Do we have a right to privacy, and can we enjoy it as a right over our personal data while we are at the workplace? This is the fundamental question this post deals with, from the perspective of the General Data Protection Regulation, also known as the GDPR.
This leads to the next important question: what comes under the ambit of ‘personal data’? The simple answer is that personal data includes all the sensitive categories of data that relate to an identifiable natural person. The following are some examples of personal data-
Monitoring employees is nothing new for businesses and organizations; the concept of workplace surveillance is decades old. To understand and analyze this question, it is important to first understand the employee-employer relationship. It is an undisputed fact that there will always be an imbalance of power between the two, which is why consent cannot be a reliable ground for claiming that such monitoring was genuine or not arbitrary.
Since we live in the age of digitalization, we need to understand that whatever we do, professionally or in our private sphere, we leave digital footprints on the internet. This means we can easily be traced by anyone, and because our data is scattered everywhere on the internet, we are also opening doors to potential scammers and related risks. That is also why ‘data’ is the new gold, or the new fuel, for today’s businesses and organizations.
Employees can easily be monitored through CCTV, software and, now, spyware. But what exactly constitutes ‘monitoring’? It can include monitoring an employee’s internet history, emails, financial transactions, call logs, and private chats with colleagues and/or with other people.
There is software and spyware on the market that allows people to achieve all of this in a split second. An employee might fall into the trap of being monitored by his/her employer in the name of the employment contract and its obligations.
Before the implementation of the GDPR in the European Union (“EU”), most monitoring was done on the basis of consent obtained from employees through contracts, policies and notifications, in order to bind the employees to such obligations.
If we try to understand the employer’s perspective, or justification, for monitoring employees, the reasons could include: foreseeing and avoiding fraudulent activities or irregular transactions; detecting potential risks arising from the leak of confidential data by an employee; and keeping track of employees, their working hours and how much time is spent on unproductive activities. These are a few of the reasons why employers might want to continue monitoring their employees.
But it is essential that such monitoring has a legal grounding and basis. Without it, imposing such obligations on employees and treating their data so casually would simply be arbitrary, especially since such processing activities can involve high risk. This may well have been the reality before the GDPR was implemented in 2018, when employers, as data controllers and/or processors, were free to decide what to do with the personal data of their employees, all in the name of contractual obligations or tracking of productive hours.
The question that arises from the above discussion is how much monitoring can be done and/or is necessary, since such monitoring can eventually become extreme. That would not only be a matter of privacy but would also bring in risks related to the data being processed, as data breaches and cyberattacks are quite common in this day and age. The question still remains: who will be liable in such scenarios? This question was answered after the adoption of the GDPR by the EU in 2018.
After May 25th, 2018, all organizations and businesses had no choice but to comply with the GDPR requirements. Coming back to the fundamental question: what is the status of the privacy rights of a data subject, or employee, in this scenario, post-GDPR implementation? Monitoring employees on the basis of their consent will not be considered valid, because, as discussed earlier, there will always be an imbalance of power between an employee and an employer. Claiming such consent as valid would not be appropriate: employees work under the control of their employer, so there is always a constant fear of losing the job.
It is, however, somewhat surprising that the GDPR does not expressly state that monitoring of employees by an organization is ‘illegal’. Instead, the GDPR mandates that the collection, processing and transfer of personal data be carried out in consonance and harmony with the 7 principles of the GDPR.
The GDPR further mandates, under Article 35, that for any type of data processing activity which involves a ‘high risk’ to the data subjects (employees, in this case), the controller (the employer, in this case) must conduct a Data Protection Impact Assessment (DPIA) prior to such processing.
It is essential to understand the 7 principles of the GDPR, along with how organizations and businesses can protect and ensure the privacy rights of their employees, in order to stay away from the hefty penalties that apply in case of any violation of the provisions of the GDPR.
After the implementation of the GDPR, organizations and businesses can no longer rely on implied consent to justify arbitrary and excessive monitoring. The GDPR invalidates such consent where there is an imbalance of power in a relationship.
Organizations and businesses now either will have to rely on-
The principles of the GDPR are as follows-
Let’s discuss these principles in accordance with the current issue-
Hence, it is clear that monitoring employees is not in itself illegal or unlawful if businesses sincerely comply with the GDPR requirements. Organizations and businesses in the private sector need to keep this in mind and must ensure that, if they monitor and process the personal data of their employees, they do so in accordance with the core principles of the GDPR as discussed above. Failing to do so can lead to fines of up to €20 million or 4% of their annual global turnover, whichever is higher.
Tsaaro Academy is a unique privacy certification training platform that strives to provide operational leadership, training, network and support in data privacy.