The Article 29 Working Party (“WP29”) recently published an opinion on data processing at work (“Opinion”).
The Opinion restates the position and conclusions in WP29’s 2001 Opinion on processing personal data in the employment context (WP48), and its 2002 WP55 Working Document on the surveillance of electronic communications in the workplace. However, it addresses the need for a new assessment of the balance between legitimate interests of employers and the reasonable privacy expectations of employees, because of risks posed by advancements in modern technologies since the other documents were published.
The Opinion is primarily concerned with the Data Protection Directive 95/46/EC (“DPD”), so employers should continue to take account of the fundamental principles of the DPD when processing personal data in an employment context. Technological developments and new methods of processing have not changed this position.
The Opinion also looks towards the “new” obligations placed on all controllers, including employers, under the General Data Protection Regulation 2016/679 (“GDPR”) – including data protection by design, the need to carry out Data Protection Impact Assessments for high-risk processing, and any specific national rules that are introduced pursuant to Article 88 relating to processing employees’ personal data.
WP29 has considered various scenarios in the Opinion which describe how certain technologies might be used to process personal data in the workplace, and the points that employers should consider. Some of these include:
Continue Reading Article 29 Working Party releases detailed opinion on data processing in the workplace