The EU General Data Protection Regulation (GDPR), which came into force on 25 May 2018, seeks to protect individuals with regard to the treatment of their personal data.
At the heart of the GDPR is the increased responsibility of data controllers, which is enshrined in the principle of accountability. As such, upstream controls imposed by the supervisory authorities have been eliminated.
Thus, the requirement for employers to notify and submit requests for prior authorisation with the National Commission for Data Protection (CNPD) has given way to an obligation to:
- continuously document the legality of their data processing;
- analyse its impact; and
- adapt their procedures accordingly.
Employers must ensure that they comply with the specific provisions introduced by the Law of 1 August 2018(1) when implementing measures to monitor employees in the context of an employment relationship.
Thus, although the new legal framework appears to provide greater flexibility with regard to employee surveillance, employers must first fulfil a number of conditions.
Evolution of surveillance regime
In accordance with Article 88 of the GDPR, Luxembourg has adopted more specific rules on the processing of employee personal data in the context of employment relationships.
The new provisions of the Labour Code testify to the profound changes that have been made to the legal framework surrounding employee surveillance.
Concept of surveillance
The amended Act of 2 August 2002 on the Protection of Individuals with regard to the Processing of Personal Data (now repealed) clearly defined 'surveillance' as:
any activity which, by means of technical instruments, consists in the non-occasional observation, collection or recording of personal data of one or more persons relating to behaviors, movements, communications or the use of electronic and computerized devices.(2)
According to this definition, surveillance constituted the use of technical tools (including electronics or computers) to observe, collect or record personal data on a regular basis. Manual and occasional controls were therefore excluded from the statutory regime applicable to surveillance.
As such, in a dispute involving an employee who had been dismissed for misuse of the Internet at his place of work, the Court of Appeal held that the rules applicable to surveillance in the workplace did not apply to controls that were neither regular nor non-occasional.(3)
Previously, workplace surveillance required, among other things, prior authorisation from the CNPD. In the absence of proper authorisation, evidence from such surveillance was inadmissible in the labour courts.
In this case, the Court of Appeal, noting that the surveillance had not been undertaken on a regular or non-occasional basis, concluded that:
- the activity did not constitute 'surveillance' within the meaning of the amended Law of 2 August 2002; and
- as a result, the lack of prior authorisation from the CNPD did not undermine the validity of the evidence collected through such surveillance.
The legal qualification of surveillance is therefore important for employers and the lack of a clear legal definition can fuel legal uncertainty. Despite this, the Law of 1 August 2018, which repealed the previous law, contains no definition of surveillance, despite criticism from the House of Employees in the preparatory parliamentary work.(4) Further, the notion of surveillance is defined in neither the GDPR nor the Labour Code.
However, it can be assumed that employers can continue to rely on a similar definition as that set out in the previous law to determine whether their processing activities are covered by the legal framework regarding employee surveillance.
The work(5) of the former Article 29 Working Party(6) on workplace surveillance generally combines the use of technologies or technical equipment with the activities of monitoring, observing or controlling the behaviour, movement and communications of employees, which evokes the criteria posed by the old legal definition of surveillance.
Further, in case of doubt as to the qualification of their processing activities, employers can seek the opinion of their council or the CNPD.
In any event, before setting up surveillance in the context of the employment relationship, employers must ensure that they can rely on one of the new legal grounds introduced by national legislation.
Lawfulness of surveillance
Prior to the Law of 1 August 2018, the monitoring of employees was strictly governed by an inflexible and restrictive regime. Under such regime, employers could use surveillance measures only in one of the five cases listed in the Labour Code (former Article L 261-1) and subject to obtaining prior authorisation from the CNPD. Thus, surveillance could take place only if it was necessary:
- to protect employee health and safety;
- to protect the employer's property;
- to control the production process (as regards machines);
- to control the production or the employee's performance but only where this control was temporary and the only way to determine their exact salary; and
- within the framework of the organisation of work according to the mobile schedule under the Labour Code.
Any surveillance system implemented for a purpose other than one of the above was unlawful and exposed the employer to criminal penalties.
The new Article L 261-1 of the Labour Code no longer limits the possibilities of undertaking surveillance. As such, employers can now undertake surveillance for any purpose, provided that one of the following conditions is met:
- the employee has consented to the processing of their personal data for one or more specific purposes;
- the processing is necessary to perform a contract to which the employee is a party or pre-contractual measures taken at the employee's request (eg, an employment contract);
- the processing is necessary to enable the employer to comply with a legal obligation;
- the processing is necessary to safeguard the vital interests of the employee or another natural person;
- the processing is in the public interest or falls under the power of the employer's relevant public authority; and
- the processing concerns the legitimate interests of the employer or a third party, unless the interests or the fundamental rights and freedoms of the employee which require the protection of personal data prevail.
The scope of possibilities is therefore broad, with employers able to implement a surveillance system for a purpose for which they would previously have been exposed to criminal penalties.
By removing the previous restrictions while referring to the legal grounds listed in Article 6 of the GDPR, the Luxembourg legislature seems to have given employers greater flexibility to resort to surveillance in the context of an employment relationship. However, this flexibility goes hand in hand with greater responsibility, as employers must be able to justify both the legal basis for surveillance and its conformity with the GDPR.
Specifics of employment relationships
While the processing of employee personal data will not generally pose any difficulties when it is necessary to execute an employment contract (eg, the calculation of remuneration) or fulfil legal obligations (eg, deduction at the source of income tax), employers must be particularly vigilant with respect to their legitimate interests and obtaining employee consent.
Employee consent
The previous Article L 261-1 of the Labour Code excluded employee consent from the legal grounds that justified the processing of personal data for surveillance purposes, stating that "the consent of the person concerned does not make the treatment implemented by the employer legitimate".
The new Article L 261-1 no longer provides for such an exclusion and expressly cites Article 6(1)(a) of the GDPR, which lists consent as a potential legal ground for data processing.
'Consent', as defined by the GDPR, can be invoked by employers only in exceptional situations and is unlikely to be considered valid in a supervisory context. Indeed, consent given in the context of personal data processing must stem from a clear positive act. The abstention or silence of the individual does not satisfy this requirement.(7)
Further, consent must be informed, specific, unambiguous and freely expressed. Thus, it must also be revocable(8) and based on a genuine alternative. This implies that employees should be able to refuse to be supervised or be entitled to withdraw their consent at any time without being exposed to harmful consequences, such as the exclusion of a benefit (eg, refusal of a bonus). More importantly, in such cases, employers should immediately cease surveillance.
Under the GDPR,(9) 'consent' does not constitute a valid legal basis for treatment where there is a clear imbalance between the data subject and the controller. However, an employment contract is characterised by a legal and economic imbalance resulting from the employee's subordination to the employer. The expression of free consent in the context of the employment relationship therefore seems to be compromised while the relationship of dependence is likely to influence the employee's choice to refuse or revoke their consent. For example, it is unlikely that a probationary client adviser would feel free to refuse the recording of professional phone conversations when the bank uses them to prove commercial transactions.
This does not mean that employers can never rely on the consent of employees for the processing of their personal data. However, they can do so only if this consent meets all of the criteria imposed by the GDPR and, more specifically, constitutes free consent.
In any case, recourse to consent as a legal basis for treatment should be a residual choice (ie, the employer can resort to it only if no other legal basis is likely to apply).
Legitimate interests pursued by employer or third party
When it is impossible to invoke the performance of a pre-contractual or contractual measure or the fulfilment of a legal obligation, employers often justify the use of surveillance in the context of the employment relationship on their legitimate interests or those of a third party.
'Legitimate interests' are not specifically defined by regulation and thus have a broad and relative meaning depending on the activities of the employer or third party. However, this legal basis must not be perceived as a catch-all and must be the subject of a thorough preliminary examination.
It is clear from Article 6(1)(f) of the GDPR that employers must systematically balance their legitimate interests with the interests or fundamental rights and freedoms of their employees (eg, respect for privacy and the right to confidentiality of communications). If the employee's interests or fundamental rights and freedoms prevail over the legitimate interests of their employer or a third party, surveillance is illegal. The preliminary task of comparing interests and rights and freedoms is therefore essential.
According to the GDPR, the interests or fundamental rights and freedoms of data subjects are analysed in light of the reasonable expectations that data subjects may have regarding the treatment of their data in relation to their relationship with the data controller. In other words, in order to determine whether the legitimate interests of an employer justify a supervisory measure, the latter must determine whether, at the time of collection and having regard to the employment relationship, the employee can reasonably expect their personal data to be subject to such surveillance. For example, it is reasonable for a jewellery shop employee to expect their employer to use video surveillance in the workplace.
Further, even where based on an employer's legitimate interests, surveillance operations must comply with all other GDPR requirements, including the obligations of loyalty and transparency and the principle of minimising data processing. Thus, only data that is relevant and limited to what is strictly necessary for the purpose of surveillance can be collected and processed.
Accordingly, employers cannot, under the pretext of pursuing their legitimate interests, implement disproportionate surveillance measures, such as the continuous video surveillance of employees.
In any case, employers must favour the least intrusive surveillance measures for the sake of employees' fundamental rights and freedoms wherever possible.
In view of the challenge of protecting employees' interests and fundamental rights and freedoms, the new legislation has maintained preliminary steps that employers must take before they can undertake employee surveillance.
Measures to take prior to surveillance
The abolition of the system of prior authorisations has not removed employers' procedural burden. In addition, the new legislation gives employees a right of inspection over their employer's supervisory system.
Prior information to be provided to employees and staff representatives
Like any other data controller, employers must provide certain information to employees before processing their data.
In the specific context of employment relationships, this prior information must also be communicated to the staff delegation or, failing that, the Labour and Mines Inspectorate.
This obligation to provide prior information at the individual and collective levels already existed under previous legislation; the novelty lies in the scope of the prior information, which has been expanded and calls for greater transparency regarding the envisaged surveillance device.
In addition to the minimum information set out in Article 13 of the GDPR, the preliminary information must now contain a detailed description of the purpose of the surveillance as well as the modalities of its implementation. More importantly, the information must contain a formal commitment from the employer that the data collected will not be used for a purpose other than that explicitly specified in the prior information.
This requirement of formal employer engagement is somewhat surprising in that, by virtue of the GDPR purpose limitation principle, employers are prohibited from using data for a purpose other than that for which it was initially collected. It will be interesting to see the weight which the CNPD and the labour courts give to this formal commitment in the event that an employer takes disciplinary action against an employee for behaviour detected through surveillance.
Companies to which a co-decision applies must still reach an agreement with their staff delegation if they plan to undertake surveillance based on one of the three purposes specifically referred to in Article L 261-1 of the Labour Code. A common agreement is also required in companies organised under a flexible working model where the surveillance is implemented within the framework of the work organisation according to the mobile schedule under the Labour Code.
Intervention upstream of CNPD: prior notice of compliance
Providing employees and their representatives with prior information is not just a formality. Such notification sets out the starting point for the procedure introduced by the new legislation, whereby the delegation of staff (or, failing that, the employees concerned) may submit to the CNPD a request for a prior opinion on the surveillance's legality.
The introduction of such a procedure, prior to the implementation of surveillance, seems to contradict the accountability of data controllers, which is a cornerstone of the GDPR.
The abolition of prior authorisation is supposed to be offset by employers' obligation to document the conformity of their processing so that its legality can be ascertained retrospectively in the event of a review.
By requesting the supervisory authority to assess the conformity of surveillance before its implementation, the Luxembourg legislature indirectly confers on it the power to approve the proposed activity.
If CNPD decisions do not bind employers, they will have a similar value and scope to that of a validation or an invalidation procedure. For example, how could an employer implement surveillance for which the CNPD has issued a prior notice of non-compliance, knowing that the same authority may, once the surveillance system has been implemented, impose high financial penalties against the employer for the irregularities mentioned in this prior notice?
In this respect, it is notable that the Luxembourg legislature has maintained the repressive measures established in the Law of 2 August 2002. Thus, any surveillance that contravenes the Labour Code would expose the employer to a correctional fine or even, for natural persons, imprisonment.
This effectively reinforces the value of the CNPD's advance notice of compliance, which from a theoretical point of view is not intended to bind the employer.
Notably, in addition to criminal penalties, employers are liable to administrative penalties (including fines) issued by the CNPD, as well as damages that employees may claim before the labour courts in case of prejudice established on their behalf.
Impact analysis
Employers wishing to undertake surveillance in the context of an employment relationship must evaluate whether to carry out an impact analysis beforehand.
The principle of accountability requires employers to demonstrate that their activities are consistent with the GDPR and the relevant national legislation.
Under Section 35 of the GDPR, any treatment whose nature, scope, context or purpose is likely to create a high risk for the rights and freedoms of individuals should be analysed for its potential impact on data protection. The involvement of the data protection officer, where one exists, is required.
It is difficult to determine whether an activity falls within the scope of Article 35 based solely on the criteria set out therein. The supervisory authorities of the member states have therefore been asked to prepare and publish a list of activities for which an impact assessment is required. The list published by the CNPD includes processing operations that consist of or involve the regular and systematic monitoring of employees' activities (provided that they produce legal effects for employees or significantly affect them) and those that consist of the systematic tracking of a natural person's location.
In addition, the former Article 29 Working Party defined a set of nine criteria to which processors can refer in order to determine whether an impact assessment should be carried out (including the use of new technologies and the processing of data of people qualified as 'vulnerable', as is the case for employees). Such an obligation is considered to arise when at least two of these nine criteria are met.
Further, the use of surveillance within an employment relationship based on new technologies will in theory require a prior impact assessment.
The abolition of employers' obligations to notify and receive prior authorisation from the CNPD to undertake surveillance in the context of an employment relationship has not reduced the burden on employers – rather, their obligations in this regard have increased.
While the CNPD's prior authorisation guaranteed a form of 'compliance in principle', each employer must now establish, evaluate and document their surveillance system's legality to lessen the risk of exposing themselves to significant penalties.
As the stakes are now far higher, employers must take special care to respect the rules in this regard.
Endnotes
(1) The Law of 1 August 2018 on the Organisation of the National Commission for Data Protection and the General Rules on Data Protection.
(2) Article 2(q) of the repealed law of 2 August 2002.
(3) Court of Appeal, Judgment 41245, 12 November 2015.
(4) Chamber of Employees, Opinion 7184/01, 5 December 2017.
(5) In particular, Opinion 2/2017 on data processing in the workplace.
(6) The Article 29 Working Party (now the European Data Protection Committee) was an independent European working group which dealt with privacy and personal data issues until 25 May 2018.
(8) Opinion 2/2017 on data processing in the workplace, Article 29 Working Party, 8 June 2017.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.
