
4.2. When and what monitoring activities are permissible?
Modern technologies enable employees to be tracked over time, across workplaces and their homes, through many different devices such as smartphones, desktops, tablets, vehicles, and wearables.255
Monitoring activities are forms of personal data processing that can occur during the recruitment process (e.g. if an employer checks data of prospective employees on social media), for the length of the contractual relationship (e.g. video surveillance, GPS on vehicles used by employees) and even after the end of the working relationship (e.g. if an employer monitors former employees’ LinkedIn profiles to ensure that they are not infringing a non-competition clause).256
In certain situations, the employer may be legally obliged to perform certain forms of tracking (e.g. install tracking technologies in vehicles to be sure that a driver does not exceed a certain number of driving hours per day).
In other cases, employers may have a legitimate interest in monitoring employees (e.g. for security reasons; for safety reasons; to prove unlawful conduct of an employee). However, monitoring employees poses risks from a fundamental rights perspective. Systematic or occasional monitoring can infringe upon the privacy rights of an employee, and limit the channels through which employees could inform employers about irregularities or illegal actions of superiors and/or colleagues that threaten to damage the business or workplace.257
255 Ibid. 256 Ibid. 257 Ibid.
EXAMPLE
An employer, who seeks to install a GPS in a company car to control the progress and circumstances of work of the employees, may invoke the legitimate interest as a legal basis.
However, the employer must first evaluate whether the data processing is necessary for the purposes designated, and whether its implementation by a GPS device is proportionate to the limitations imposed on the rights of the employees.
Employers must inform their employees of the installation of tracking devices in the company cars and must make clear that, while the employees use the vehicle, their movements are recorded.
The situation would be different if the employees were allowed to use company cars for private purposes, too. In this case, the employer could not invoke the legitimate interest because the implementation of a GPS device that would track a company car at all times would be disproportionate.
SUGGESTION
Whilst there are national differences concerning whether an employer can monitor their employees, the common traits are that:
» policies and rules concerning legitimate monitoring must be clear and readily accessible, ideally elaborated by the employer together with the representatives of the employees; and
» privacy-friendly organizational solutions have to be preferred to the monitoring of the employees. For example, an employer may opt for the introduction of filters upon websites accessible from the workplace rather than monitoring all the web activities of the employees. Consider what other options are available to achieve the same goal.
Annex I – National laws
The General Data Protection Regulation replaced the Data Protection Directive on 25 May 2018. While it harmonized data protection rules and became ‘directly applicable’ across the EU/EEA, some differences remain among national laws specifying data protection rules. For this reason, when adhering to data protection rules, national laws implementing the GDPR must be consulted. Below is an overview of such laws, prepared by VUB-LSTS.258
Member State National law implementing the GDPR Unofficial English Translation
Austria Bundesgesetz zum Schutz natürlicher Personen bei der Verarbeitung personenbezogener Daten (Datenschutzgesetz – DSG) StF: BGBl. I Nr. 165/1999 (NR: GP XX RV 1613 AB 2028 S. 179. BR: 5992 AB 6034 S. 657.) Federal Act concerning the Protection of Personal Data
258 The online version of this list can be found at https://lsts.research.vub.be/en/specifying-the-gdpr/.
Belgium Wet betreffende de bescherming van natuurlijke personen met betrekking van persoonsgegevens (Kaderwet), 30 juli 2018 Loi relative à la protection des personnes physiques à l’égard des traitements de données à caractère personnel (Loi cadre), 30 juillet 2018 68616 BELGISCH STAATSBLAD—05.09.2018— MONITEUR BELGE [C−2018/40581] Wet van 3 december 2017 tot oprichting van de Gegevensbeschermingsautoriteit - Loi du 3 décembre 2017 portant création de l’Autorité de protection des données. BELGISCH STAATSBLAD— 10.01.2018—MONITEUR BELGE 989 [C−2017/31916]
Bulgaria Закон за защита на личните данни В сила от 01.01.2002 г. Обн. ДВ. бр.1 от 4 Януари 2002г, изм. ДВ. бр.93 от 26 Ноември 2019г Act on the protection of natural persons with regard to the processing of personal data
Personal Data Protection Act
Croatia Zakon o Provedbi Opće Uredbe o Zaštiti Podataka. Izdanje: NN 42/2018 Broj dokumenta u izdanju: 805 ELI: /eli/ sluzbeni/2018/42/805
Cyprus Αριθμός 125(Ι) του 2018 ΝΟΜΟΣ ΠΟΥ ΠΡΟΝΟΕΙ ΓΙΑ ΤΗΝ ΠΡΟΣΤΑΣΙΑ ΤΩΝ ΦΥΣΙΚΩΝ ΠΡΟΣΩΠΩΝ ΕΝΑΝΤΙ ΤΗΣ ΕΠΕΞΕΡΓΑΣΙΑΣ ΤΩΝ ΔΕΔΟΜΕΝΩΝ ΠΡΟΣΩΠΙΚΟΥ ΧΑΡΑΚΤΗΡΑ ΚΑΙ ΓΙΑ ΤΗΝ ΕΛΕΥΘΕΡΗ ΚΥΚΛΟΦΟΡΙΑ ΤΩΝ ΔΕΔΟΜΕΝΩΝ ΑΥΤΩΝ ΕΠΙΣΗΜΗ ΕΦΗΜΕΡΙΔΑ ΤΗΣ ΚΥΠΡΙΑΚΗΣ ΔΗΜΟΚΡΑΤΙΑΣ ΠΑΡΑΡΤΗΜΑ ΠΡΩΤΟ ΝΟΜΟΘΕΣΙΑ - ΜΕΡΟΣ I Αριθμός 4670, Τρίτη, 31 Ιουλίου 2018, 827
Czech Republic Zákon č. 110/2019 Sb. Zákon ze dne 12. března 2019 o zpracování osobních údajů Částka 47/2019 Implementation Act Not available
Law providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data
Act of 12 March 2019 on personal data processing
Denmark LOV nr 502 af 23/05/2018 Lov om supplerende bestemmelser til forordning om beskyttelse af fysiske personer i forbindelse med behandling af personoplysninger og om fri udveksling af sådanne oplysninger (databeskyttelsesloven) Ressortministeriets journalnummer Justitsmin., j.nr. 2017-7910-0004
Estonia Isikuandmete kaitse seadus Avaldamismärge: RT I, 04.01.2019, 11
Finland Tietosuojalaki 1050/2018 Hallinnonala: Oikeusministeriö Voimaantulo: 01.01.2019
France Loi n° 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés Modifié par Ordonnance n°2018-1125 du 12 décembre 2018 JORF n°0288 du 13 décembre 2018 Data Protection Act
Personal Data Protection Act
Data Protection Act (1050/2018)
Act N°78-17 of 6 January 1978 on Information Technology, Data Files And Civil Liberties
Germany Zweites Gesetz zur Anpassung des Datenschutzrechts an die Verordnung (EU) 2016/679 und zur Umsetzung der Richtlinie (EU) 2016/680 (Zweites Datenschutz-Anpassungs- und Umsetzungsgesetz EU–2. DSAnpUG-EU) 1626 Bundesgesetzblatt Jahrgang 2019 Teil I Nr. 41, ausgegeben zu Bonn am 25. November 2019
Greece NOMOΣ ΥΠ’ ΑΡΙΘΜ. 4624 Τεύχος A’ 137/29.08.2019 Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα, μέτρα εφαρμογής του Κανονισμού (ΕΕ) 2016/679 του Ευρωπαϊκού Κοινοβουλίου και του Συμβουλίου της 27ης Απριλίου 2016 για την προστασία των φυσικών προσώπων έναντι της επεξεργασίας δεδομένων προσωπικού χαρακτήρα και ενσωμάτωση στην εθνική νομοθεσία της Οδηγίας (ΕΕ) 2016/680 του Ευρωπαϊκού Κοινοβουλίου και του Συμβουλίου της 27ης Απριλίου 2016 και άλλες διατάξεις Act to Adapt Data Protection Law to Regulation (EU) 2016/679 and to Implement Directive (EU) 2016/680
Hellenic Data Protection Authority (HDPA), measures for implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, and transposition of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016, and other provisions
Hungary 2011. évi CXII. Törvény az információs önrendelkezési jogról és az információszabadságró
Iceland Lög um persónuvernd og vinnslu persónuupplýsinga 2018 nr. 90 27. Júní Lagasafn. Íslensk lög 1. október 2020. Útgáfa 150c.
Ireland Number 7 of 2018 Data Protection Act 2018
Italy Codice in materia di protezione dei dati personali (d.lgs. 196/2003) modificato dal Decreto Legislativo 10 agosto 2018, n. 101, Dispozioni per l’adequamento della normativa nazionale alle dispozioni del regolamento (UE) 2016/679 del Parlamento europeo e del Consiglio, del 27 aprile 2016, relativo alla protezione delle persone fisiche con riguardo al trattamento dei dati personali, nonche’ alla libera circolazione di tali dati e che abroga la direttiva 95/46/CE (regolamento generale sulla protezione dei dati) G.U. 4 settembre 2018 n. 20 PERSONAL DATA PROTECTION CODE Containing provisions to adapt the national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
Act CXII of 2011 on the right to informational self-determination and on the freedom of information
Act no. 90/2018 on Data Protection and the Processing of Personal Data
n/a
Latvia Fizisko personu datu apstrādes likums (Publicēts: Latvijas Vēstnesis, 132, 04.07.2018. OP numurs: 2018/132.1)
Liechtenstein Datenschutzgesetz (DSG) vom 4. Oktober 2018 LGBl-Nr 2018.272 LR-Nr 235.1
Lithuania ASMENS DUOMENŲ TEISINĖS APSAUGOS ĮSTATYMO NR. I-1374 PAKEITIMO ĮSTATYMAS 2018 m. birželio 30 d. Nr. XIII-1426 Personal Data Processing Law
Data Protection Act of October 4, 2018
Law of Republic of Lithuania on Legal Protection of Personal Data (integrated Law Amending Personal Data Protection Law no. I-1374)
Luxembourg Loi du 1er août 2018 portant organisation de la Commission nationale pour la protection des données et mise en oeuvre du règlement (UE) 2016/679 du Parlement européen et du Conseil du 27 avril 2016 relatif à la protection des personnes physiques à l’égard du traitement des données à caractère personnel et à la libre circulation de ces données, et abrogeant la directive 95/46/CE (règlement général sur la protection des données), portant modification du Code du travail et de la loi modifiée du 25 mars 2015 fixant le régime des traitements et les conditions et modalités d’avancement des fonctionnaires de l’État MÉMORIAL A - N° 686 du 16 août 2018
Malta Chapter 586 Data Protection Act ACT XX of 2018 The Act of 1 August 2018 on the organisation of the National Data Protection Commission, implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), amending the Labour Code and the amended Act of 25 March 2015 stipulating the rules of remuneration and the terms and conditions for the promotion of State civil servants
n/a
Netherlands Uitvoeringswet Algemene verordening gegevensbescherming (UAVG) Wet van 16 mei 2018, houdende regels ter uitvoering van Verordening (EU) 2016/679 van het Europees Parlement en de Raad van 27 april 2016 betreffende de bescherming van natuurlijke personen in verband met de verwerking van persoonsgegevens en betreffende het vrije verkeer van die gegevens en tot intrekking van Richtlijn 95/46/EG (algemene verordening gegevensbescherming) (PbEU 2016, L 119) (Uitvoeringswet Algemene verordening gegevensbescherming)
Norway Lov om behandling av personopplysninger (personopplysningsloven) LOV-2018-06-15-38 General Data Protection Regulation Implementation Act
Not available
Poland Ustawa z 10 maja 2018 o ochronie danych osobowych Dziennik Ustaw 2019 r. Poz. 1781
Portugal Lei n.º 58/2019, de 8 de agosto que assegura a execução, na ordem jurídica nacional, do Regulamento (UE) 2016/679 do Parlamento e do Conselho, de 27 de abril de 2016, relativo à proteção das pessoas singulares no que diz respeito ao tratamento de dados pessoais e à livre circulação desses dados (RGPD) Diário da República, 1.ª série. No. 151 pag. 3 The Act of 10 May 2018 on the Protection of Personal Data
Not available
Romania LEGE nr. 190 din 18 iulie 2018 privind măsuri de punere în aplicare a Regulamentului (UE) 2016/679 al Parlamentului European şi al Consiliului din 27 aprilie 2016 privind protecţia persoanelor fizice în ceea ce priveşte prelucrarea datelor cu caracter personal şi privind libera circulaţie a acestor date şi de abrogare a Directivei 95/46/CE (Regulamentul general privind protecţia datelor) MONITORUL OFICIAL nr. 651 din 26 iulie 2018
Slovakia Zákon č. 18/2018 Z. z. o ochrane osobných údajov a o zmene a doplnení niektorých zákonov
Slovenia Zakon o varstvu osebnih podatkov (ZVOP-1) Uradni list RS, št. 94/07 - uradno prečiščeno besedilo Predlog novega Zakona o varstvu osebnih podatkov (ZVOP-2) – EVA: 2019-2030-0045 Law No. 190/2018 on implementing measures to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)
Act no. 18/2018 on personal data protection and amending and supplementing certain Acts
Personal Data Protection Act
Spain Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales BOE-A-2018-16673
Sweden Lag med kompletterande bestämmelser till EU:s dataskyddsförordning SFS 2018:218
United Kingdom (transition) Data Protection Act 2018 Ch. 12 Not available
Act containing supplementary provisions to the EU General Data Protection Regulation (SFS 2018:218)
n/a
About the editors
Lina Jasmontaitė-Zaniewicz is a doctoral candidate at the Vrije Universiteit Brussel. Her PhD research concerns primarily the data breach notification obligations foreseen in the General Data Protection Regulation. Lina is a Certified Information Privacy Professional (CIPP/E, IAPP). She has served as an advisor for European projects on regulatory and ethical questions concerning the use of personal data. After obtaining an LLM in Law and Technology (cum laude) at Tilburg University, she completed the traineeship program at the European Data Protection Supervisor. She worked as a legal intern in a Brussels-based European privacy and data security practice in 2013. She worked as a legal researcher at the Leuven University (CiTiP) in 2014-2016.
Alessandra Calvi is a doctoral candidate at the Vrije Universiteit Brussel (VUB). Alessandra holds an LLM in International and European law – Data law (summa cum laude) awarded by the Institute of European Studies of the VUB. After obtaining a law degree from the Università Cattolica del Sacro Cuore of Milan (2015), she completed a law clerkship at the Tribunal of Pavia, in the Labour law section (2016-2017). She also completed traineeships in a criminal law firm and at the European Data Protection Supervisor. Her research interests include the interrelationships between law and technology, in particular between data protection and the circular economy.
Renáta Nagy has been working at the Hungarian DPA (NAIH) since 2017. She has been responsible for the administrative management of the STAR II project, as well as for liaising between Hungarian SMEs and SME associations. She coordinated the operationalization of the SME hotline set up at NAIH’s premises, also being actively involved in replying to the enquiries received. She has delivered presentations about the SME hotline and the most common enquiries received during the awareness-raising and informational events for SMEs organized by NAIH in partnership with the Chambers of Commerce and Industry.
David Barnard-Wills has over a decade’s experience in research on privacy and data protection. He has designed and delivered GDPR training for multiple clients, and his research work has explored the way in which data protection authorities work together; how data protection can best be communicated to different audiences; cyber security; and practical ways to undertake privacy-by-design. He is a Senior Research Manager in the Policy, Ethics and Emerging Technologies team at Trilateral Research. David holds a PhD in Politics from the University of Nottingham and has previously been a Research Fellow at the University of Birmingham, Cranfield University, and the UK’s Parliamentary Office of Science and Technology.