IP - 07121-1/2020/196

From GDPRhub
IP - 07121-1/2020/196
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 6 GDPR
Article 58 GDPR
Type: Advisory Opinion
Outcome: n/a
Started:
Decided: n/a
Published: 14. 02. 2020
Fine: n/a
Parties: n/a
National Case Number/Name: 07121-1/2020/196
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): [[:Category:|]] [[Category:]]
Original Source: Informacijski pooblaščenec (in )
Initial Contributor: n/a

The Informacijski pooblaščenec, Information Commissioner of the Republic of Slovenia (IP), provided an opinion pursuant to Article 58 GDPR. The subject matter of the opinion regarded processing of personal data in an employment context.

English Summary

Content of the opinion

The IP starts by referring to Article 6 GDPR as the relevant legal bases for processing personal data. In relation to labor law, the IP highlights the different, sectorial regulations. The inherent power inequalities between employer and employee is highlighted as a reason for implementing more robust protections by the legislator. As such, reliance on consent or contract as a legal basis to process personal data may be problematic.

The IP highlights that the same rules in principle applies to employers in the private and public sector. As such, the processing of personal data by third parties may only be done if it is necessary for the exercise of rights and obligations arising from employment, or if it is in connection to the employment.

Furthermore, the IP stresses the principle of data minimisation, so that even if there is a relevant legal basis, the processed personal data must be relevant and limited to what is necessary for the purposes of the processing operation.

In relation to a specific question of whether the employer could have a legal basis to inspect the locker room of an employee without their presence or consent, the IP stresses that there is generally no legal basis for inspecting the locker room without the presence or consent of the employee. However, the IP highlights that the employer may be able to pre-identify and notify the employers in writing to explain under which exceptional cases such an inspection could take place, and under which strict conditions. A prerequisite of such a check should always be that the purpose for which the inspection is carried out cannot be attained by different and less interfering means.

Comment

Feel free to add your comment here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the ***LANGUAGE*** original. Please refer to the ***LANGUAGE*** original for more details.

Date: 02/14/2020 
Title: Employment of OP in employment relationship 
Number: 07121-1 / 2020/196 
Subject matter: Employment, Legal bases 
Legal act: Opinion 

The Information Commissioner (hereinafter: IP) has received your request for an opinion regarding the processing of data by the employer. 

On the basis of the information you have provided, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Directive 95/46 / EC (hereinafter: the General Data Protection Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette RS, No. 94/07-UPB1, hereinafter: ZVOP-1) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter: ZInfP), we provide our optional opinion regarding your question. 

IP initially points out that the opinion cannot assess the appropriateness of certain processing of personal data in terms of compliance with existing regulations. It may only carry out an assessment of suitability in the context of a specific inspection or other administrative procedure. 

IP generally makes clear that Article 6 of the General Data Protection Regulation sets out different legal bases for the legitimate processing of personal data. Processing is thus lawful only to the extent that one of the following conditions is fulfilled for the specific purpose of the processing and specific personal data: 

a) the data subject has consented to the processing of his or her personal data for one or more specified purposes; 
(b) processing is necessary for the performance of a contract to which the data subject is a contracting party or for the implementation of measures at the request of such individual before the conclusion of the contract; 
(c) processing is necessary to fulfill the legal obligation imposed on the controller; 
(d) processing is necessary to protect the vital interests of the data subject or other natural person; 
(e) processing is necessary for the performance of a task in the public interest or in the exercise of public authority conferred on the controller; 
(f) processing is necessary for the legitimate interests pursued by the controller or a third party, except where such interests are outweighed by the interests or fundamental rights and freedoms of the data subject, which requires the protection of personal data, in particular where the individual to which the personal data relate, the child. 

Although ZVOP-1 distinguishes between the public and private sectors, the field of labor law is specifically regulated for both sectors in specific laws, notably the Labor Relations Act (ZDR-1; Official Gazette RS, No. 21/13, 78/13 - ex. ., 47/15 - ZZSDT, 33/16 - PZ-F, 52/16, 15/17 - Decree US, 22/19 - ZPosS, 81/19) and the Labor and Social Security Records Act (ZEPDSV Official Gazette of the RS, No. 40/06). Due to the pronounced inequality of clients' power in employment relations, or to the protection of an employee who is certainly a weaker party vis-à-vis the employer, the legislator has made this area more rigorous, which, as a rule, does not allow the autonomy of clients in this field in the sense that the employer would may, without a legal basis, request from the worker any personal data or process it on another legal basis (eg consent, contract,…). Namely, an employee may reasonably expect a certain degree of privacy in the workplace, and in accordance with Article 46 of the ZDR-1, the employer must protect and respect the employee's personality and respect and protect the employee's privacy. 

As regards the processing of personal data of workers, in principle, the same rules apply to employers in the private and public sectors, with individual sectoral rules being relevant for determining the lawfulness of concrete processing. ZDR-1 stipulates in Article 48 that personal data of employees may be collected, processed, used and transmitted to third parties only if it is stipulated by this or another law or if it is necessary for the exercise of rights and obligations arising from employment or in regarding the employment relationship. Article 48 (3) further provides that the personal data of workers whose collection no longer has a legal basis shall be immediately deleted and ceased to be used. 

Pursuant to the provisions of ZDR-1, an employer may therefore process personal data of an employee only if he or she has a statutory basis for this or if it is necessary for the exercise of rights and obligations arising from employment or in connection with employment. The rights and obligations of both the employee and the employer are meant. The latter must therefore prove that the indication of the names of the custodian on the machinery and other inventory is necessary in order to exercise the rights and obligations arising from the employment relationship or in relation to the employment relationship. 

In making the assessment, the employer must always proceed from the principle of minimum data, which provides that, provided that there is a legal basis, the personal data being processed must be relevant, relevant and limited to what is necessary for the purposes for which they process. This principle implies that only as much personal data as is strictly necessary for the legitimate purpose of the processing should be processed. 

Regarding your second question, IP reiterates that the employee rightly expects some degree of privacy in the workplace. In general, the employer thus generally has no legal basis for inspecting the locker room without the presence or consent of the employee. However, the employer may pre-identify and notify in writing the employees in which exceptional cases and under what strict conditions and under what procedure they may exceptionally carry out such a review. Of course, such reasons must be taxing and exceptional, and in such cases it would be necessary to make a case-by-case assessment. It is also essential that the control or inspection of the locker is only permissible exceptionally when the purposes for which the check is carried out cannot be achieved in another, lenient manner, ie with less interference with the employee's privacy. 

IP concludes, therefore, that any processing of personal data must first be provided with an appropriate legal basis. The choice of the appropriate legal basis for individual processing is a matter of assessment of the specific circumstances, and the responsibility for the choice rests with the operator. 

With respect. 
Prepared: 
Matej Sironič, 
Counsel for the proxy 
for the protection of personal data 
Mojca Prelesnik, univ. dipl. right., 
Information Commissioner