and monitoring of electronic communications via phone, email, internet browsing and application login. Hence, the volume of data collected on employees is immense and often relates to the strictly private sphere. One can therefore expect GDPR employment data processing rules to be interpreted strictly.

Consent insufficient for GDPR employment data processing

The EU’s top data protection body suggests that consent, the traditional legal requirement in personal data processing, cannot legally justify the data processing because of the inherent dependency in the employee-employer relationship. The legal ground for collecting employees’ data should instead be sought in the performance of the employment contract, such as for payment of salary; in other legal obligations, such as tax calculation; or in the legitimate interest of the employer.

In the latter instance, the specific method chosen should be necessary to achieve the legitimate interest of the employer, and the processing should be proportionate to the business needs. Additionally, when selecting the data processing technology, it is important that the least invasive option is chosen and that the data is stored for the minimum amount of time, in line with the data minimisation principle. In any case, fair data processing requires transparency over the existence of monitoring as well as its purpose and any relevant information.

GDPR employee social media profiling

In addition to the general guidelines applicable in the working environment, the opinion includes several specific scenarios, one of them being profiling via social media accounts. According to the data protection working party, the profiling of prospective employees through their public social media profiles is not allowed unless the profile is related to business and not private purposes. Moreover, the applicant should have been previously informed about the process and the information should be deleted in the event of a negative decision. 

Overall, given the ease with which advanced technological tools collect employee data and the imbalance of the employment relationship, significance should be given to the principles of transparency and proportionality. This leads to a fair balance between the legitimate interest of the employer and the employee’s right to private life and secrecy of communication.

Is your business GDPR-ready? Aphaia acts as outsourced Data Protection Officer and helps employers prepare for GDPR before May 2018.
