EU Article 29 Working Party Releases Extensive GDPR Guidance on Data Processing at Work
The EU’s Article 29 Working Party (“WP29”) has issued new guidance on data processing in the employment context (available here). Adopted on June 8, 2017, the guidance primarily takes account of the existing data protection framework under the EU Data Protection Directive (Directive 95/46/EC), but also considers the developments coming into force on May 25, 2018 under the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).
The WP29 released the guidance partly as a result of the GDPR, but also due to the number of new technologies that have been adopted since previous WP29 publications relating to personal data in the workplace (see Opinion 8/2001 on the processing of personal data in the employment context and the 2002 Working Document on the surveillance of electronic communications in the workplace). As the WP29 observes, these new technologies enable extensive systematic processing of employees’ personal data and present significant challenges to privacy and data protection.
The new guidance is not restricted to the protection of persons with an employment contract, but is more expansive in scope and intended to cover a range of individuals in an employment relationship with an organization, such as applicants and part-time workers (the term “employee” applies broadly in all such contexts). The guidance discusses a number of distinct employment scenarios: processing operations during the recruitment and employee screening stage; processing for monitoring ICT usage in and out of the workplace; time, attendance and video monitoring; processing relating to employees’ use of vehicles; as well as the disclosure of employee data to third parties and international transfers of personal data.
The WP29 observes the special risks that can arise from the increasing reliance on technologies by employers, such as enhanced IT monitoring capabilities, technologies that track the location of devices, computers routinely used by staff in performing their jobs, and the collection of information from social networking sites. It recommends that in all cases employers should consider whether:
the processing activity is necessary, and if so, what legal grounds apply to justify the processing as a matter of data protection law;
the proposed processing of personal data is fair to the employees;
the processing activity is proportionate to the concerns raised or the issues meant to be addressed; and
the processing activity is transparent to staff.
The WP29 offers a series of recommendations for employers, advising against the use of automated decision-making, and repeats the assertion that given the imbalance of power, employees can only give free consent in exceptional circumstances, meaning consent will rarely be a legitimate legal basis for processing.
The WP29 also intends to release guidance in the coming months on other GDPR topics such as transparency, certification, breach notification and data transfers, to add to recent guidance on data portability, Data Protection Officers and the “One Stop Shop.”
Rosie Klement is co-author of this article.