WP 29 releases an extensive opinion on data processing at work

The EU’s “Article 29 Working Party” (WP29) has adopted new guidance on the processing of personal data in the employment context (the New Opinion). This New Opinion complements their 2001 opinion and 2002 working document.

WP29 is the Data Protection Working Party established by Article 29 of Directive 95/46/EC. It is an independent European advisory body on data protection and privacy.

WP29 has released this New Opinion to take into account the developments coming into force in 2018 under the General Data Protection Regulation (GDPR), but also to respond to new information technologies that enable the more systematic processing of personal data (such as wearable devices, BYOD, GPS tracking systems).

The New Opinion discusses, via a series of practical scenarios, proportionality assessments for processing operations (i) during the recruitment process, (ii) resulting from in-employment screening, (iii) resulting from monitoring ICT usage at and outside the workplace, (iv) relating to time and attendance, (v) using video monitoring systems, (vi) involving vehicles used by employees, (vii) involving disclosure of employee data to third parties and (viii) involving international transfers of HR and other employee data.

Through practical scenarios, WP29 gives its opinion by providing answers to a number of specific situations, such as, for example:

• Can I check the social media profiles of job candidates? Summarised answer: if there is a legal ground and candidates are informed (eg in the text of the job advert).
• Can I give fitness monitoring devices to my employees? Summarised answer: yes, but the health data should not be accessible to employers.
• Can I monitor the LinkedIn profiles of former employees during the duration of non-compete clauses? Summarised answer: only if (i) necessary to protect legitimate interests, (ii) no less invasive means are available and (iii) the employee is informed.

Not all issues are covered in the New Opinion. Topics such as the analysis of biometric data are not discussed.

Finally, WP29 offers a series of recommendations for employers, and once again emphasises that it believes that, given the nature of the relationship between employer and employee, consent is highly unlikely to be a legal basis for data processing at work. Employers should preferably rely on legitimate interests instead.

The New Opinion stresses the need for transparency, proportionality and data minimisation. It also suggests, that where employees are expected to use online applications that process personal data, employers should consider enabling employees to designate certain private spaces to which the employer may not gain access under any circumstances, such as a private email or document folder.

WP29 also takes a broad view of the notion “employee” and wishes to cover all employment relationships, irrespective of the existence of an employment contract.

Organisations will need to ensure that their HR policies and processes are compliant with the applicable employment and data protection regulations, whilst protecting their business interests. This is particularly the case for life sciences companies, where avoiding threats from within (such as security, confidentiality or data protection breaches and industrial espionage) is very high on their agenda.

The full New Opinion can be found here.