New guidance for employers on data processing

New guidance for employers on data processing

Given the rapid adoption of new workplaces technologies and ahead of the General Data Protection Regulation (“GDPR”), the Article 29 Working Party has released a new opinion on processing personal data in the context of the workplace.  The Opinion complements earlier opinions on employment-related processing and takes into account the new GDPR requirements.

The Opinion notes various scenarios where new technologies and their subsequent capacity to gather personal information could impact upon employees’ privacy – including using social media to screen potential recruits and the monitoring of employees’ personal devices.  

The Opinion provides guidelines for how legitimate processing might be achieved in certain scenarios and the safeguards that would need to be put in place.  It also considers how data protection concepts and principles – such as privacy by design, data minimisation and transparency – apply to the use of such technologies in the employment context.

Some key points from the Opinion include:

  • Legal basis for processing – for the majority of employee data processing, consent should not form the valid legal basis owing to the imbalance of power between employers and employees.  Instead, a different legal basis such as performance of a contract, legal obligation or legitimate interest will be required.  Where relying on ‘legitimate interests’, the processing must be necessary for the legitimate interest of the employer and proportionate to the business needs.
  • Recruitment – a legal basis (such as legitimate interest) will be needed to collect and process the personal data of job applicants, including their social media profiles.  Employers should only do so to the extent necessary and relevant to the performance of the relevant job and will need to inform the applicant before they engage with the recruitment process.
  • Monitoring – employers should consider the proportionality of the measures they are implementing and make their policies clear and accessible to employees.  When employees can use their own devices to carry out their job, employers should implement measures to prevent monitoring of the employee’s private information.
  • Other technologies – the Opinion also explores issues raised by wearable devices, video monitoring and telematics in company vehicles.

Contact our experts for further advice

Beverley Flynn

Search our site