When does employee monitoring necessitate a Data Protection Impact Assessment (DPIA) under Article 35 of the GDPR?

Date: Aug 21, 2024 | Compliance, Employees

An employer that uses certain forms of employee monitoring, particularly those based on new technologies, must consider the obligations that come with ensuring the security of personal data processing.

It is essential to recognize that additional obligations may arise, including the often challenging requirement to conduct a Data Protection Impact Assessment (DPIA). Although the European Parliament has described DPIAs as the “essential core of any sustainable data protection plan,” many data controllers still face difficulties in performing them.

Furthermore, monitoring within the meaning of the Labor Code may only be applied in specific circumstances.


Below are several factors to consider when deciding to implement monitoring within an organization, such as GPS vehicle tracking or email monitoring.

  1. Employee monitoring may only be implemented when it serves one of the purposes specified in Article 22(3) § 1 of the Labor Code, which includes ensuring the organization of work that enables full utilization of working time and the proper use of work tools provided to the employee.
  2. This requirement applies to email monitoring, but under Article 22(3) § 4 of the Labor Code, the provision should be applied analogously to other forms of employee monitoring, such as GPS vehicle tracking used by employees or monitoring phone calls made using company phones.
  3. The Labor Code stipulates that employee monitoring is implemented to “ensure the organization of work” and the “proper use of work tools provided to the employee.” This means that if the purpose is different, for example conducting non-work-related analyses on anonymized personal data, or where processing employee data is not the primary goal (e.g., ensuring high-quality customer service, monitoring routes using GPS, analyzing data, or optimizing costs), that form of monitoring may not need to meet the stringent requirements of the Labor Code. The obligations of an employer introducing a specific form of monitoring include informing employees about its introduction (e.g., email monitoring) in a manner accepted by the employer, no later than two weeks before its implementation, and preparing the applicable information clauses.
  4. Any data collected in connection with monitoring employee activities may constitute personal data. Can the employer store and analyze this data? Yes, but only if the obligations set out in the Labor Code are fulfilled. The employer may take steps to ensure that employees’ data is not processed (analyzed and stored) beyond what is necessary, for example where the purpose is limited to ensuring proper customer service procedures or determining the vehicle’s location in the event of theft.
  5. When an employer obtains certain data from monitoring employees, it should be noted that the implementation of a specific form of employee monitoring (other than video surveillance systems, where the footage is recorded and used only when analyzing legal violations) often results in the obligation to perform a DPIA. This requirement is clearly stated in the Communication of the President of the Personal Data Protection Office (UODO) dated June 17, 2019, concerning the list of types of personal data processing operations that require a DPIA.
  6. The aforementioned Communication from the President of UODO identifies potential areas where circumstances requiring a DPIA may arise, such as workplaces (monitoring of email systems, software used, access cards, etc.), and circumstances that may pose a high risk to specific types of processing operations, such as vehicle monitoring systems that connect with the environment, including other vehicles.
  7. As a result, an employer, based on a pre-assessment of the process in which monitoring is implemented, should conduct an additional analysis (separate from, and subsequent to, the standard risk analysis that precedes the implementation of any processing activity within the organization), which should include at least:
    • A systematic description of the planned processing operations and purposes of the processing, including, where applicable, the legitimate interests pursued by the controller;
    • An assessment of whether the processing operations are necessary and proportionate to the purposes;
    • An assessment of the risks to the rights and freedoms of data subjects; and
    • Measures planned to mitigate the risks, including safeguards and security measures to ensure the protection of personal data and demonstrate compliance with the GDPR, considering the rights and legitimate interests of the data subjects and other affected persons.
  8. Regarding monitoring, it is also important to remember that the GDPR provides that, where appropriate, the controller consults the data subjects or their representatives about the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.
  9. Carrying out the above actions and preparing the necessary documents (the DPIA should be documented in line with the accountability principle of Article 5(2) of the GDPR) will ensure that specific forms of monitoring are properly implemented in an organization employing workers, in accordance with the requirements of the Labor Code, the GDPR, and the aforementioned Communication from the President of UODO.