More and more employees are working remotely or from home. For many employers the question arises to what extent they are allowed to monitor their employees. In this article, we will show you under what conditions monitoring technologies can be used and which limits are set by data protection law.
Remote work: a challenge for employers
The COVID pandemic has profoundly changed the way we work. Following March 2020, many employers were forced to enable working from home for their employees. Remote work – previously only common among certain freelancers – became the norm for everyone. It has now become an integral part of many professions and will continue to be in the future.
To ensure data security and the productivity of employees, and to prevent misconduct when working outside the office, many employers began to use monitoring technologies. This raised concerns among employees about possible violations of their privacy. To protect the privacy rights of individuals, the General Data Protection Regulation (GDPR) sets strict limits on the use of monitoring technologies.
Legal requirements for employee monitoring under the GDPR
If you monitor remote working employees, this will in most cases involve the processing of their personal data. Any processing of personal data has to be compliant with the GDPR, and thus lawful, transparent and fair. Moreover, the data you collect must be collected for specified, explicit and legitimate purposes and data processing has to be limited to what is strictly necessary for the specified purposes. Your collection of employee data has to be minimized to what is strictly necessary to achieve the purpose of the monitoring, e.g., preventing specific kinds of misconduct.
Consent is not a suitable legal basis
For the monitoring to be lawful, you need to have a legal basis for the processing. Due to the imbalance of power between you as an employer and your employees, consent is often not an appropriate basis for the processing. According to Art. 4 (11) GDPR for consent to be valid, it has to be “freely given, specific and informed”. As the European Data Protection Board’s (EDPB) guidelines on consent
note (p. 9), it is unlikely that employees’ consent to their monitoring will be “freely given”. There is a certain degree of dependence of employees upon their employers. Therefore, there usually is a fear and/or real risk of detrimental effects if they refuse consent, thereby putting pressure on the employee to consent to the employer’s request.
In addition, it does not seem to be suitable to use employee consent as basis for the processing of data in the context of monitoring activities, as consent can be revoked at any time. If employees make use of this right the purpose of the monitoring as a control mechanism would be undermined.
Legitimate interest must be carefully weighed
Therefore, the processing will usually have to be based on the “legitimate interest” of your company. The legitimate interest pursued in most instances of monitoring would your company´s legitimate interest in the prevention of misconduct and the protection of data security.
Your company can only use legitimate interest as a basis for processing personal data, if your interest in monitoring the employees’ work outweighs the employees’ right to privacy. To assess this, you should undertake a legitimate interest assessment (LIA). This is not specifically required by the GDPR, however, an omission to do so may make it difficult for you to comply with the accountability principle. Generally, the more intrusive the monitoring is, the more difficult it will be to show that your interest in monitoring the employees prevails.
In cases where the processing activity is likely to result in a high risk to the rights and freedoms of individuals, the GDPR requires you to perform a Data Protection Impact Assessment (DPIA)
. This is always the case, if you systematically and extensively profile employees, if you use sensitive data on a large scale or if you engage in public monitoring. In the remaining cases, you must assess whether the processing activity involves a high risk. The WP29 set out some criteria
which can indicate that a processing activity is high risk. Generally, the more criteria are met, the more likely the processing activity is high risk. If at least two criteria apply, it is likely that a DPIA is necessary.
Transparency is essential
Another very important prerequisite for the use of monitoring technologies is transparency. Art. 13 and 14 GDPR contain information rights of data subjects (in this case your employees), which obligates you to inform them, amongst other things, about:
- The name and contact details of the data controller (and, if applicable, the contact details of a representative and/or data protection officer).
- The legal basis for, and a comprehensive description of, the purpose of the processing. In the context of monitoring activities this means, that you have to inform your employees that monitoring activities take place, the legal basis and purpose of the monitoring activities and how you carry them out. Secret monitoring is only lawful in exceptional circumstances.
- Your legitimate interest pursued, if legitimate interest forms the legal basis of the data processing. This is usually the case for monitoring activities by employers.
- The recipients or categories of recipients of the personal data.
- Whether a data transfer to third countries or international organisations outside of the EU or EEA will take place, in advance of such a transfer.
- The retention period for the employees’ personal data collected through monitoring activities. If this is not possible, detailed information on the criteria for determining this period has to be provided.
- The data subject rights under Art. 15-21 GDPR.
It is usually not sufficient to provide this information by merely changing your privacy notice. You must also specifically point out to your employees that such changes have taken place (e.g., through an e-mail including the updated privacy notice). Your privacy notices and policies should be updated regularly, and any changes regarding the monitoring activities should be included. Art. 12 (1) GDPR specifies that privacy information should be provided, “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”.
Minimising the legal risks for your company
Ultimately, to minimise the legal risks for your company when using monitoring technologies the following steps should be taken:
- You must ensure that any monitoring you perform is in compliance with the requirements of the GDPR, as explained above.
- In order to ensure this, we advise you to perform a DPIA before you deploy any employee-monitoring program. Even though, this might not always be required by law, an in depth assessment of the processing risks mitigates the risk of fines and reputational damage for your company.
- You must comply with the national data protection and employment laws of the countries you operate in. These are often stricter than the GDPR. Use our free data protection comparison to evaluate national deviations from the GDPR .
Last update: 2022-06-30