The EU’s Article 29 Working Party (“WP29”) has issued new guidance on data processing in the employment context.  Adopted on June 8, 2017, the guidance primarily takes account of the existing data protection framework under the EU Data Protection Directive (Directive 95/46/EC), but also considers the developments coming into force on May 25, 2018 under the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).

The WP29 released the guidance partly as a result of the GDPR, but also due to the number of new technologies that have been adopted since previous WP29 publications relating to personal data in the workplace (see Opinion 8/2001 on the processing of personal data in the employment context and the 2002 Working Document on the surveillance of electronic communications in the workplace).  As the WP29 observes, these new technologies enable extensive systematic processing of employees’ personal data and present significant challenges to privacy and data protection.

The new guidance is not restricted to the protection of persons with an employment contract, but is more expansive in scope and intended to cover a range of individuals in an employment relationship with an organization, such as applicants and part-time workers (the term “employee” applies broadly in all such contexts).  The guidance discusses a number of distinct employment scenarios: processing operations during the recruitment and employee screening stage; processing for monitoring ICT usage in and out of the workplace; time, attendance and video monitoring; processing relating to employees’ use of vehicles; as well as the disclosure of employee data to third parties and international transfers of personal data.

The WP29 observes the special risks that can arise from the increasing reliance on technologies by employers, such as enhanced IT monitoring capabilities, technologies that track the location of devices, computers routinely used by staff in performing their jobs, and the collection of information from social networking sites.  It recommends that in all cases employers should consider whether:

  • the processing activity is necessary, and if so, what legal grounds apply to justify the processing as a matter of data protection law;
  • the proposed processing of personal data is fair to the employees;
  • the processing activity is proportionate to the concerns raised or the issues meant to be addressed; and
  • the processing activity is transparent to staff.

The WP29 offers a series of recommendations for employers, advising against the use of automated decision-making, and repeats the assertion that given the imbalance of power, employees can only give free consent in exceptional circumstances, meaning consent will rarely be a legitimate legal basis for processing.

The WP29 also intends to release guidance in the coming months on other GDPR topics such as transparency, certification, breach notification and data transfers, to add to recent guidance on data portability, Data Protection Officers and the “One Stop Shop.”  InsidePrivacy will be tracking and reporting on these developments.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.