
Can organizations monitor employees under the GDPR?

Introduction

Do we have a right to privacy, particularly over our personal data, when we are at our workplace? This is the fundamental question this blog deals with, from the perspective of the General Data Protection Regulation, also known as the GDPR.

The next important question is what falls within the ambit of ‘personal data’. The simple answer is that personal data includes all the sensitive categories of data that relate to an identifiable natural person. The following are some examples of personal data:

  • Physical or mental health condition;
  • Sex life and sexual orientation;
  • Racial or ethnic origin;
  • Political opinions, religious beliefs;
  • Trade union membership;
  • Biometric data.

Monitoring employees is not a new concept for businesses and organizations; surveillance of the workplace is decades old. To analyze this question, it is important to first understand the employee-employer relationship. It is undisputed that there will always be an imbalance of power between the two, which is why consent cannot be a reliable ground for claiming that such monitoring is genuine and not arbitrary.

Since we live in the age of digitalization, anything we do, whether professionally or in our private sphere, leaves digital footprints on the internet. This means we can easily be traced by anyone, and it also opens the door to potential scammers and related risks, as our data is scattered across the internet. That is also why ‘data’ is the new gold, or fuel, for today’s businesses and organizations.

How is monitoring done on employees?

Monitoring of employees can be done easily through CCTV, software and, nowadays, spyware. But what exactly constitutes ‘monitoring’? It can include monitoring an employee’s internet history, emails, financial transactions, call logs, and private chats with colleagues and/or with other people.

There are software products and spyware on the market that let people achieve all of this in a split second. An employee might fall into such a trap of being monitored by his/her employer in the name of the employment contract and its obligations.

Pre-GDPR

Before the GDPR came into force in the European Union (“EU”), most monitoring was justified through consent obtained from employees via contracts, policies and notifications, in order to bind employees to such obligations.


Looking at the employer’s perspective, there are several justifications for monitoring employees: to foresee and avoid fraudulent activities and irregular transactions, to detect potential risks arising from the leak of confidential data by an employee, or to keep track of employees’ working hours and how much time is spent on unproductive activities. These are a few of the reasons why employers might want to continue monitoring their employees.


But it is essential that such monitoring has a legal grounding and basis. Without it, imposing such obligations on employees would simply be an arbitrary rule, and their data would be treated casually even though such processing activities may involve high risk. This was one possible reality before the GDPR was implemented in 2018, when employers, as data controllers and/or processors, were free to decide what happened to employees’ personal data, all in the name of contractual obligations or tracking of productive hours.


The question that arises from the above discussion is how much monitoring can be done and/or is necessary. Monitoring can become extreme, which is not only a matter of privacy but also brings potential risks to the data being processed, as data breaches and cyberattacks are quite common in this day and age. The question then becomes: who is liable in such scenarios? This question was answered after the adoption of the GDPR by the EU in 2018.

Monitoring of employees: Post-GDPR

After May 25th, 2018, all organizations and businesses had no choice but to comply with the GDPR requirements. Coming back to the fundamental question: what is the status of the privacy rights of a data subject, or employee, after the GDPR’s implementation? If employees are monitored on the basis of their consent, that consent won’t be considered valid, because, as discussed earlier, there will always be an imbalance of power between an employee and an employer. Claiming such consent as valid would not be appropriate, since employees work under the control of their employer and there is a constant fear of losing the job.

Perhaps surprisingly, the GDPR does not expressly declare the monitoring of employees by an organization ‘illegal’. Instead, the GDPR mandates that the collection, processing and transfer of personal data be carried out in harmony with the 7 principles of the GDPR.

The GDPR further mandates, under Article 35, that for any type of processing activity involving ‘high risk’ to the data subjects (employees in this case), the controller (the employer in this case) must conduct a Data Protection Impact Assessment (DPIA) prior to such processing.

It’s essential to understand the 7 principles of the GDPR, along with how organizations and businesses can protect and ensure the privacy rights of their employees, in order to avoid the hefty penalties imposed for any violation of the GDPR’s provisions.

Since the implementation of the GDPR, organizations and businesses can no longer rely on implied consent to justify arbitrary and excessive monitoring. The GDPR invalidates such consent where there is an imbalance of power in a relationship.

Organizations and businesses now have to rely on one of the following grounds:

  1. Legal requirement – where the processing of data is mandated in order to comply with some regulation.
  2. Legitimate interests – this means that private-sector businesses and organizations have a legitimate or genuine interest with respect to their employees’ data, provided that such processing does not harm the employees and respects their privacy rights. That is why the GDPR mandates that organizations conduct a DPIA in order to assess potential risks.

The principles of the GDPR are as follows:

  1. Transparency, fairness and lawfulness;
  2. Purpose limitation;
  3. Data minimization;
  4. Accuracy;
  5. Storage limitation;
  6. Security, integrity and confidentiality;
  7. Accountability.

Let’s discuss these principles in the context of the current issue:

  1. Transparency, fairness and lawfulness – Businesses and organizations need to be transparent and open if they are monitoring their employees. This can be done by giving notice to employees beforehand. Further, in order to satisfy fairness and lawfulness, organizations are required to state why they are collecting such data, how they will use it, and so on.
  2. Purpose limitation – According to this principle, if an organization processes the personal data of its employees, the activity needs to serve the legitimate interests of the organization and must be specifically and explicitly conveyed to employees without any confusion or vagueness. Organizations need to understand and state how their legitimate interest in monitoring employees protects not only the organization’s interests but also respects the employees’ rights guaranteed by the GDPR.
  3. Data minimization – According to this principle, organizations must minimize the amount of data being processed (in this case, by monitoring) and should focus on how to minimize the monitoring of their employees in order to avoid violating their privacy. Personal data collected through monitoring should be used only for the purpose for which the organization initially required it, thus minimizing excessive monitoring of employees.
  4. Accuracy – According to this principle, organizations and businesses need to maintain accurate personal data and ensure that old and outdated personal data is not retained. Further, the GDPR mandates that all incorrect personal data collected by the business must be either erased or rectified within a span of 30 days.
  5. Storage limitation – According to this principle, organizations and businesses involved in the processing of personal data, in the present case by monitoring their employees, must ensure that the personal data collected or processed is not retained after the intended purpose behind such processing has been fulfilled. Otherwise, it would not only defeat the purpose behind collecting the personal data, but would also defeat the principle of data minimization.
  6. Security, integrity and confidentiality – According to this principle, businesses and organizations involved in the processing of personal data need to ensure that they take all appropriate measures to safeguard the personal data of individuals. That is why the GDPR mandates that organizations conduct a DPIA whenever high risk is involved, so that businesses and/or organizations can foresee threats and take the necessary precautions to protect individuals’ personal data.
  7. Accountability – The final principle makes clear who needs to be accountable at all times. Organizations and businesses are accountable for any breach or other activity that leads to the compromise of individuals’ personal data. Businesses and other entities involved in the processing of personal data need to comply with the GDPR requirements, fulfill all seven core principles, and take all necessary measures to secure the personal data of individuals.

Conclusion

Hence, it is clear that monitoring of employees is not in itself illegal or unlawful, provided businesses sincerely comply with the GDPR requirements. Organizations and businesses in the private sector need to keep this in mind and must ensure that, if they monitor and process the personal data of their employees, they do so in accordance with the core principles of the GDPR discussed above. Failing to do so can lead to fines of up to 20 million or 4% of their annual global turnover, whichever is higher.
