Employers are concerned to protect the company’s assets, premises, clients, trade secrets, as well as the employees. For this reason, employers usually implement various security measures like badge access systems, CCTV monitoring systems in the workplace, Data Loss Prevention or other systems of monitoring the devices used by employees, GPS, drug and alcohol testing policies.
Both company security and employee safety usually represent a priority for the employer, and employee privacy should be on the front burner as well. Employers must have a clear overview and understanding of the appropriate actions it must undertake to comply with data protection rules and protect the employee’s right to privacy.
What should employers do in order to keep the balance between security measures and employee privacy? Is it necessary to compromise one in favor of the other or can employers have both by striking a balance based on moderation and correct actions?
Before implementing any security measure that may affect the employees’ privacy, companies should first analyze the need for the intended security measures; the legal grounds for personal data processing activities involved and whether it is likely to affect the employees’ rights and freedoms. While the law may require certain security measures, the employers’ legitimate interests could determine others. When the employer relies upon its legitimate interests, a prior assessment must be carried out pursuant to the European Union’s General Data Protection Regulation (‘GDPR’), the guidelines issued by Working Party Art. 29 and other recommendations released by data protection authorities.
Once the need for security measures (including personal data processing activities involved), is assessed, the employer must analyze, inter alia the employees’ expectations, whether and how the security measures will affect them and must provide the employees with information on the processing activities and their rights, especially on the right to object.
The employer will also determine if it is necessary to conduct a Data Protection Impact Assessment (‘DPIA’) for the processing activities. Where certain types of processing activities carried out following the security measures are likely to result in a high risk to the employees’ rights and freedoms, especially when using new technologies, the employer shall undertake an assessment of the impact of the envisaged processing activities.
Working Party Art. 29’s guidelines on DPIA included employees in the category of vulnerable data subjects. Both Working Party Art. 29’s guidelines and Romanian data protection authority’s decision on the list of processing operations which are subject to the requirement for a data protection impact assessment listed systematic monitoring of employees as a process that may trigger a DPIA. For example, CCTV, monitoring of the workstations and internet activity is usually an instance of systematic, rather than occasional monitoring.
Employers shall inform the employees on the security measures implemented and on how their personal data is processed. They should also set clear and comprehensive procedures defining the security measures and details on personal data processing (e.g., HR and IT procedures) that should also be provided to the employees.
National Law No. 190/2018 on the application of GDPR sets additional requirements for monitoring employees in the workplace based on the employer’s legitimate interests. The most sensitive of these requirements are that the employer must justify that less intrusive measures were not effective and that the employer shall consult the labor union or employees’ representatives before introducing the monitoring systems.
The Romanian data protection authority decided in a specific case that using biometric data of the employees (fingerprints) for access on the company’s premises is excessive since for the same purposes the employer has the possibility to implement less intrusive measures, such as the badge access systems. The employer must justify and prove the necessity of a security measure on a case-by-case basis.
Some employers set through their policies as a security measure the possibility to administer drug or alcohol tests to employees. There are additional actions the employer should consider in this case – e.g., whether these measures involve special categories of personal data and if one of the safeguards provided by Art. 9 of GDPR applies.
The European Court of Human Rights (‘ECHR’) assessed this measure in several cases and decided that there was no violation of the right to privacy where drug or alcohol tests were administered to employees. ECHR held that, inter alia, the employer has the right to control and manage work, such tests being set by the internal policies which were communicated to the employees.
A fair balance shall be struck between company security and employee privacy even if there are actions which employers will undertake before implementing control or security measures.