October 13, 2020
1 361
9 min read
12 most asked questions on EU employee monitoring laws
Employee monitoring is legal in most EU countries.
Regulatory differences do exist. However, most European countries have a few regulations that apply to every business. Firstly, employers must have legitimate reasons to monitor their employees. Second, employees must be made aware of the type of monitoring that is taking place. In all cases, the principles of legality, legitimacy, and proportionality apply irrespective of location.
1. Is employee monitoring legal in the EU?
Yes, employers in the EU have the right to
monitor employees at work as long as there is a legitimate business interest. That said, it is crucial to balance an employer's right to lawfully monitor and manage the work process and an employee's right to privacy. It is within the employee's right to be notified before any monitoring is carried out. Direct consent is not required everywhere, but in some places, it is mandatory, and so it is important to know what rules apply in your area. Most importantly, the monitoring process must comply with the
EU General Data Protection Regulation (GDPR). The GDPR maintains that consent, transparency, and data protection are essential. These rules apply to organizations (public and private) in the EU and those based outside the EU that offer the EU services.
2. Is it legal to monitor company's computers?
Yes, employers in the EU have a legitimate interest in
monitoring the use of the computers they have provided and ensuring that the use remains related to business. However, employers also need to balance the monitoring of use while respecting the privacy of their employees. Employers should take the following approach:
- Ensure that employees are notified in advance of the monitoring through a clear monitoring policy.
- Ensure that monitoring is for legitimate business purposes only and does not interfere with the employee's fundamental right to privacy.
- Ensure that data protection rights are respected.
3. Is it legal to monitor employee internet and social media activities?
Yes. Although legislation on monitoring social media and
internet activities varies across the EU, in most EU countries, monitoring the use of the internet and social media depends on its purpose (business-related or private use). According to
article, 29 of the Data protection working party, a legal ground such as legitimate interest is required for processing an employees’ social media profiles. Employers are only allowed to collect and process personal data relating to employees to the extent that the collection of those data is necessary and relevant to the performance of the job for which is being applied. Employers may monitor employees to restrict the use of the internet and social media during working hours. Employers are also recommended to establish well-defined policies on social media and internet usage so that employees know what is acceptable or not.
4. Is it legal to monitor screen contents and keystrokes?
Yes. Although businesses operating in the EU can use
screen capture and keylogging software to monitor their employees, such monitoring must serve a legitimate business purpose, and employees must consent. It is worth mentioning that this kind of monitoring may be seen as a violation of privacy in most cases. Therefore, before choosing to do so, employers should identify the issues they intend to address and determine whether this form of monitoring is necessary. Most importantly, they should take into account and comply with GDPR requirements.
5. Is it legal to monitor email content?
Yes, an employer may monitor email content received or sent on the company computer, provided that the information is not private and the monitoring is justified on legitimate grounds. It is also crucial for businesses to distinguish between private and work-related emails. Conversely, employees should also avoid accessing personal emails on devices provided for professional purposes. To balance the monitoring of email content while respecting employees' privacy, employers should:
- Ensure that the employee is aware of and has agreed to the monitoring.
- Ensure that personal data collected or connected to the employee e-mail accounts are not accessed, and where such situations arise, data should only be shared with their consent.
- Ensure that they retain emails and delete them after the period is up.
6. Is it legal to monitor or record phone conversations?
Yes. Under the Personal Data Protection Act, monitoring and recording phone conversations may be permitted under certain conditions. For example, if the party has given explicit consent or monitoring/recording is necessary to protect the employer's legitimate interests. A company with a works council must get permission from the works council before phone monitoring or recording is carried out. Employers intending to record telephone conversations are obliged to comply with this code.
7. Is it legal to use video monitoring systems in the workplace?
Yes. In the EU, video monitoring systems are permitted provided:
- There is a legitimate purpose for the surveillance.
- The surveillance is appropriate for this purpose.
- The monitoring is necessary and less intrusive.
The bottom line, the monitoring must be reasonable, and employers must consider the employee's privacy rights. Under the GDPR, employees must be notified of:
- The fact that they're being monitored.
- The purpose of monitoring.
- How long monitored data will be stored.
- Who has access to the monitored data.
The use of hidden video surveillance is considered a violation of Article 8 of the European Convention on Human Rights ('ECHR'). Also, monitoring in sensitive areas, such as restrooms, religious spaces, and break rooms, is prohibited.
Aside from video surveillance systems, there are various employee-friendly options to consider if the primary goal is to monitor overall productivity and ensure that company resources are properly utilized.
Employee productivity monitoring software is a great way to balance the benefits of monitoring with the risks of invading employees' privacy.
8. Is it legal to monitor private messages and email content?
Yes. Employers are justified in controlling certain activities such as sending or receiving private messages or emails, to ensure that employees perform their duties during working hours, particularly on the company device. The
ECHR sets clear guidelines on the extent of how and when such monitoring is permitted. Businesses must develop policies that allow employees to know the extent of the monitoring. Private messages and emails fall within the category of personal data (as described in
Article 4 of the GDPR). Therefore organizations must prove that they have the legal basis to collect and monitor such information.
9. Is it legal to monitor employees' personal devices?
Yes. There are some valid reasons why employers may need to monitor their employees' personal devices. For example, with more employees working from home in the EU and worldwide, many employers want to keep up with work processes. Monitoring is, therefore, reasonable in such cases, but there are limits to the monitoring. The GDPR requires the employer to explicitly inform the employee of what information they intend to collect and how they intend to use it. Additionally, the GDPR requires the employer to be transparent about the monitoring process and provide the employee with ample information on how and for what purpose they'll be monitored. It is recommended that employers
implement BYOD policies and understand where to draw the line with employee privacy and best practice when developing such policies.
10. Is it legal to monitor employees' personal computers?
Yes, if the employee performs work duties on a personal computer, monitoring such devices may be considered to serve a legitimate interest in the protection of business information. However, if such monitoring also captures data relating to the employee's private life, it is considered unlawful. Appropriate measures should be taken to distinguish between personal and business use of the device and the implementation of BYOD policies should be created to strike a balance.
11. Is it required to inform employees of the monitoring?
Yes. In the EU, this is a crucial step. Many EU countries require employers to inform their employees and discuss any monitoring process issues before monitoring. Article 29 data protection working party (WP249) emphasizes that
transparency should be applied to data processing at work. Employees must be aware of the monitoring, the purposes for which personal data are to be collected, and any other information necessary to ensure fair processing. Two legal approaches arise across the EU when it comes to co-determination rights. In some countries, employees have the right to agree to the monitoring or not. In other jurisdictions, employees have less power. They must be notified of the monitoring, but consent is not required.
12. Employee monitoring policy - mandatory or not?
Yes. Nothing beats a good, clear policy about the monitoring process. Monitoring policies, handbooks, e.t.c must be carefully tailored to show an organization’s legitimate purpose behind the monitoring and what is acceptable or not. With a comprehensive and easily accessible workplace monitoring policy, employees will be aware of the monitoring. All these must be included in the policies:
- The nature and extent of the monitoring process.
- The reason for the monitoring.
- The impact of the monitoring on the business.
- How confidential or sensitive information is handled. (If any is taken)
- Point out acceptable and unacceptable uses.
Employers must ensure that their monitoring policies are compliant with legal requirements.
Our monitoring experts have developed ready-to-use policies, announcement samples, and employee monitoring handbooks for direct use or a sample to create future employee monitoring policies. Request a copy now. It's free!
Are there laws in the EU that protect employee workplace privacy?
Yes. In the EU, employee privacy is of fundamental importance. Although the EU acknowledges that employers have a legitimate interest in maintaining smooth business processes and protecting against situations that can lead to liability, the EU is very clear about privacy. Article 8 of the
European Convention for the Protection of Human Rights and Fundamental Freedoms recognizes the right to private and family life.
Article 5 of the
GDPR requires data controllers (employers) to enforce data protection measures by design and default. Personal data should be:
- Processed lawfully, fairly, and transparently concerning the data subject.
- Collected for specified, explicit, and legitimate purposes and not further processed in an incompatible manner.
- Adequate, relevant, and limited to what is necessary for the purposes for which they are processed.
- Accurate and, where necessary, up-to-date; every reasonable step must be taken to ensure that inaccurate personal data are deleted or corrected without delay.
- Personal data may not be stored for long periods.
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organizational measures.
- Personnel responsible for the data must be able to be held accountable for the data.
The GDPR requires employers to carry out a Data Protection Impact Assessment (DPIA), taking into account the nature, scope, context, purposes of the monitoring process.
Is there professional lawyers’ advice on monitoring?
Yes. Professional lawyers advise employers to follow these seven fundamental principles suggested by the Working Party, so the monitoring is considered lawful and justified under EU laws. The regulations include Necessity, Finality, Transparency, Legitimacy, Proportionality, Accuracy, and data security retention. These rules ensure that employers understand the legitimate business need for monitoring, that employees are aware of the monitoring and reasons for the monitoring, that employees' rights are not violated, and that employees' personal data is protected.
- The necessity principle requires that the monitoring be "necessary" for business purposes.
- The finality principle requires that data be collected only for specific, explicit, and legitimate purposes and not be processed in any way incompatible with that purpose.
- The transparency principle requires an employer to be open and clear about the monitoring. (No covert monitoring is allowed) The transparency rule stipulates that the monitoring and reasons behind it must be fully and explicitly disclosed to all employees in written policies .
- The legitimacy principle indicates that the processing of employees' personal data must be legitimate and necessary for work performance, without violating the employees’ fundamental rights.
- The proportionality principle states personal information must be adequate, relevant, and not excessive.
- The accuracy principle requires that all records be accurate, up to date, and retained for no longer than necessary given the employer's legitimate purposes. As a guideline, the Working Party suggests that data retention shouldn't exceed three months.
- The data security principle necessitates that the employer takes appropriate technical measures to ensure that employees' personal data is safe.
What is the bottom line?
All employee monitoring processes must comply with data protection laws. The
monitoring process should be carried out on legal grounds and fair to the employees, and, most importantly, transparent.
Disclaimer
The information provided in this article is for general understanding only and not to be used as legal advice. To receive professional legal advice, please consult your lawyer.