The widespread development of remote and hybrid working during the pandemic has led organisations to increase their use of new technology to closely monitor the daily tasks and activities of their employees. Monitoring of employees, especially using technology, presents significant regulatory challenges across the EU (and in the UK). Compliance and legal officers not only have to navigate a complex regulatory framework under both EU and national law, but also to work closely with IT and operational stakeholders to ensure that the implementation of monitoring tools and measures within their organisation complies with applicable rules.
The risk of regulatory scrutiny should not be under-estimated. The French Data Protection Authority, the CNIL, named IT monitoring in the context of remote working as one of its top three priority areas in 2022.
The regulatory challenges faced by organisations in the context of monitoring and surveillance of employees is not just an issue for large businesses with sophisticated IT. The same regulatory constraints exist for small companies with very basic surveillance measures. In its 2021 annual report, the CNIL details that 83% of the complaints received for abusive monitoring of employees are related to CCTV devices within SME companies that do not always have a legal department or Data Protection Officer.
If the range of employee monitoring methods adopted by organisations is broad, the main principles followed by authorities and courts to assess compliance are generally consistent. Transparency and purpose limitation are two core principles of the GDPR which are particularly important in the context of surveillance and monitoring of employees.
Employee monitoring and transparency
In accordance with article 5(a) of the GDPR, any data processing shall be processed lawfully, fairly and in a transparent manner in relation to the data subjects. In the context of monitoring and surveillance of employees, this transparency principle is key to achieving compliance. Employers must ensure employees are adequately informed before the actual implementation of the surveillance tool or measure. This may sound straightforward, but transparency requirements are likely to be supplemented by additional regulations and require a number of steps to be properly carried out before communication with employees can take place.
To be in a position to provide relevant information to employees, organisations need to implement privacy by design. They will almost certainly need to complete a Data Protection Impact Assessment. Even if a DPIA is not strictly necessary under the particular circumstances, it will be good practice to do one – monitoring, profiling and the use of innovative technologies are all elements which regulators consider could give rise to a high risk to individuals. This means that the more invasive the technology and/or surveillance measure, the more complex the project will be.
In addition to the GDPR, employers may also need to navigate national employment legislation requirements. In many Member States, this creates additional transparency steps. The French Labor Law Code, for example, prohibits the collection of any personal data from an employee through a device without prior notification and also requires consultation with the Works Council before any introduction of new surveillance technologies. In Germany, the Works Council not only has to be informed in advance but also has a right of co-determination with the employer in the context of any technical surveillance measures monitoring the behavior and performance of employees. In the Netherlands, the prior consent of the Works Council is also required for arrangements related to the tracking or monitoring of employees.
Employee monitoring and purpose limitation
In accordance with article 5(b) of the GDPR, any data may be processed subject to specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This purpose limitation principle should not be taken lightly by employers using surveillance technologies to monitor their employees as different processing purposes can arise from the same monitoring tool, including the security of premises, security of IT systems, management of IT tools, and employee performance checks. Each purpose carries different accountability and compliance requirements under the GDPR which need to be taken into consideration by the employer before implementation.
The importance of purpose limitation can be seen in a recent judgment handed down by the Irish Court of Appeal in May 2022, around the unlawful use of security CCTV footage to monitor employees (albeit one based on pre-GDPR legislation). The CCTV device had been installed by an Irish Hospice in an employee team room for security purposes but revealed numerous unauthorised breaks by an employee, triggering disciplinary proceedings. When the data subject complained to the Irish Data Protection Commissioner, the complaint was rejected on the basis that the images were not processed beyond the original security purposes. The hospice argued that the evidence used to bring proceedings against the employee was based on key fob records. The Irish regulator's view was upheld by the Circuit Court but both the High Court and the Court of Appeal found that the CCTV images were used for a purpose other than one compatible with the original specified purpose. The employee had not been notified that the CCTV could be used for disciplinary proceedings and ought not to have reasonably expected such use.
Getting it right from the start
Transparency and purpose limitation are just two of the elements employers need to consider when using CCTV footage, geolocation, or other advanced software monitoring tools. They may well provide employers with valuable information on the performance and behavior of employees but getting compliance wrong will limit their use and may also expose the organisation to sanctions, including administrative and criminal fines, not to mention reputational damage. Misuse of data collected by monitoring devices may also create significant challenges with Works Councils and other employee representative bodies.
For obvious reasons, monitoring and surveillance of employees is highly sensitive. Employers need to consider whether, why and to what extent they need to do it, and then plan carefully to ensure compliance with a complex regulatory framework spanning both data privacy and employment law.
