With the rollout of COVID-19 vaccination programs across the EU and the UK, employers are faced with questions about whether or not they are legally permitted to ask employees about their vaccination status and, if so, how that information may be used.

Employers may wish to inquire about the vaccination status of their employees in order to comply with their general obligation to ensure a safe workplace and minimize the risk of exposure to COVID-19.  This raises privacy issues under the General Data Protection Regulation (“GDPR”), because employees’ vaccination status falls within a special category of personal data that concerns the health of individuals (Art. 9(1)).  This category is subject to more stringent data protection measures due to the sensitive and personal nature of the data, and can only be processed in very limited circumstances (Art. 9(2)).

Continue Reading COVID-19: Processing of Vaccination Data by Employers in Europe

On July 5, 2021, the Italian Supervisory Authority (“Garante”) announced that it has fined Foodinho S.r.l. (“Foodinho”) 2.6 million EUR for its use of performance algorithms in connection with its employees. The authority held Foodinho in breach of the principles of transparency, security, privacy by default and by design, and held it responsible for not implementing suitable measures to safeguard its employees’ (i.e., riders’) rights and freedoms against discriminatory automated decision making. The Garante’s decision is the first of its kind in the realm of the algorithmic management of gig workers. According to the Garante, Foodinho’s management violated Article 22(3) of the GDPR.
Continue Reading Italian Supervisory Authority Fines Foodinho Over Its Use of Performance Management Algorithms

On October 1, 2020, the Hamburg Data Protection Authority (“Hamburg DPA”) fined H&M, the Swedish clothing company, over €35 million for illegally surveilling employees at its service center in Nuremberg.  This fine is the largest financial penalty issued by a German DPA to date for a violation of the European General Data Protection Regulation (“GDPR”), and the second highest in Europe issued by any DPA (although other DPAs have announced their intention to issue other larger fines).
Continue Reading H&M Receives Record-Breaking Fine for Employee Surveillance in Violation of the GDPR

On April 28, 2020, the Dutch Supervisory Authority (“Dutch SA”) announced its decision to impose a fine of €725,000 on a company for unlawfully processing the biometric data of its employees.

In 2018, the company concerned installed an access and time management system that collected and processed biometric templates of employees’ fingerprints.  This initiative came about following indications of fraudulent use of the company’s existing badge-based time management system.  After installation, the company’s old system co-existed with the new system, and employees were free to choose the method by which to sign in to work.  One of the employees subsequently filed a complaint with the Dutch SA, which led to this investigation.

Continue Reading Dutch Supervisory Authority Fines Company for Processing Biometric Data of Employees

Over the past several days, German Supervisory Authorities and health authorities have issued statements and guidance about the handling of personal data in the context of the ongoing COVID-19 pandemic.  In this blog, we consider some of these statements in greater detail, as well as their implications for employers and employees.

Continue Reading German Authorities Issue Guidance Related to Coronavirus

Today, one of the most critical risks a company can face is the cyber risk associated with its own employees or contractors.  Companies are confronting an increasingly complex series of cybersecurity challenges with employees in the workplace, including employees failing to comply with established cybersecurity policies, accidentally downloading an attachment containing malware or providing their credentials in response to a phishing scam, or intentionally stealing company information for the benefit of themselves or the company’s competitors by simply copying information to their email or a thumb drive and leaving the company.  Contractors or consultants with access to company systems can pose these same challenges.  To guard against these risks, companies can implement various policies and procedures covering the whole of an employee’s tenure, from pre-hiring to post-employment, and can implement many of these same precautions with respect to contractors, consultants, or any other third parties with access to company systems.
Continue Reading Cyber Risks in the Workplace: Managing Insider Threats

On September 5, 2017, the Grand Chamber of the European Court of Human Rights (“ECtHR”) issued its ruling on appeal in the case of Bărbulescu v. Romania, concerning alleged unlawful workplace monitoring of Mr. Barbulescu’s private communications.

Overturning the ECtHR’s prior ruling in the case (covered by Inside Privacy here), the Grand Chamber held that Romanian courts had not adequately and fairly weighed up the competing interests of Mr Barbulescu and his employer.  That defect of justice meant that Romania had failed to proactively protect Mr Barbulescu’s right to privacy, as required by its membership of the European Convention on Human Rights.

The Grand Chamber held that Mr Barbulescu’s right to privacy extended to his workplace, despite his private use of a work computer constituting a breach of his rules of employment.  The Grand Chamber held that while privacy in the workplace can be restricted “as necessary,” “an employer’s instructions cannot reduce private social life in the workplace to zero,” since the right to privacy does not necessarily depend on an individual’s reasonable expectations, and can be enjoyed in public and in the workplace, notwithstanding prohibitions and warnings given to the individual.  A thorough balancing exercise was therefore required in cases such as these.

The Grand Chamber underlined that provided national courts undertake an adequate balancing exercise, they have some discretion as to the actual result (i.e. whether the employer’s or employee’s rights prevail in a given case).  Similar discretion is also enjoyed by national legislators and constitutions when setting underlying rules on workplace privacy, provided such rules – and a means to enforce them – are actually in place.

Nevertheless, the ruling states that workplace monitoring must always be limited to what is necessary for a legitimate purpose, and should be accompanied by a range of safeguards, normally including prior notice to employees – particularly when the content of communications is concerned.
Continue Reading New Ruling in European Employee Monitoring Case

By Dan Cooper and Rosie Klement

The EU’s Article 29 Working Party (“WP29”) has issued new guidance on data processing in the employment context.  Adopted on June 8, 2017, the guidance primarily takes account of the existing data protection framework under the EU Data Protection Directive (Directive 95/46/EC), but also considers the developments coming into force on May 25, 2018 under the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).

The WP29 released the guidance partly as a result of the GDPR, but also due to the number of new technologies that have been adopted since previous WP29 publications relating to personal data in the workplace (see Opinion 8/2001 on the processing of personal data in the employment context and the 2002 Working Document on the surveillance of electronic communications in the workplace).  As the WP29 observes, these new technologies enable extensive systematic processing of employees’ personal data and present significant challenges to privacy and data protection.

The new guidance is not restricted to the protection of persons with an employment contract, but is more expansive in scope and intended to cover a range of individuals in an employment relationship with an organization, such as applicants and part-time workers (the term “employee” applies broadly in all such contexts).  The guidance discusses a number of distinct employment scenarios: processing operations during the recruitment and employee screening stage; processing for monitoring ICT usage in and out of the workplace; time, attendance and video monitoring; processing relating to employees’ use of vehicles; as well as the disclosure of employee data to third parties and international transfers of personal data.
Continue Reading EU Article 29 Working Party Releases Extensive GDPR Guidance on Data Processing at Work

On January 12, 2016, the European Court of Human Rights (ECtHR) ruled that an employer who had monitored an employee’s private communications during working hours had not breached the employee’s right to privacy (under Article 8 of the European Convention on Human Rights).

This judgment will influence how other European national courts and regulators view similar cases involving employer monitoring of employee private communications.  However, the full scope of the judgment remains somewhat unclear; in particular, it remains unclear whether the ECtHR would apply similar logic if the monitored communications had been carried out through a personal account, rather than a professional one.  Employers should also take note that the judgment emphasizes the need for employer monitoring policies to be reasonable and proportionate.  The judgment is available in full here.
Continue Reading European Court of Human Rights Rules That Employers Can Monitor Employee Private Communications