Data Processing at Work: New Challenges towards Compliance

by Alston & Bird

The Article 29 Working Party (“WP29”) recently issued an opinion that discusses the processing of employee personal information (Opinion 02/2017). WP29 focuses on the use of new technologies by employers and assesses requirements in light of the upcoming General Data Protection Regulation (“GDPR”).

Consent and legal bases to process personal information

The WP29 has historically asserted that employees’ consent should not be a legal basis for processing employees’ personal information. The power imbalance between employer and employee leads to an uneven situation where consent is not freely given. Even if consent were to be considered valid, it must be specific and proactive, and the employee can withdraw it at any point.

Consent should therefore not be treated as a legal basis for processing in most cases. Instead, the majority of the processing should be based in the context of performance of a contract (e.g. salary payments), legal obligations (e.g. fraud prevention) or legitimate interest.

Employee monitoring

The Opinion extensively discusses monitoring of employees’ behavior. Several technologies allow employee monitoring, such as GPS-tracking of smartphones, monitoring IT usage, Data Loss Prevention (DLP) tools, eDiscovery, Bring-Your-Own Device (BYOD) and the use of CCTV.

The WP29 reminds employers to adopt a monitoring policy explaining monitoring details such as time and location. Employers should provide notices stipulating the purposes of monitoring and possibilities for employees to prevent their data captured by monitoring technologies. The WP29 also recommends involving a representative sample of employees in the creation and evaluation of such policies and notices.

Main types of employee monitoring

IT usage monitoring

IT usage monitoring can generate large data amounts. Data analysis and cross matching techniques create the risk of incompatible further processing. The WP29 warns that the risk is not limited to the analysis of the contents of employee communications, but even to wider communications.

To mitigate risk, prevention through technical means should be prioritized over detection. For instance, if prohibited use of communication services can be prevented by blocking certain websites, then blocking should be the preferred option.

In cases of internet traffic monitoring, the WP29 believes that employers should provide an alternative for unmonitored access for employees, such as a free Wi-Fi network or specific devices where employees can access the internet for personal use

Data Loss Prevention (DLP)

The use of Data Loss Prevention tools, which monitor outgoing communication to prevent data or confidentiality breaches, are permitted. However, unnecessary processing of personal information must be avoided through a number of ways (e.g. by delivering a warning message before the e-mail is sent to give the sender the option to cancel it). Further, the employer should implement and communicate a specific acceptable use policy for DLP.

Cloud Services

When an employer requires employees to use cloud services in the context of their work, they must also designate private cloud folders (e.g. a cloud folder named “Private”) to which the employer may not gain access unless under exceptional circumstances.

Bring Your Own Device (BYOD) policies

Employers must avoid monitoring private information in BYOD devices. At the same time they need to protect their business and personal information. This can only be done if there are adequate means to distinguish between privacy and business uses of the BYOD device. As a result, they must have methods in place to ensure that the employee’s own data on the device is securely transferred.

Wearable devices

As for wearable devices, the Opinion reiterates that the employer cannot use the employees’ consent as a basis for processing this information due to their sensitive nature (e.g. health data). It would be generally prohibited for employers to receive any sensitive personal information in the context of wearable devices (e.g. employees’ sleeping and exercise patterns).

Geo-location monitoring

The deployment of vehicle telematics to collect geo-location data is permitted for a number of purposes (e.g. efficiency of service delivery, safety of employees). However, the employer should first assess whether the processing for these purposes is necessary and whether the implementation satisfies the principles of proportionality and subsidiarity. In any event, the employee should be aware of such monitoring and should have the option to temporarily deactivate this option, for instance when he/she drives to attend to a personal matter.

Recruitment and in-employment screening

The employer is not by default allowed to process publicly available information from the social media profile of a job applicant. To process such information the employer should evaluate:

  • Whether there is a legal ground that justifies processing (e.g. legitimate interest)
  • Whether this is a private or a business social media account
  • Whether the processing is necessary and relevant to the performance of a task (e.g. to assess the qualifications of a candidate).

In any event, such personal information should be deleted if the candidacy does not move forward, and the individual must be informed of the processing before the start of the recruitment process.

While in employment, screening of employees’ social media profiles should not occur on a generalized basis and employers should not require employees to use a corporate social media profile.

Data Protection Impact Assessment- a Useful Ally

WP29 suggests that the employer should consider running a Data Protection Impact Assessment and take measures to minimize impact on employees’ privacy and secrecy of communications.

WP29 refers to a DPIA as good practice when employers wish to roll out monitoring technology, automated decision making, and profiling that involves employees. The Opinion also mentions that employers should conduct a DPIA to introduce Mobile Device Management (MDM) that allows them to locate devices remotely.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Alston & Bird | Attorney Advertising

Written by:

Alston & Bird

Alston & Bird on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.