The monitoring of employees remains an interesting and difficult area of law. Large companies have to grapple with:
We consider these issues in light of decisions issued by the Italian and Luxembourg supervisory authorities and recent guidance from the UK Information Commissioner.
The Italian supervisory authority, the Garante per la protezione dei dati personali (“Garante”), has taken action against an employer for the following three breaches:
A biometric alarm system
The company had installed an alarm system that was activated and deactivated by using employees’ fingerprints. This system stored biometric data, such as the employees’ fingerprints, jointly with their names, the environment in which access was enabled and the indication of the fingers used to activate/deactivate the alarm system.
The Garante decided that:
Geolocation of employees’ smartphones
The company installed an application on some employees’ smartphones to locate them via GPS when they worked offsite. However, the application: (i) tracked the employees on a continuous basis; and (ii) collected the time and date of the geolocation detection. Some of these data had been stored since 2014.
The Garante decided this personal data had been collected in violation of the specific employment laws on remote monitoring and of the lawfulness and minimisation principles set out in Article 5 GDPR. In particular, under Article 4 of Law No. 300/1970, remote monitoring of employees may only be carried out for: (a) organisational and production requirements; (b) work safety; and (c) protection of company assets. This can be carried out only with the agreement of trade union representatives or the Labour Inspectorate.
Video surveillance of the reception area
The company’s legal representative was able to use his smartphone to access a video camera installed in the reception area and, thus, see all the employees passing by that same area. Not only could he monitor them but also admonish them using a speaker in the camera. It has also been ascertained that access to the video surveillance system was granted not only to the legal representative, but also to his wife, as owner of the subscription to the app installed in the smartphone, and to his two children.
The Garante observed that the company: (i) had not provided employees with a privacy notice regarding the camera, not even the short notice to be placed near the video surveillance area; and (ii) had not obtained any authorisation from trade union representatives or the Labour Inspectorate.
The Garante issued a fine of €20,000 for the breach of Article 114 of the Italian Data Protection Code and Articles 5, par. 1, a and c, 9, 13, 88 of the GDPR.
The principles laid down by the Garante mirror those in recent enforcement and guidelines by the Luxembourg supervisory authority, the Commission Nationale pour la Protection des Données (“CNPD”).
After onsite investigations on geolocation and video surveillance systems, the CNPD issued fines ranging from €200 to €12,500. The CNPD found violations of article 5 of the GDPR – including the principles of: (i) data minimisation (article 5, par. 1, c); and (ii) storage limitation (article 5, par. 1, e). We consider the thematic findings below:
Avoid continuous and permanent surveillance
The CNPD considers that employees have the right not to be subject to continuous and permanent surveillance at the workplace, as that would create considerable psychological pressure for them. In compliance with the principle of proportionality, the controller must use the means of surveillance most protective of the employees’ private sphere and, for example, limit the cameras’ field of view to the area which needs to be filmed for the purpose pursued.
This in principle excludes surveillance cameras in places reserved for employees’ private use, such as canteens or kitchenettes, changing rooms, smoking areas, rest areas, etc.
It also means that monitoring aimed at securing an entry point to the building should not cover the reception personnel. The same applies to cameras filming checkouts, which should be configured in such a way as to ensure that employees behind the counter are not targeted.
This prohibition on permanent surveillance seems to apply even: (i) if there is no intention to monitor employees, but the layout of the cameras allows for such permanent surveillance; and (ii) if the images captured by the cameras are not recorded, but only transmitted in real time to a control monitor.
It is not acceptable for the controller to delegate its responsibility to comply with GDPR to its employees, by asking them to ensure themselves that they are not being filmed during working hours.
In certain cases, the risk to staff security may be so great that it takes precedence over the protection of their privacy. For example, since robberies in banking establishments are often accompanied by violence, it may be necessary for certain employees to be under permanent surveillance. However, to be proportionate the monitoring must be adequate, relevant and not excessive. Consequently, the cameras’ field of vision must not focus on a particular employee’s workstation. If this cannot be avoided, the employee’s face must not be visible (e.g. by using masking or blurring techniques).
Geolocation should only be used when necessary
Furthermore, an employer should only use a geolocation system if there are no alternative means of achieving the desired purpose that are less intrusive on privacy.
Using a geolocation system to permanently monitor employees is objectionable in principle. This is a disproportionate breach of their right to privacy in the workplace. In particular, employers do not have the right to monitor employees outside working hours (which includes days off, lunch breaks, journeys between home and work, medical examinations and weekends).
For this reason, the CNPD distinguishes between vehicle tracking where the vehicle can be used for personal purposes and vehicle tracking where it can only be used for work purposes. In particular:
In addition, the CNPD considers that processing data relating to speeding is disproportionate unless it is based on a legal obligation imposed on the employer.
Don’t keep data for too long
The CNPD has also suggested specific retention periods for this type of personal data:
The UK data protection regulator, the Information Commissioner (“ICO”), issued guidance this October on lawful monitoring in the workplace.
The guidance is supported by research commissioned by the ICO that reveals that over two thirds (70%) of people surveyed said they would find monitoring in the workplace intrusive and that fewer than one in five (19%) people would feel comfortable taking a new job if they knew that their employer would be monitoring them.
These findings are curious. The ICO includes a broad spectrum of monitoring activities ranging from monitoring clocking in/out times (which for some jobs is routine and unproblematic) all the way through to monitoring employees’ personal phones (which is exceptionally rare and potentially illegal). Arguably, these findings do not reflect the nuance in different monitoring activities.
The guidance itself is generally sensible and provides useful examples to help walk the line between legitimate monitoring and unlawful and disproportionate surveillance. The overall position is arguably more permissive than the position taken by some EU data protection authorities. However, the guidance contains the following points of note:
The CNPD’s decisions are available here.
The ICO’s guidance is here.