A GDPR-PROOF WORKPLACE – 5 MUST-KNOWS FOR EMPLOYERS
28 September 2017
In a very recent judgement, the Strasbourg Court of Human Rights ruled that employers can monitor their employees’ messages only within certain limits. This judgement gave me the idea to collect 5 areas of the employment relationship in which employees’ personal data may be collected and processed, and in which the principles of the GDPR, such as lawfulness or purpose limitation, should therefore be taken into account.
Can you check the candidate’s Facebook profile?
Personal data handling issues arise even during the recruitment process. I hear from more and more employers that during the recruitment of new staff, they check the social media profiles of the candidates.
Just to mention some aspects, the principle of lawfulness allows employers to collect and process personal data relating to job applicants to the extent that the collection of those data is necessary and relevant to the performance of the job. Thus, if you inform candidates in advance, it can be GDPR-compliant to review their career path on LinkedIn. Nevertheless, there is no legal ground for checking the relationship status of a prospective employee on Facebook.
It is very common for employers to ask candidates to fill out fitness tests during recruitment. Based on the principle of data minimization, the employer should not send an office-job applicant a questionnaire with specific questions about his health condition that are only relevant for blue-collar workers.
Last but not least, as soon as it becomes clear that a job offer will not be made to the applicant, his data should be deleted in accordance with the principle of storage limitation, unless he specifically consented to the retention.
Can you monitor employees’ ICT usage?
Nowadays it is quite usual for employers to monitor the electronic communication (e.g. e-mail, instant messaging) or Internet use of their employees in the workplace. There are several types of monitoring systems, for example DLP tools, which make it possible to monitor outgoing communication for the purpose of detecting potential data breaches.
Although the prevention of data loss can be a legitimate interest for personal data processing, deploying a monitoring system may only be lawful if the employer takes the privacy principles into consideration. First and foremost, to comply with the principle of proportionality, the employer must consider whether he could use another, less invasive method, for example simply blocking the websites he does not want his employees to visit instead of monitoring their Internet usage. This means that in some cases no monitoring may take place at all.
If monitoring is possible, it must be transparent, which requires the employer to notify the employee in advance. Also, the monitoring practice should include limitations where possible, such as sampling instead of continuous monitoring.
Can you control your employees working remotely?
It has become more common that employers allow their employees to work from home. In fact, some studies show that employees who work from home are more productive compared with their in-office counterparts. However, working from home without the implementation of appropriate technical safeguards can be very risky for the employer. In order to reduce the risk, employers may implement software packages. Some of them are even capable of logging keystrokes or mouse movements.
Nevertheless, before deploying such packages employers should consider the principle of lawfulness. It is very unlikely that the legitimate interest of protecting the employer’s business secrets may be a ground for recording an employee’s mouse movements.
With proportionate methods and accurate policies, employers can reach the goal of being protected without violating the employees’ right to private life.
Can you use the entry-exit system for performance evaluation?
To measure attendance and the time spent at the workplace, employers often use systems that enable them to track the employees’ entries and exits. In some cases, these devices are used for safety reasons, for example to monitor who has entered a room where business-sensitive data is maintained.
On the one hand, based on the Labour Code, employers are obliged to keep records about the working time, so the necessity to fulfill this legal obligation may be a legitimate ground to use the entry-exit system.
On the other hand, the continuous monitoring of the frequency and the exact entrance and exit times of the employees could hardly be justified if these data were used for performance evaluation, since this would not comply with the principle of lawfulness.
Can you track your employees’ company car?
Some positions require employees to use company vehicles, and for safety reasons technologies that enable employers to monitor their vehicles have become widely adopted. Some of these devices collect data not only about the car itself but also about the employee (e.g. driving behavior). If the employer allows the employee to use the car for private purposes, the collection of personal data is of even greater concern.
Employers must bear in mind the principles of proportionality and subsidiarity. Where private use of the car is allowed, it is unlikely that there will be a legal basis for monitoring the locations of the employees’ vehicles outside working time. Thus, in order to be compliant with data protection rules, employees should have the possibility to turn off the location tracking.
To sum up the above, I suggest that you pay particular attention to the privacy principles and take the necessary measures (e.g. setting up policies) when you decide to deploy monitoring systems or otherwise collect the personal data of your employees.