The Data Protection Agency recently completed five inspections which focused on employers' duty to provide information when using control measures to monitor employees. The decisions emphasise that employers should be diligent in informing employees about measures that allow the monitoring of employees and, to the greatest extent practicable, ensure that the information required by Articles 13 and 14 of the EU General Data Protection Regulation is given to employees in an easily accessible form.
Under the EU General Data Protection Regulation, data controllers must provide data subjects with access to all of the personal data that the data controller processes about them if the data subject requests it. In a recent case, the Data Protection Agency considered whether an employer was entitled to refuse to provide access to all of the contents of a former employee's work email account.
The Data Protection Agency recently issued a decision seriously criticising an employer which did not respond adequately after receiving a deletion request from a former employee relating to video content. The decision demonstrates that employers must carefully consider whether a request for deletion constitutes a withdrawal of consent, as any personal data processed on the basis of the consent must be deleted without undue delay, unless the employer (already) has another lawful basis for the processing.