Data processing at work

28 June 2017

On June 8, 2017, the Article 29 Working Party (“WP29”) adopted Opinion 2/2017 on data processing at work. The opinion makes a new assessment of the balance between the legitimate interests of employers and the reasonable privacy expectations of employees by outlining the risks posed by new technologies and undertaking a proportionality assessment of a number of scenarios in which they could be deployed.

WP29 conducted its analysis taking into account the current legal framework under Directive 95/46/EC (the Data Protection Directive or “DPD”) and the new Regulation 2016/679 (the General Data Protection Regulation or “GDPR”), which has already entered into force and which will become applicable on 25 May 2018. With regard to the proposed ePrivacy Regulation, the Working Party calls on European legislators to create a specific exception for interference with devices issued to employees (WP29, Opinion 01/2017 on the Proposed Regulation for the ePrivacy Regulation, WP 247, 04 April 2017).

Regarding the legal grounds analyzed, WP29 pointed out that employers must take note of the following:

- for the majority of such data processing at work, the legal basis cannot and should not be the consent of the employees (Art. 7(a)) due to the nature of the relationship between employer and employee;

- processing may be necessary for the performance of a contract (Art. 7(b)) in cases where the employer has to process personal data of the employee to meet any such obligations;

- it is quite common that employment law may impose legal obligations (Art. 7(c)) that necessitate the processing of personal data; in such cases the employee must be clearly and fully informed of such processing (unless an exception applies);

- should an employer seek to rely on legitimate interest (Art. 7(f)), the purpose of the processing must be legitimate; the chosen method or specific technology must be necessary, proportionate and implemented in the least intrusive manner possible, and the employer must be able to demonstrate that appropriate measures have been put in place to ensure a balance with the fundamental rights and freedoms of employees;

- the processing operations must also comply with the transparency requirements (Art. 10 and 11), and employees should be clearly and fully informed of the processing of their personal data, including the existence of any monitoring; and

- appropriate technical and organizational measures should be adopted to ensure security of the processing (Art. 17).

WP29 highlighted the importance of guaranteeing transparency regarding the processing of personal data by means of monitoring technologies.

In addition, WP29 pointed out that data processing at work must be a proportionate response to the risks faced by an employer. The information registered from the ongoing monitoring, as well as the information that is shown to the employer, should be minimized as much as possible. Employees should have the possibility to temporarily shut off location tracking, if justified by the circumstances. 

Finally, WP29 provided an analysis of the obligations that the GDPR introduces for all data controllers, including employers; these include requirements such as data protection by design and data protection impact assessments.

 

Avv. Silvia Giampaolo
