Legal For

LAW FIRM

 


ARTICLE 6 lit. f – MONITORING INTERNET AND EMAIL USE AT THE WORKPLACE. LIMITS TO BE OBSERVED BY EMPLOYERS


Without losing sight of the recommendations of WP29 set out in Opinion No. 2/2017 on the processing of personal data in the workplace, the practical question frequently arises as to how employers may monitor and supervise employees’ use of the internet and email.

In this regard, it must be emphasised that employees are recognised as having a right to privacy even during working hours. Even if they are carrying out an activity for the benefit of a controller during a given time period, this does not mean that all of their actions can be monitored by the employing company. Therefore, the mere fact that monitoring employees’ electronic communications is useful to the employer cannot be a sufficient ground to permit such an intrusion into the private lives of its employees. Well-known case law [1] confirms this assertion. As an illustrative consequence, it is worth noting that the EDPB considers unjustified the installation of cameras in the cab of trucks or in offices, the installation of GPS systems in company vehicles that do not allow monitoring to be interrupted, etc.

Furthermore, the aforementioned right must be respected regardless of whether employees carry out their activities online or offline, as neither the Regulation nor European case law provides for any distinction in this respect.

In this context, it is therefore necessary that before installing measures to monitor and supervise employees’ electronic communications in the workplace, the employer carries out an assessment to find a balance between the employees’ recognised right to privacy and the employer’s right to manage its business and to protect itself against employees’ actions that may negatively affect its legitimate interests (such as breach of confidentiality obligations or the installation of computer viruses in the company’s IT system). This assessment shall determine the following aspects:

  1. Ensuring transparency for employees regarding the manner in which monitoring will take place

It is mandatory to provide employees with prior information about the monitoring, specifically regarding:

  • the fact that monitoring will take place
  • the purpose pursued by the employer and the applicable legal basis

Using employee consent as the legal basis for monitoring their electronic communications is not a recommended practice, due to the imbalance of power between the parties and the resulting difficulties in ensuring that consent is freely given.

Therefore, the legal basis best suited for such data processing is the legitimate interest pursued by the employer.

  • the data being processed

Efforts should be made to process only the personal data that is strictly necessary. Monitoring specifically targeted at special category personal data is not a practice encouraged by the EDPB;

  • which equipment is monitored and which is not — the latter being available for personal communications as well

A complete prohibition on internet access throughout the entire working day may be impractical, since for the vast majority of work activities, access to information available online is necessary. Alternatives such as prohibiting the use of professional email for personal matters, blocking access to certain websites, or installing software to block access to the employer’s database from devices other than company devices are preferred, as they are less restrictive.

  • the manner in which monitoring results will be interpreted

Evaluating employees solely on the basis of monitoring results is not considered good corporate practice;

  • the hours during which monitoring takes place

Continuous and automatic surveillance is rarely justified. Equally, monitoring employees’ activities outside their normal working hours should be avoided entirely or limited to specific, well-founded situations;

  • the duration for which data is retained

The EDPB’s recommendation for the retention period of employees’ emails is a maximum of 3 months following the termination of the employment relationship. In this context, to reduce the risk of subsequent communication issues with clients or colleagues who were accustomed to addressing a former employee, companies may include in their internal policies and company practices the obligation to copy the direct line manager in Cc on all communications;

  • the persons who will be able to access the monitoring results
  • the manner in which improper use of the equipment involved will be flagged (for example, through pop-ups or immediately visible alerts that allow urgent action to be taken)
  • employees’ rights with regard to such monitoring
  • the security measures adopted by the employer.

Without diminishing the importance of the above, it must be emphasised that informing employees about such processing of their personal data does not constitute a sufficient condition (but merely a necessary one) for the lawfulness of monitoring, since, as stated above, employees are permanently entitled to the presumption of respect for their right to privacy (including in the context of employment relationships), as well as the fundamental right to confidentiality of correspondence [2], even if that correspondence takes place on the employer’s equipment.

  2. The absolute necessity of employee monitoring in order to achieve the intended purpose, or whether less intrusive means of data processing would be sufficient
  3. The fairness of monitoring in relation to the principle of equity regulated by the Regulation
  4. The proportionality of monitoring in relation to the purpose pursued by the controller

Finally, it should be noted that consulting employee representatives prior to implementing measures to monitor employees’ electronic communications is not only mandatory under the Regulation but also extremely useful for controllers, as it would allow for a much easier assessment of the impact.

1. Reference is made to Niemietz v. Germany 13710/88, Halford v. United Kingdom, Copland v. United Kingdom and Bărbulescu v. Romania
2. Right provided for in Article 8 of the European Convention on Human Rights and analysed extensively in the Guide of the European Court of Human Rights of 31.12.2018