IP - 07121-1/2020/519
|Relevant Law:|Article 13 GDPR; Article 49(1)(g) of the Data Protection Act (ZVOP-1); Article 2 of the Information Commissioner Act (ZInfP); Article 48 of the Labor Relations Act (ZDR-1)|
|National Case Number:|07121-1/2020/519|
|European Case Law Identifier:|n/a|
|Original Source:|IP (SI)|
The Slovenian DPA (IP) issued a non-binding opinion about employees' personal data that an employer can process during work from home. The IP emphasised that the principles of data minimisation and transparency must be respected as well as the information obligations according to Articles 13 and 14 GDPR.
An employee asked the IP to issue an opinion about the personal data that an employer is expected to collect from employees during the period that they work from home.
The employee claimed that for the first 14 days the employer asked them to provide a report of their working activity at home. After the first 14 days, if they wanted to continue working from home, the employer asked them to download a specific app which would track their activity on the internet and which seemed very invasive.
The IP found that the "monitoring report" implies processing of the employee's personal data and a legal basis would be needed according to Article 6 GDPR and the principles of Article 5 GDPR should be respected.
An employer who decides that his employees will work from home is entitled to monitor and supervise their performance and, to that end, to process information that might include personal data, in accordance with Article 48 ZDR-1. Which personal data should be processed follows from the principle of data minimisation. The employer should collect only the data that is necessary, appropriate and proportionate to the purpose of monitoring the employee's performance at work. Accordingly, any automated and systematic collection and further processing of, e.g., screenshots of employees' computers displaying the contents of their screen at a particular moment would not meet these criteria.
As for the app, its characteristics are not mentioned in the request submitted by the employee, but in general such apps can be used in very different ways, depending on the settings selected by the administrator and/or user. The IP emphasises that the employer must comply with his information obligations according to Articles 13 and 14 GDPR and the principle of transparency.
English Machine Translation of the Decision
The decision below is a machine translation of the original. Please refer to the Slovenian original for more details.
Date: 04/22/2020
Title: Opinion of the Information Commissioner regarding the processing of personal data when using an application for monitoring work at home by the employer
Number: 07121-1/2020/519
Subject matter: Employment relations, Informing an individual, Legal bases
Legal act: Opinion

You have contacted the Information Commissioner (hereinafter referred to as IP) with a question regarding the collection of personal data of employees which the employer is expected to collect during the course of your work at home through a special application. You indicated that during these times of crisis, your employer ordered you to work from home. He supposedly did this only by email, giving you a written instruction to work from home for the next 14 days. For the first two weeks you are supposed to report in writing by email, writing down a few paragraphs about what you were doing that day. In order to continue working from home, your employer supposedly requires you to download the app _____. Having looked into it on the web, you found that this application interferes deeply with human rights (it supposedly keeps track of which websites you visit, how long you have been active, etc.). You were wondering if the employer could ask you to do so.

On the basis of the information you have provided, in accordance with Article 57 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as the General Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette RS, No. 94/2007-UPB1, hereinafter ZVOP-1) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, Nos.
113/2005 and 51/2007-ZUstS-A), we provide our non-binding opinion on your question.

IP initially points out that, outside of the inspection or other administrative procedure under its jurisdiction, it cannot give specific views on individual issues relating to the protection of personal data or the legality or illegality of the processing of personal data.

With regard to the employee home monitoring application you described in your question, IP first emphasizes that its operation, by purpose and nature, undoubtedly also requires the processing of employee personal data. The data collected and further processed by the employer in this way relate to certain individuals and thus correspond to the definition of personal data referred to in the first point of Article 4 of the General Regulation, and the employer's handling of this data likewise corresponds to the definition of the processing of personal data referred to in the second point of the same article.

There must be a legal basis for any processing of personal data. The legal bases are laid down in Article 6 of the General Regulation. Considering that the present case concerns the processing of personal data within the employment relationship (the processing of personal data of employees by the employer), the provision of Article 48 of the Labor Relations Act (Official Gazette RS, No. 21/13, 78/13 - afterwards, 47/15 - ZZSDT, 33/16 - PZ-F, 52/16 and 15/17 - dec. US, hereinafter ZDR-1) also applies, which stipulates that the personal data of workers can be collected, processed, used and transmitted to third parties only if this is stipulated by this or another law or if it is necessary for the purpose of exercising the rights and obligations arising from the employment relationship or in connection with the employment relationship.
Those articles therefore generally set out the cases and conditions under which the law permits interference with an individual's right to the protection of personal data, and the controller of the personal data (in your case, the employer) is the one who must ensure that, for the specific processing of personal data which it wishes to implement, there is one of the legal bases laid down in those provisions.

Any processing of personal data must at the same time comply with the fundamental principles of processing as set out in Article 5 of the General Regulation. Personal data must be: processed lawfully, fairly and transparently with respect to the data subject ("legality, fairness and transparency"); collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes ("purpose limitation"); adequate, relevant and limited to what is necessary for the purposes for which they are processed ("minimum data"); accurate and, where necessary, up-to-date ("accuracy"); stored in a form which permits identification of data subjects for only as long as is necessary for the purposes for which the personal data are processed ("storage limit"); processed in such a way as to ensure adequate security of personal data, including protection against unauthorized or unlawful processing and against unintentional loss, destruction or damage, by appropriate technical or organizational measures ("integrity and confidentiality").

IP, as mentioned, cannot assess the lawfulness of specific processing of personal data that is or is intended to be performed outside of inspection procedures, in which all the relevant circumstances of the case are first established; moreover, you have provided us with only very general information in your question, stating that you yourself have received very little information about the operation of the application.
In view of the above, IP emphasizes that the employer who directs employees to work at home is in any case entitled to monitor and supervise the performance of such work by employees and, to that end, in accordance with the provision of Article 48 of the ZDR-1, also to process their personal data. In deciding what personal data of employees it will process for this purpose, and in what way, the employer must strictly adhere in particular to the principle of the minimum data set out above.

If the employer chooses to use the application as you state in your question, this means that with the help of such an application it can collect only those personal data of employees which prove to be necessary, appropriate and proportionate for the monitoring of work at home and the related control of the employer over the work of employees. A definitive answer as to which information an employer can collect through such an application cannot be given in general, as it depends on the type and nature of the work performed by the individual employee. In any case, the employer is always entitled to information about the work tasks performed by the employee during work at home, which the employee enters into such an application in the form of daily or weekly reports. If the nature of the work requires that work at home be performed at specific time intervals, the employer could also be entitled to information indicating whether the employee actually performed the work at the required interval, but in such a case he must also choose the solution that minimizes the interference with the information privacy of the employee and strictly adhere to the principle of minimum data.

Accordingly, the employer must, in determining the type and extent of personal data of employees which he or she processes for the purpose of monitoring work at home, and in choosing the means by which he or she performs it, take care not to unduly interfere with the information privacy of employees.
From this point of view, any automated and systematic collection and further processing of e.g. screenshots of employees' work computers displaying the contents of such a screen at a particular moment, and therefore several items of the employee's (potentially sensitive) personal data, and the automatic and systematic collection and further processing of data on visits to individual websites made by the employee during work hours, and similar solutions provided by various applications for employee supervision, would represent a serious and disproportionate interference with employees' information privacy and processing of their personal data, for which the obligor has no legal basis from the General Regulation or ZDR-1. Such processing of employees' personal data would not be appropriate, much less necessary, for the otherwise legitimate purpose it pursues (monitoring work at home), since the employer has sufficient other means to effectively control employees which interfere to a lesser extent, or not at all, with the protection of personal data of employees.

The characteristics and operation of the specific application referred to in your message are unknown to IP, but in general such applications can be used in very different ways, including as regards the processing of personal data, depending on the settings selected by the administrator and/or user. Thus, e.g., the same application can often be used in a manner that complies with the General Regulation and the ZVOP-1 in the processing of personal data, and in a way that grossly violates the provisions of these acts, so it is more appropriate than talking about the application itself in the specific case.

In the light of the statements in your message, it is also important to emphasize the importance of operators, in your case your employer, respecting the principle of transparency.
The principle applies in particular to the relationship between the controller of the personal data and the individual whose data is processed, and is derived from the provisions of Articles 13 and 14 of the General Regulation. According to the latter article, the employer should provide you with at least information about the purposes of processing your personal data, the legal basis for processing it, the types of personal data it processes (i.e. which of your data the application will collect and make available to the employer) and the users of this information. The second paragraph of Article 14 sets out the additional information that the operator must provide to the individual, if necessary to ensure fair and transparent processing.

The allegations in your letter indicate that your employer did not comply with this principle and did not provide you with the information referred to in Article 14 of the General Regulation, although he should have provided this information. In practice, IP notes that ambiguities and misunderstandings between personal data controllers and individuals also arise from the failure of the controller to respect the stated obligation.

In the light of the above, you are advised to first remind the employer (operator) of compliance with the provisions of Article 14 of the General Regulation. If the employer does not respond to your warnings, or if the information provided under this Article indicates that the processing of personal data is not in accordance with the above rules of personal data protection, please file a report with our authority, on the basis of which we will carry out an inspection procedure with the controller.