What do we need to consider if we use a third-party provider or an application provided by a third party to carry out monitoring?
Undertaking your UK GDPR obligations before proceeding with any monitoring reduces the chances of workers raising objections. Carrying out a DPIA helps you to do this, particularly the ‘consulting workers’ stage. You must complete a DPIA where monitoring creates a high risk to workers' data protection rights and freedoms.
You can also refuse to comply with an objection if it is:
• manifestly unfounded; or
• excessive.
Example
A worker repeatedly sends different requests to you on a regular basis with the stated intention to cause disruption. This may be manifestly unfounded.
In order to decide if a request is manifestly unfounded or excessive you must consider each request on a case-by-case basis. You should not have a blanket policy.
You must be able to demonstrate to the worker why you consider the request is manifestly unfounded or excessive and, if asked, explain your reasons to the ICO.
Further reading – ICO guidance
For more detail on what we mean by manifestly unfounded, see our core guidance on the right to object.
If your organisation uses a third party to monitor workers or to process the data from monitoring workers, then that third party also has obligations under the UK GDPR. If you are using such a provider, and you as the employer determine the purposes and the manner of the processing, then it is likely the provider will be considered a processor under the UK GDPR, with your organisation being the controller. If the processor determines any purposes for the information, they may also be considered a controller.
As controller, you are ultimately responsible for the compliance of your processors as well as your own compliance. You are responsible for assessing