GDPR Fundamentals: Is It a Problem for Employers?
Photo by Glenn Carstens-Peters
Originally Posted On: https://www.workexaminer.com/blog/gdpr-fundamentals.html
The GDPR implementation in May of 2018 made many employers reevaluate and bring in some alternations to their policy of employee monitoring. For many corporate leaders, it is specifically important to keep track of employee software in order to improve the quality of work, develop new business strategies or prevent fraud and information leak. The adoption of the General Protection Data Regulation actually set certain limitations on personal data monitoring. However, it cannot be considered a problem for employers if they meet all the necessary requirements.
What Should You Know about GDPR?
The GDPR that is short for the General Data Protection Regulation is a document specifying conditions of collecting personal information of people inside the EU, even if they are not its citizens. It means that all people on the territory of the European Union are protected from illegal collecting their personal data by employers or any other people. However, such an explanation leads to two questions arising: what information is considered to be personal and in which cases its collecting becomes illegal.
According to the GDPR, any information can be personal in case it can help identify a certain person. The most apparent examples include a phone number, name and surname, address, passport data, card number, logins and passwords of social media profiles, etc. It is clear that it is impossible to hire people without asking them at least some basic data. In a strict sense, personal data can also include Internet activity, video or audio monitoring records. But this backstory can tell a lot about a person as an employee and help improve productivity in a company.
When Can an Employer Monitor Your Personal Data?
According to Employee Monitoring Practical Note, it is possible to collect some information about workers only if there are serious reasons related exclusively to the employment process. It means that personal data can be collected with the following purposes:
- Hiring somebody for a certain position;
- Signing some agreements or contracts;
- Terminating a contract.
From another point of view, personal data can be collected if a person is suspected of committing a crime. But it should be mentioned that it is illegal if done without documented reasons proving that it can really help investigate a certain crime. In addition, monitoring of data can be necessary for the protection of an employer’s legitimate interests, but it should not overweigh the interests and rights of an employee.
What Obligations Does an Employer Have?
The GDPR does not raise special difficulties for employers. But there are certain rules which they have to follow. In general, employers are obliged to receive their employees’ permission for data monitoring. However, if an employer allows using communications systems for personal purposes, it is not compulsory to ask for permission. Employees, in this case, can object to monitoring their data but they will not have access to communications systems.
According to the GDPR, employers should inform their workers about collecting, processing and storing their personal information. It is necessary to primarily clarify what data will be monitored. Understanding the purpose of information collecting is no less important for employees. In most cases, a well-timed and detailed explanation of purposes and reasons declines the level of strong human dissatisfaction and flat rejections.
Another employer’s obligation is to inform employees about a regulatory framework on the base of which he or she acts. They can share Employee Monitoring Practical Note, GDPR, various laws related to this issue and demonstrate that they meet all the requirements and do not infringe on their staff’s rights. However, it is always compulsory to give employees the right to choose. They have a legal ability to reject having their personal data monitored.
The GDPR obligates employers to make specific notices for employees with the following information:
- Contact data of an employer;
- Contacts of a data protection officer, if such a position is represented in the company;
- The aim of personal information collection;
- The regulatory basis;
- The type of information which will be collected;
- Explanation of who will receive these data;
- Period of data storage;
- Possible consequences in case of employee’s refusal.
What Rights Does an Employee Have?
The GDPR has been developed specifically to protect the rights of people to have personal information. As a result, all individuals are eligible:
- To be initially informed about personal data collection;
- To reject data monitoring while being aware of possible consequences;
- To limit their personal data processing;
- To have access to the collected data;
- To demand data deletion or rectification.
According to Articles 13 and 14 of the GDPR, an employee has the right to control data portability. It means that personal information cannot be processed by or transmitted to other recipients without employee’s permission. In addition, all workers are entitled to the withdrawal of their consent to personal data collection at any moment.
If an employer is breaking the legislation or rules of the GDPR, an employee has a right to make an official complaint to local authorities. For instance, it is allowable to appeal to data protection authorities if an employer monitors, processes, stores or transmits your personal information without your permission.
How Can Employees Be Monitored?
Employers can use several ways of collecting necessary information about their employees. First of all, some data are required in the process of hiring, including a phone number, scans of passport and ID code, medical clearance if necessary, etc. These data can be saved during all the time a person works for that company. In most cases, there are no objections concerning collecting such information because, otherwise, it would be impossible to hire someone on a legal basis.
However, employees can speak out against checking their own devices or CCTV monitoring during a working day. As far as these aspects are concerned, the GDPR also contains certain rules and limitations.
It is allowable to monitor employees’ devices only if this corresponds to the requirements of using communications systems and devices owned by employers. In addition, it is possible to make an agreement between an employer and employees about implementing a BYOD program that is short for Bring Your Own Device. This program permits monitoring of employees’ devices since they are used for working purposes. But it should be clearly identified what information can be monitored in order to avoid collecting private messages or recording calls that are not connected with work.
CCTV monitoring is a widely used way of collecting employees’ personal information. It is possible to set a video surveillance system in public areas in order to maintain general order on the territory of the company, prevent possible crimes or improve the performance of employees. But the main rule is to inform employees about CCTV monitoring. This process can be covert only in case of investigating some crimes. In addition, it is prohibited to set cameras in rest rooms, changing rooms or other private locations.
Employers are also obliged to mark a zone of CCTV monitoring by special signs which contain:
- A clear and noticeable message about using cameras on the territory;
- A purpose of CCTV monitoring;
- Contact information of an employer;
- Contact information of a data protection officer;
- Regulatory basis;
- The period of camera records storage.
It is prohibited to monitor any actions of employees in their free time, especially if they are at home. Such conduct of an employer can be justified only in rare cases when his or her interests do not overweigh the private interests of employees. For instance, an employer can check a JPS tracker in order to make sure that a worker does not use a company car for personal purposes.
What Penalty Can an Employer Get for GDPR Violation?
According to Article 83 of the GDPR, an employer can obtain an administrative punishment in the form of a fine in case of certain violations. In general, this fine can reach the sum of €20,000, which can lead to considerable material losses for many companies. Furthermore, the processing of information that has not been in general access without permission of its owner or carrier can be considered as a criminal offense and result in up to two years of imprisonment.
In addition, a person can be sentenced up to five years in case of illegal monitoring, processing or using information taken from private dialogs or phone calls since it violates the secrecy of communication. It is also considered to be a criminal offense in case an employer sets a system of CCTV monitoring in private zones such as changing or rest rooms. In this case, he or she can be sentenced up to two years.
So, GDPR contains a large number of different rules and limitations related to the protection of personal information. Respectable employers have no problems with meeting all the necessary requirements because they take care of their reputation. All the rules are based on the principle of transparency and mutual respect. It means that employers should inform workers about all possible types of data collecting, processing and storing before starting the cooperation. Monitoring can take place only if an employee agrees with its conditions. In case of any violations, an employer will be forced to undergo some penalties and sanctions.