Data processing at work

28 june 2017

On June 8, 2017, Article 29 Working Party (“WP29”) adopted the new opinion 2/2017 on data processing at work, which makes a new assessment of the balance between legitimate interests of employers and the reasonable privacy expectations of employees by outlining the risks posed by new technologies and undertaking a proportionality assessment of a number of scenarios in which they could be deployed.

 WP29 conducted its analysis taking account the  current legal framework under Directive 95/46/EC (the Data Protection Directive or “DPD”) and the new Regulation 2016/679 (the General Data Protection Regulation or “GDPR”), which has already entered into force and which will become applicable on 25 May 2018. With regard to the proposed ePrivacy Regulation5, the Working Party calls on European legislators to create a specific exception for interference with devices issued to employees (WP29, Opinion 01/2017 on the Proposed Regulation for the ePrivacy Regulation, WP 247, 04 April 2017).

 Under the legal grounds analyzed,  WP29 pointed out that employers must  take note of the following:

- for the majority of such data processing at work, the legal basis cannot and should not be the consent of the employees (Art 7(a)) due to the nature of the relationship between employer and employee;

? processing may be necessary for the performance of a contract (Art 7(b)) in cases where the employer has to process personal data of the employee to meet any such obligations;

- it is quite common that employment law may impose legal obligations (Art. 7(c)) that necessitate the processing of personal data; in such cases the employee must be clearly and fully informed of such processing (unless an exception applies);

- should an employer seek to rely on legitimate interest (Art. 7(f)) the purpose of the processing must be legitimate; the chosen method or specific technology must be necessary, proportionate and implemented in the least intrusive manner possible along with the ability to enable the employer to demonstrate that appropriate measures have been put in place to ensure a balance with the fundamental rights and freedoms of employees;

- the processing operations must also comply with the transparency requirements (Art. 10 and 11), and employees should be clearly and fully informed of the processing of their personal data10, including the existence of any monitoring; and

- appropriate technical and organizational measures should be adopted to ensure security of the processing (Art. 17).

 WP29 highlighted the importance to guarantee transparency referring to the processing of personal data by means of  monitoring technologies.

 In addition, WP29 pointed out that data processing at work must be a proportionate response to the risks faced by an employer. The information registered from the ongoing monitoring, as well as the information that is shown to the employer, should be minimized as much as possible. Employees should have the possibility to temporarily shut off location tracking, if justified by the circumstances.

 Finally, WP29 provided an analysis related to the obligations introduced by “GDPR”, for all data controllers, including employers, which also include requirements such as data protection by design and data protection impact assessment.

 

Avv. Silvia Giampaolo

News archive

 

Firm news

giu23

23/06/2025

Cyberbullismo

Pubblicata in Gazzetta Ufficiale la Legge 17/05/2024, n. 70,Disposizioni e delega al Governo in materia di prevenzione e contrasto del bullismo e del cyberbullismo (Pubblicata nella Gazz. Uff. 30 maggio

giu23

23/06/2025

L'estate e la tutela degli animali

Pubblicata in Gazzetta Ufficiale la legge 82/2025 recante Modifiche al codice penale, al codice di procedura penale e altre disposizioni per l'integrazione e l'armonizzazione della disciplina in materia

giu23

23/06/2025

Disciplina del D.Lgs. 231/2001 e società di capitali unipersonali

Con ricorso alla Corte di Cassazione veniva impugnata lasentenza del 22/4/2024 della Corte d'Appello di Trieste, in riforma della sentenza del Tribunale di Gorizia del 13/4/2022, denunciando inter alia

Lawyer News

lug9

09/07/2025

Decreto Sicurezza: c’è il rischio di incostituzionalità

Per l’Ufficio del Massimario della Cassazione

lug9

09/07/2025

Danni da amianto e i nodi da sciogliere sulla rilevanza del tabagismo

L'ingente abuso tabagico da parte del lavoratore

lug9

09/07/2025

Responsabilità Civile Autoveicoli: in Italia le polizze più care

I dati nella Relazione Annuale dell'Istituto