Many activities performed routinely in an HR context entail the processing of personal data of employees. Such processing starts in the recruitment process (background screening, etc.) and continues throughout the employment relationship (payroll and tax information, performance and evaluation assessment, absenteeism/annual leave records, records related to training, disciplinary matters, surveillance of electronic communications, CCTV, etc.).
The Article 29 Working Party (WP29) has already issued opinions on data processing at work in the past. With its new Opinion 2/2017 it wanted to address specific challenges that arise from the development of new technologies in HR (see http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083: under Letters, Opinions and other documents). Such development often enables more systematic processing of employees’ personal data and implies more intrusive and pervasive ways of monitoring. Further, the guidance takes into account the changing nature of work: work is, for example, often performed remotely rather than on company premises, cloud solutions are used for HR data, and HR processes are being digitalised.
The WP 29 gives some examples of what it considers to be a new technology in HR context:
- monitoring profiles on social media in recruitment process;
- security applications that involve logging employee access to the employer’s systems;
- office applications in the cloud including very detailed logging of employee’s activities;
- monitoring of personal devices (e.g. BYOD), more specifically when working remotely or while travelling for business purposes. In such situations the monitoring takes place outside the physical workplace and can potentially include monitoring of the individual in a private context;
- use of health devices;
- use of facial recognition devices;
- …
Most of the guidance of the WP 29 is familiar, but it is interesting to note that the WP 29 makes reference to some new aspects of the GDPR:
- Irrespective of the technology used, the employer should always verify whether this processing is (a) necessary and based on a legal ground, (b) proportionate, (c) transparent and (d) fair to the employees;
- Employers should not, and in most cases cannot, rely on the employee’s consent to process personal data. Legal grounds for processing employees’ data in new technologies are, for example, the performance of the employment agreement (salary payment), a legal obligation (payroll and tax information, medical records for health and safety requirements) and the employer’s legitimate interest (assessing performance of employees, surveillance of e-mail);
- Processing must be strictly necessary for a legitimate purpose;
- A proportionality test should be conducted prior to the deployment of the monitoring tool to assess how the processing of data can be minimized (privacy by design): the most privacy-friendly solution must be selected;
- Employers should understand their systems, so that employees are clearly and duly informed about processing/monitoring prior to its start and about their data protection rights. Policies on monitoring must be clear and readily accessible. The WP 29 recommends involving a representative sample of employees in the creation and evaluation of such rules and policies;
- Some employee matters might trigger data protection impact assessments.
The WP 29 adds that new technologies make it necessary to carry out a fresh assessment of the balance between the legitimate interest of the employer and the reasonable privacy expectations of the employees. The opinion lists several of the abovementioned new technologies and gives practical examples of how this balancing assessment should be done. It is therefore a useful source when preparing your company to become GDPR compliant.