CIPP/E study notes

Pages: 62
Uploaded on: 13-10-2025
Written in: 2024/2025

Updated study notes for CIPP/E Domain 3

Institution: CIPP/E

Preview of the contents

III. Compliance with the GDPR

EMPLOYMENT RELATIONSHIP

● Article 88 of the General Data Protection Regulation (“GDPR”) provides an “opening clause” that permits member states to adopt more specific rules related to the processing of employee personal data. Rules adopted under Article 88 must “include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights . . . .” Member states are obligated to inform the European Commission of any legislation adopted pursuant to this provision. Article 88 allows for “more specific” rules—not a deviation from the established rules of the GDPR. Therefore, employers must abide by the GDPR, including by permitting employees to exercise their data subject rights, as appropriate.
● Because the GDPR applies with full force in the employment context, employers must abide by all standard data protection practices. This includes the transparency and information provision obligations set forth in Articles 12 through 14 of the GDPR. Employers typically satisfy this obligation to provide information about how they process employee personal data by including this information in employee handbooks. Other types of notice, such as providing employees a separate document, are nevertheless permissible. This information should include, at a minimum, what type of data is processed, the purpose of the processing activities, and the legitimate interests that the employer is relying upon to process the data.


1. LEGAL BASIS FOR PROCESSING OF EMPLOYEE

● Employers must have a legal basis to process personal data of employees
○ Because of unequal bargaining power, consent is usually not an available lawful basis (i.e., it is not freely given); it should only be used as a last resort in this context
○ Processing may be necessary to fulfill an employment contract (e.g., processing banking info to pay employees); processing must be limited to that which is necessary
○ Recordkeeping laws from member state legislation may provide a lawful basis
○ The legitimate interests of the employer may permit some employee monitoring and other processing; this is the most flexible lawful basis
● Processing special categories of data is typically dictated by member state laws in this context under the opening clauses of Articles 9(4) and 88
● A clear imbalance—as is often the case in the employer/employee relationship—is unlikely to satisfy the “freely given” requirement of consent. Indeed, the European Data Protection Board (“EDPB”) pointed specifically to the employment context as one where an imbalance of power is likely to exist for purposes of determining whether consent is valid: “Given the dependency that results from the employer/employee relationship, it is unlikely that the data subject is able to deny his/her employer consent to data processing without experiencing the fear or real risk of detrimental effects as a result of a refusal.” For this reason, the “EDPB deems it problematic for employers to process personal data of current or future employees on the basis of consent as it is unlikely to be freely given.”
● When based on the necessity of fulfilling the employment contract, employers must be mindful to limit the processing of personal data only to the extent of the necessity. The use of employee email, for example, might entail some minimal processing of the employee’s personal data that is necessary to fulfill the employment contract, namely the minimal processing necessary to functionally send and receive email communications. But contractual necessity does not provide a valid basis for an employer to read an employee’s email messages—though, depending on the circumstances, this may be necessary to protect the employer’s legitimate interest.
● Employers may rely on processing necessary to comply with a legal obligation as a valid basis for processing personal data only if the legal obligation stems from E.U. or member state law to which the employer is subject. Thus, a legal obligation imposed by a third country, such as the United States, would not qualify as a valid legal basis under Article 6(1)(c), but it may nevertheless qualify as necessary to protect the employer’s legitimate interests.
● The legitimate interest of the employer is perhaps the most relied-upon legal basis for processing employee data. A certain level of employee monitoring, for example, may be permissible if the purpose of doing so is to protect the employer’s assets (i.e., theft prevention).
● Employers must also abide by the restrictions on processing special categories of employee data under Article 9, such as data related to race, sexual orientation, and religious affiliation. Article 9 is a flat prohibition on processing sensitive personal data, with a handful of exceptions. Explicit employee consent may serve as an exception to the prohibition on processing special categories of personal data. Again, however, this should only be used as a last resort.
● Employers collect data on employees across the entire employment life cycle
○ The purpose of processing data will change in each step of this life cycle
● Whether continued storage is permitted must be decided on a case-by-case basis and should be revisited as underlying facts change
● Data may be retained after employment if there is a valid purpose (e.g., required by member state law)
● Take, for example, personal data obtained during the hiring process. An employer is likely no longer to have a valid purpose to process most of the data related to those candidates that were rejected, while the calculation might be different for those who become employees. In a similar vein, the purposes for processing employee data are likely to change significantly at the end of an employment relationship. Ultimately, the determination about what type of data may be retained will depend on the unique circumstances of the employing organization and the purposes for which it initially obtained the relevant personal data.
● There may be valid reasons to retain information related to an employee at the conclusion of his or her employment. This might include, for example, records related to tax collection or employee health and safety. Local laws sometimes require the retention of this type of data at the end of the employment relationship. Archiving of this data is permissible under Article 5, if done for purposes in the public interest, scientific or historical research or statistical purposes, subject to appropriate safeguards.


WORKPLACE MONITORING


● When it comes to monitoring the workplace, employers most commonly rely on their legitimate interests as the lawful basis for processing employee personal data.
● Under the GDPR, there is room for employers to monitor their workplace for safety and other business-related reasons, but these legitimate interests must be carefully balanced against employees’ right to privacy.
● Background screening of prospective employees is done for several reasons, including safety and security, establishing that candidates are trustworthy, and confirming information in application materials. Background screening also helps to ensure employers are hiring the best and most qualified applicants. Generally, background searches conducted from publicly available information are considered to be reasonable and acceptable. With the advent of social media, the amount of information publicly available to prospective employers is greater than it has ever been. In many cases, however, prospective employers will nevertheless want to investigate an applicant’s background beyond what is publicly available—for example, by calling prior employers or references.
● While background screening has many benefits, it must be conducted in a way so as not to violate applicable laws. Even a search that is legally permitted—such as a search conducted on a publicly accessible search engine—carries risk if it turns up information about a job candidate’s race, religion, or other protected category.
● The use of so-called “blacklists” of individuals that an employer will not employ should be strictly avoided. Such lists are likely to run afoul of numerous rules set out in the GDPR, including the principles of fairness, purpose limitation, data minimization, and storage limitation, among others.
● One primary reason that organizations monitor their employees is to protect company data and infrastructure. Data Loss Prevention (“DLP”) is the term given to the strategies implemented to avoid the unauthorized access or misuse of sensitive data. DLP strategies often employ information security tools, employee training, and administrative standards and policies. These DLP techniques normally entail some processing of employee personal data, and therefore organizations must ensure that any such practices properly adhere to the data protection rules that apply.
● Some forms of workplace monitoring are particularly intrusive, and almost never justifiable in the employer’s interest. Placing video surveillance cameras in employee changing rooms or bathrooms, for example, would be nearly impossible to justify as legitimate. In some cases, local law may require that an employer obtain DPA permission before certain surveillance activities are allowed. Covert surveillance of employee personal calls is one example where this may be the case. These more intrusive practices may, in some cases, also constitute criminal offenses in some jurisdictions.
● The European Court of Human Rights, in the case Halford v. United Kingdom, held that personal telephone conversations conducted on an employer’s phone while at work fell within the scope of one’s private life within the meaning of Article 8 of the European Convention on Human Rights. Workplace monitoring that is encouraged or required in the United States may not be permitted in countries that are part of the European Union. Therefore, multinational companies may need to develop several sets of policies regarding their employee-monitoring practices.
● According to the Article 29 Working Party, “[b]efore being implemented in the workplace, any monitoring measure must pass a list of tests,” including: (1) is the monitoring activity transparent to the employees; (2) is the monitoring necessary; (3) is the processing fair to workers; and (4) is it proportionate to the concerns it is attempting to address?
● Workplace monitoring must be (1) transparent to employees (i.e., disclosed); (2) necessary for a legitimate interest; (3) fair to workers; and (4) proportionate to the concerns it is attempting to address
● The lawful basis for workplace monitoring is most commonly the employer’s legitimate interests; consent is usually not an available lawful basis
○ Some monitoring will be too intrusive to be in the employer’s interest
○ Prevention is more important than detection
● Necessity means that there must be no less intrusive means to protect interests
○ A DPIA is generally required before monitoring the workplace
● Covert surveillance is typically prohibited, except where local law permits
● Formal policies about workplace monitoring should be adopted and disclosed; it is best practice to have employees sign an acknowledgement
○ Acceptable Use Policy: A document setting forth rules for accessing an organization’s internet connection and internal network
● The proportionality principle will typically prohibit blanket monitoring of email or internet use




WORK COUNCILS


● Work councils are similar to employee unions in the U.S.
● Employers may be restricted from conducting certain processing activities based upon agreements with work councils
● E.U. law requires that work councils must be permitted for “community-scale undertakings”—i.e., companies with at least 1,000 employees in the E.U. and where there are at least 150 employees in each of two member states
○ Local law may also permit the creation of work councils for smaller entities
● Employers may need to:
