The Data Protection Agency recently completed five inspections which focused on employers' duty to provide information when using control measures to monitor employees.

GDPR

The EU General Data Protection Regulation (GDPR) states that, no later than at the time of collection, data controllers must inform data subjects of, among other things:

  • the purpose of the data processing;
  • the legal basis for the processing; and
  • the length of time that the data will be stored, wherever possible.

The duty to provide this information is linked to the GDPR's principle of transparency, which includes a requirement that data subjects have easy access to detailed information regarding the processing of their personal data.

Data Protection Agency inspections

In August 2020 the Data Protection Agency completed five written inspections, all of which focused on employers' duty to provide information to employees regarding control measures used to monitor employees. All five inspections gave rise to criticism from the agency, and in three of the cases the agency even expressed serious criticism of the employers' processing of personal data.

The serious criticism from the Data Protection Agency concerned, among other things, the lack of clear information regarding the purpose of the processing of the employees' personal information. For example, one employer had not sufficiently informed its employees of a number of measures, including access to the employees' emails and the use of video surveillance, which the employer could use for control purposes in relation to the employees.

In addition, the Data Protection Agency criticised the lack of information regarding the employers' legal basis for processing employee data, as well as the categories of information collected for control purposes. Thus, the recurring theme of the inspections was whether the employees had received sufficient information and whether they had easy access to that information.

Comment

The Data Protection Agency's detailed decisions emphasise that employers should be diligent in informing employees about measures that allow the monitoring of employees and, to the greatest extent practicable, ensure that the information required by Articles 13 and 14 of the GDPR is given to employees in an easily accessible form.