On April 28, 2021, the Dutch Data Protection Authority published a guide for Dutch works councils on how to exercise their right of consent with regard to processing and protection of employee personal data and digital employee tracking systems (the "Works Council Privacy Booklet"). We also notice from our clients that companies are processing employees’ (personal) data more and more, and are considering using employee tracking systems as a new norm after the pandemic. Consequently, these topics will be on employers’ and works councils’ agendas more frequently, which is why the Dutch Data Protection Authority created a guide for works council members.
This alert provides you with an overview of the Dutch works council’s role and the Dutch Data Protection Authority’s main guidelines for a works council’s involvement in respect of privacy on the work floor. This alert is both relevant for employees (appointed as works council members) and employers aiming to introduce or amend company regulations in this respect.
Employers process a lot of personal data of their employees. Arrangements for the use of employee data are present in every organization, for example the registration of absenteeism, payroll administration and data that are kept in personnel files. As working from home becomes more widespread as a result of the COVID-19 pandemic, employers may consider turning to more enhanced methods to monitor their employees and use more invasive technology, both at work and at home, to observe employees and monitor their attendance, behavior and performance. Examples include a system that records attendance, time and access, or a tracking system, such as a CCTV system or a GPS tracker in company vehicles, but also a system that supports the handling of work, a system that tracks customer contacts, or a system that shows when an employee consults a certain record and at what time. The works council plays a role in this respect.
Works council’s rights
Pursuant to the Dutch Works Council Act ("WCA"), the works council’s endorsement shall be required for every proposed decision to establish, amend or withdraw regulations relating to (i) the handling and protection of personal data of persons working in the company (article 27 paragraph 1, section k of the WCA), and (ii) measures aimed at monitoring or checking the attendance, behavior or performance of persons working in the company (article 27 paragraph 1, section l of the WCA). [1]
Apart from this right, the works council can also speak on its own initiative about the use of employee data, without the employer having requested it. This is the so-called "initiative right" of article 23 paragraph 3 of the WCA. The works council also has the right to ask for all information reasonably required to carry out its duties, i.e. to exercise its statutory powers. This may involve the right to endorse, but also the right of initiative on the basis of which it can proactively submit proposals to the employer.
In order to properly assess the regulations proposed by the employer, the Dutch Data Protection Authority ("the DDPA") finds it important that the works council is well prepared. Where necessary, the works council may also ask the employer critical questions. In order to assist the works council in this respect, the DDPA has produced a guide: the Works Council Privacy Booklet. It is also recommended for employers to take note of this guide in order to be well prepared when submitting a request for consent to the works council.
Works Council Privacy Booklet
The guide addresses the following topics:
- How to determine whether the works council has a right of consent? What is personal data exactly, and when is it being processed?
- What are the most important General Data Protection Regulation ("GDPR") privacy rules? Which questions can be asked to check whether the employer’s plans are GDPR-proof?
- Which questions can a works council ask if the employer intends to use an employee tracking system?
Processing personal data
When processing personal data, employers must make sure that the purpose of processing data is specified, explicit and legitimate. Employers should determine what the most appropriate lawful basis is, which should be analyzed on a case-by-case basis. In doing so, the employer must always explicitly weigh the privacy interests of the employees against its own interests as an employer. Please note that in the employment context, the DDPA is of the opinion that the employer cannot rely on an employee's consent to process employee’s personal data (generally considered an appropriate lawful basis), given the imbalance of powers between an employee and an employer and the fact that consent is generally not given freely by the employee. In principle, it is prohibited to process special categories of personal data, such as employee data on absenteeism due to illness, unless one of the exceptions in the GDPR applies.
The concept of "processing" covers everything that can be done with personal data, including collecting, storing, amending, combining with other data, sharing with third parties and deleting. Any personal data that the employer is processing must be adequate and relevant for the processing purposes. Employers must ensure (and must be able to demonstrate) that personal data is protected and GDPR requirements are respected, even if the processing is done by another party under the employer’s instruction. This is the principle of accountability and this is one of the core principles underpinning the GDPR. Where an employer engages a processor for (part of) the data processing, it should enter into a written data processing agreement.
Employers need to choose the least intrusive technology that will collect, by default, the minimum amount of personal data required to achieve the processing purpose. In general, employers should only process the data that is strictly necessary for the predefined purpose. Personal data must be processed in such a way that appropriate security of the personal data is ensured by carrying out a risk analysis, and the personal data should not be kept longer than is necessary to achieve the purposes for which they were collected.
Employee tracking systems
According to the DDPA, using an employee tracking system is always an invasion of employees’ privacy and this should not be undertaken lightly. The tracking system should be reasonable in relation to the employer’s intended purpose for using such system and the employer should be able to demonstrate that it is not possible to achieve this purpose in a way that is less intrusive for the employees. In particular, employees should be given prior information about the purpose of the tracking system, the timing and use of the personal data collected and how long the personal data will be stored. One of the employer’s obligations under the GDPR is to inform the employees about the tracking system, for example in the employee privacy notice.
Please note that structural covert observation is not permitted. Occasional covert surveillance may be justified, provided strict conditions are met.
The GDPR provides that a Data Privacy Impact Assessment ("DPIA") is required if the processing is “likely to result in a high risk to the rights and freedoms of natural persons”. In other cases, (a light version of) a DPIA is (expected) good practice. A DPIA is a process designed to describe the processing activity, assess the necessity and proportionality of this activity, and help manage the risks to the rights and freedoms of data subjects resulting from the processing of their personal data.
A DPIA is in any event required in the case of:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of personal data (article 9 GDPR); or
- systematic monitoring of a publicly accessible area on a large scale.
In addition, the DDPA published a list of processing activities always requiring a DPIA. Large-scale or systematic processing of personal data to monitor activities of employees is included in this list. Consequently, before employers may roll out an employee monitoring tool they should conduct a DPIA.
Employee individual (information) rights
Regardless of the works council’s right of consent, individual employees should be able to oversee who is processing their personal data and for what purpose. The employer therefore has an obligation to provide information in a concise, transparent and easily accessible form, using clear and plain language. This means that the employer must inform employees before the employer starts to process their personal data. For new systems, this means before their roll-out. For existing systems, new joiners should be informed before the system starts processing their data, so before or upon onboarding.
Moreover, employees have several privacy rights (i.e. the right to access, rectification, erasure, restriction, portability and the right to object to further processing) under the GDPR. These allow them to maintain control over their personal data. For example, they have the right to access their personnel file. They can also request rectification, restriction or deletion of their data. This allows them to defend themselves against incorrect or incomplete data in the file.
Examples of questions
The DDPA gives several examples of questions that a works council may ask when assessing a request for consent from the employer, including:
- Does the employer make sufficient use of the possibilities to make personal data anonymous?
- Does the employer need to collect the personal data at the individual level or can the employer suffice with data at the level of a department or of the company as a whole (aggregate level)?
- Has a procedure been established to test whether the security measures are (still) effective?
Examples of questions that a works council could ask with regard to employee tracking systems include:
- Why is the employer considering using this employee tracking system?
- Is there a legal or contractual obligation? If not, is it for some other reason necessary to implement or use the employee tracking system?
- If there is necessity, can the employer prove that it has a legitimate interest to use the employee tracking system?
- Is it possible to achieve the employer's purpose in a way that is less intrusive for the employees?
- Who has access to the personal data being processed?
- Is it known in the organization what behavior will not be tolerated and have employees been warned about it?
We have vast experience in works council procedures and related data protection matters, and are happy to guide this process, and assist in implementing regulations related to employee tracking systems and/or processing employee data, drafting regulations/protocols in this respect, assisting in carrying out a DPIA, and meeting the information obligation (for example, by preparing the privacy notices).
[1] Please note that the works council also has an advisory right in the event an employer wants to introduce or change a technological provision (article 25 paragraph 1 section k of the WCA), but the booklet does not cover this situation.