WP29 is an expert group who provides guidance to the authorities in the EU on data protection. The opinion is a supplement to previous publications "Opinion 8/2001 on the processing on personal data in the employment context" (WP48) and the 2002 "Working Document on the surveillance of electronic communications in the workplace" (WP49).
The Opinion makes a new assessment of the balance between legitimate interests of employers and the reasonable privacy expectations of employees by outlining the risks posed by new technologies and undertaking a proportionality assessment of a number of scenarios in which they could be deployed.
First and foremost, WP29 outlines a number of considerations the employer should always make, when there is a risk that data processing may result in high risks to the privacy of employees. These are:
Thus, the employer must at all times consider whether the processing of the data is proportional and necessary in any given situation. WP29 has commented on a number of "standard" situations where a processing of data in relation to the employment happens and what the employer should be aware of in these situations. Below are just a few main points from the opinion from WP29.
Social media in relation to the recruitment process and in-employment
Employers should not assume that merely because an individual’s social media profile is publicly available they are then allowed to process those data for their own purposes. A legal ground is required for this processing such as legitimate interest. In this context, the employer should — prior to the inspection of a social media profile — take into account whether the social media profile of the applicant is related to business or private purposes as this can be an important indication for the legal admissibility of the data inspection. In addition, employers are only allowed to collect and process personal data relating to job applicants to the extent that the collection of those data is necessary and relevant to the performance of the job which is being applied for. On this basis, it can be argued that it most likely will not be legitimate to review an applicant's Facebook profile (regardless of whether it is public or not), but that the LinkedIn profile likely will be okay to process data from.
Only if it is necessary for the job to review information about a candidate on social media, for example in order to be able to assess specific risks regarding candidates for a specific function, and the candidates are correctly informed (for example in the text of the job advert) the employer may have a legal basis to review publicly available information about candidates.
In-employment screening of employee's social media profiles should not take place on a generalized basis.
Monitoring of information and communication technologies (ICT) at the workplace and outside
According to the WP29, there is a need to take into account technological developments that have enabled newer, potentially more intrusive and pervasive ways of monitoring which could constitute an (even bigger) threat to employees’ privacy than before.
Firstly, employers must consider the proportionality of the measures they are implementing, and whether any additional actions can be taken to mitigate or reduce the scale and impact of the data processing. As an example of good practice, this consideration could be undertaken via a Data Protection Impact Assessment ("DPIA") prior to the introduction of any monitoring technology. Secondly, employers must implement and communicate acceptable use policies alongside privacy policies, outlining the permissible use of the organisation’s network and equipment and strictly detailing the processing taking place.
WP29 recommends that if a policy is made on this, a representative sample of employees is involved in assessing the necessity of the monitoring, as well as the logic and accessibility of the policy.
WP29 also states that if it is possible to block websites, instead of continuously monitoring all communications, blocking should be chosen in order to comply with this requirement of subsidiarity. Thus, more generally, prevention should be given much more weight than detection because the interests of the employer are better served by preventing internet misuse through technical means than by expending resources in detecting misuse.
Even more interesting is the question in relation to monitoring outside the workplace with the growth of homeworking, remote working and “bring your own device” policies. The key is first and foremost to address the risk posed by home and remote working in a proportionate, non-excessive manner, in whatever way the option is offered and by whatever technology is proposed, particularly if the boundaries between business and private use are fluid.
The employer must among other things consider the prohibition of the use of specific work devices for private use if there is no way to prevent private use being monitored — for example if the device offers remote access to personal data for which the employer is the data controller.
Mobile device management enables employers to locate devices remotely, deploy specific configurations and/or applications, and delete data on demand. Employees whose devices are enrolled in MDM services must also be fully informed as to what tracking is taking place, and what consequences this has for them.
Processing operations using video and involving vehicles
Video monitoring and surveillance continues to present similar issues for employee privacy as before: the capability to continuously capture the behavior of the worker. WP29 underlines, however, that employers should refrain from the use of facial recognition technologies. There may be some fringe exceptions to this rule, but such scenarios cannot be used to invoke a general legitimation of the use of such technology
Any employer using vehicle telematics will be collecting data about both the vehicle and the individual employee using that vehicle. Even if employers would have a legitimate interest to achieve these purposes, it should first be assessed whether the processing for these purposes is necessary, and whether the actual implementation complies with the principles of proportionality and subsidiarity. Thus, the employee should in principle have the option to temporarily turn off location tracking (i.e. "opt-out") when special circumstances justify this turning off, such as a visit to a doctor. In addition, WP29 states that it is unlikely that there is a legal basis for monitoring the locations of employees’ vehicles outside agreed working hours.
The concept of consent
The concept of consent has been discussed and debated many times by WP29. In this opinion, WP29 once again underline that they believe that employees are almost never in a position to freely give, refuse or revoke consent, given the dependency that results from the employer/employee relationship. Given the imbalance of power, employees can only give free consent in exceptional circumstances when no consequences at all are connected to acceptance or rejection of an offer.
In a Danish context, the employee consent has not been interpreted so strictly as the opinion of the WP29. The opinion is generally that consent can be given freely even though there is an imbalance of power between the employer and the employee. This interpretation is mainly due to the Danish tradition with a balanced employee/employer relationship and a general trust between the parties.
Effective communication should be provided to employees concerning any monitoring that takes place, the purposes for this monitoring and the circumstances, as well as possibilities for employees to prevent their data being captured by monitoring technologies. Policies and rules concerning legitimate monitoring must be clear and readily accessible. WP29 recommends involving a representative sample of employees in the creation and evaluation of such rules and policies as most monitoring has the potential to infringe on the private lives of employees.
Bird & Bird's comments
Overall the WP29 does not provide any ground-breaking principles, but to a wider extend an underlining and "expansion" of previous opinion due to the new technologies etc. Thus, the principles are more or less the same as described earlier on, but entails a higher level of detail than before due to the fact that each technical device and possibility should be considered.
Bird & Bird has big experience within the data protection field and assist multiple employers and companies on these data protection matters – especially in relation to the General Data Protection Regulation.