The Covid-19 pandemic saw the rise of remote working. In light of this, an increasing number of organisations are also seeking to adopt monitoring tools in order to observe the productivity of employees.
Under Article 4 of the General Data Protection Regulation (GPDR), behavioural characteristics of an individual constitutes as personal data. Therefore, the GDPR applies to the monitoring of employees’ behaviour. Any monitoring tools being rolled out in the European Union (EU) is therefore subject to the legislation.
Requirements under the GDPR
Whilst workplace monitoring is permitted under the GDPR, there are clear guidelines regarding the limits to such action. Pursuant to Article 6 of the GDPR, organisations must have a legal basis for any processing of employees’ personal data, including monitoring. Consent is usually not an appropriate legal basis due to a clear imbalance of power between the employer and the employee. Thus, in most cases, organisations must rely on other bases, such as legitimate interests. To this end, the principle of proportionality is crucial here; there is a need to strike a balance between the need and extent of monitoring and the intended aim.
In addition to the proportionality test, organisations should also carry out data protection impact assessments (DPIA). Article 35 of the GDPR provides that a DPIA must be performed for data processing that “is likely to result in a high risk to the rights and freedoms of natural persons.” Guidelines released by the Article 29 working party of EU data protection authorities refers to systematic monitoring as a high risk. It is therefore prudent for organisations to undergo a DPIA before adopting any monitoring tools to mitigate the privacy risks associated with the technology.
Furthermore, employers should be transparent regarding the monitoring activity. Employees should be informed regarding the reasons for monitoring, as well as what the monitoring involves and when and how it takes place. This is crucial as not providing proper notice to employees may lead to data protection authorities’ scrutinisation. Barclays Bank, for instance, has been under the investigation of the UK Information Commissioner’s Office (ICO) for using employee surveillance software without providing its employees with sufficient notice.
Involving works councils
Besides the necessity to comply with the requirement under the GDPR, organisations operating in the EU must remember to properly involve works councils before implementing any monitoring tools. This obligatory involvement of the works council is known as “co-determination right” and its scope differs based on the national legislation. Ignoring or not properly complying with the co-determination right can have detrimental consequences for the employer such as responsibility for the damages caused to the employee, invalidity of the employer’s decision or facing the legal proceedings initiated by the works council.
For instance, in The Netherlands, the employer needs to obtain consent of the works council for any decision to lay down, amend, or withdraw regulations aimed at or suitable for monitoring or checking the attendance, behaviour or performance of the persons working in the organisation. Notably, the employer does not even need to have an actual intention to check or monitor employees. What triggers the obligation to request works council consent is the mere fact that the introduced technologies are suitable for such purpose. Any decision taken without the endorsement of the works council is invalid by law if the works council submits an appeal to the employer within one month. The works council can also request the court to order the employer to refrain from any action of implementing the invalid decision.
Similarly in Austria, the employer needs to reach an agreement with the works council. However, unlike in Holland where consent is required for all technologies with the potential of surveillance, in Austria it’s only for those which interfere with human dignity. Without consent, such technologies would both be unlawful and could prompt compensation claims. The Austrian Supreme Court has already awarded damages to an employee who was monitored by a GPS tracker without the consent of the works council or the employee concerned (if there is no works council). It also confirmed the necessity of works council consent for alcohol breath-tests as it too qualifies as a measure affecting human dignity.
Germany is another country with very strong works council legislation where the employer cannot introduce technical devices designed to monitor the behaviour and performance of the employees without previous agreement with the works council. If they do, the works council can seek an injunction to block the use of such technology.
In contrast, France is an example of legislation where the works council only needs to be consulted in respect of the implementation of any means aimed at monitoring or controlling the employees’ activities. Naturally, such consultation must occur before the decision is taken and when the works council can still affect the decision.
Monitoring employees is a sensitive measure that requires a lot of compliance work to be done in advance on the side of the employer. As shown above, it is not only the GDPR that comes into play where there is legislation regarding works councils. While the GDPR primarily requires a proper DPIA assessment, works council legislation varies from country to country. For an employer operating in the EU, it is therefore important to look at national works council legislation when considering the use of monitoring tools.
HewardMills, as a global data protection officer (DPO), assists employers in all compliance efforts. Our consultants have long-standing expertise in performing DPIAs and, thanks to their international background, assess, evaluate and ensure compliance with national works council legislation. Proper assessment and observance of works council rights, whether these consist in consultation or consent granting, are essential and may avoid a flurry of legal issues.
By Claudia Chan and Katarina Sivakova