The Works Council Privacy Booklet – new guidance published by Dutch DPA

Hogan Lovells
Contact

Hogan Lovells

The Dutch Supervisory Authority (Autoriteit Persoongsgevens or "AP") has published a privacy booklet that primarily aims to support Works Council in its role with regard to privacy under the GDPR. Whilst the booklet provides some helpful clarifications on the AP’s interpretation of “employee monitoring systems,” it also contains statements that are not in line with the Dutch Works Council Act (WCA) and the General Data Protection Regulation (GDPR), resulting in new discussions on the Works Council’s role and responsibilities. This has created legal uncertainties and may lead to conflicts between employers and Works Council.

The Council’s role and responsibilities

Most importantly, the AP states that Works Council is closely involved in the arrangements concerning processing of employee data and employee monitoring systems, and that Works Council has a joint responsibility for the processing and protection of personal data at work. With these statements the AP seems to create a kind of internal supervisory role for Works Council in the field of privacy. However, this is not a role or responsibility that follows from the WCA nor the GDPR and in our experience is not a role Works Council is equipped to fulfil. In essence, the responsibility with regard to the processing of personal data and demonstrating GDPR compliance lies solely with the employer, being supervised by the Supervisory Authority. From a GDPR perspective, Works Council cannot be held liable in case of non-compliance with the GDPR and fines may only be imposed on the employer or its processor, but not on Works Council.

Based on the WCA, Works Council has a right to be informed of and to (withhold) consent to intended decisions of the employer to lay down, amend or withdraw, policies or internal regulations on the processing and protection of employee personal data, employee monitoring systems and the attendance or the performance of employees among others. For instance, if an employer plans to amend its employee privacy policy, implement software to keep track of workflows, customer interactions or access to documents (logging), Works Council must be informed and asked for consent according to the WCA. Works Council however does not need to consider or assess compliance with the basic principles of the GDPR, for instance the lawfulness and proportionality. Works Council furthermore is not obliged to carry out or review data protection impact assessments, records of processing activities, incident registers, international transfer mechanisms or (other) documents prepared for GDPR compliance by the employer.   

Employee monitoring systems

Unsurprisingly, the AP interprets the notion of “employee monitoring system” broadly, making reference to obvious examples such as track & trace systems, CCTV, GPS trackers, wearables and smart watches. Whilst the AP recognized logging of access as an example for appropriate security measures, it also states that “the use of employee monitoring systems always constitutes an infringement of the employee’s privacy”. To help Works Council making an informed decision on whether or not to consent to intended decisions of the employer to lay down, amend or withdraw, policies or internal regulations that lead to employee monitoring, the AP recommends Works Council to consider asking the following questions:

  • Is the policy or regulation considered an employee monitoring system?
  • Is it necessary for the employer to use an employee monitoring system?
  • Will employees be informed of the purposes, use and retention prior to the monitoring?
  • Will performance reviews solely be based on data collected via employee monitoring systems?

Despite the points outlined above, the privacy booklet provides some helpful guidance, particularly on the basic principles of the GDPR and the AP’s view on employee monitoring systems. However it should treated as guidance only, keeping in mind that it is not the role of Works Council to act as internal supervisory for employee privacy matters, and that Works Council have no joint responsibility in this respect.

 

Andreas Hauselmann, a Paralegal in our Amsterdam office, contributed to this entry.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising

Written by:

Hogan Lovells
Contact
more
less

Hogan Lovells on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.