Processing employee data in the digital era must be done properly

On 8 June 2017, the Article 29 Working Party, the independent EU advisory body on data protection and privacy, published an opinion (02/2017) on data processing at work (the “Opinion”). The Opinion takes into account the upcoming entry into force of the GDPR and also refers to the Working Party's opinion 8/2001 on the processing of personal data in the employment context and its 2002 working document on the surveillance of electronic communications in the workplace.

In this Opinion, the Working Party has provided guidelines for the legitimate use of new technologies in 9 specific situations (e.g. looking at the social profiles of prospective candidates during the recruitment process, the use of a Data Loss Prevention tool to monitor outgoing e-mails automatically, BYOD, vehicle telematics, etc.), detailing measures to safeguard the legitimate interest and fundamental rights of employees.

In all such cases, employers should consider whether:

1. the processing activity is necessary, and if so, the legal grounds that apply;

In this regard, it is worth noting that in the majority of cases of employee data processing, the legal basis of that processing cannot be the consent of the employees, since that consent cannot be freely given. Processing personal data in the employment context must therefore rely on other legal grounds, such as the performance of a contract and/or compliance with legal obligations (e.g. for the purpose of tax calculation and salary administration).

2. the proposed processing of personal data is fair to the employees;

3. the processing activity is proportionate to the concerns raised; and

4. the processing activity is transparent.

It should also be noted that, according to the Working Party, technologies enabling employers to locate devices remotely, deploy specific configurations and/or applications, and delete data on demand should be subject to a prior Data Protection Impact Assessment (DPIA), as required under the GDPR.

The above opinions and working document can be found on: