November 21, 2023
Debt and Asset Recovery Legal Secretary
We are looking for an experienced Legal Secretary to join our busy and friendly Debt and Asset Recovery Team, based in Dublin 2. Responsibilities will include but are not limited...
On the 8th June 2017, the EU’s Article 29 Working Party published an Opinion which sought to provide guidance on data processing in the employment context. This Opinion was designed to cover the position under the EU Data Protection Directive, but also covers the changes brought about by the EU General Data Protection Regulation (“GDPR”) which will come into force on the 25th May 2018.
The key parts of the Opinion are as follows:
i) Legal Grounds for processing Employee Data
In order to process employee data lawfully, employers must comply with fundamental principles of data protection and ensure that there are legal grounds for the processing of employee data, such as the following:
The WP29 Opinion explicitly states that consent will not be considered a valid legal ground for the processing of employee data except in exceptional circumstances. This is because employees are seldom in a position to freely give, refuse or revoke consent given the dependency that results from the employee/employer relationship. In addition, the GDPR sets out the position that consent may only be relied upon by employers where that consent can be freely withdrawn by the employee, and where the employee will not suffer any disadvantage as a result.
iii) Social Media
In order for an employer to access a candidate’s social media account during the recruitment process, an employer is required to justify such processing with a legal ground for doing so, even where such an account is in the public domain. It is not enough to assume that the employer may process data on a candidate’s public social media account purely on the basis that the information is public.
Employers will also need to determine whether the social media profile is related to business purposes, such as a LinkedIn profile, or for personal purposes, such as a Facebook account. Candidates must be informed in advance that such screening will take place as part of the recruitment process.
In addition, the screening of social media profiles of existing or former employees should not be performed in the absence of a legal ground for doing so.
iv) Monitoring IT Use
The WP29 Opinion sets out that the monitoring by employers of employee email, internet use and phones may be used in the legitimate interests of the employer (or on the basis of one of the other legal grounds), but that employers must consider the proportionality of the measures taken and whether any additional or alternative measures could be taken to alleviate the resultant data processing. Employers also need to ensure that any monitoring in place does not cross the line from an employee’s IT use in a business context to their personal IT use.
The WP29 recommends a Data Protection Impact Assessment (“DPIA”) be undertaken by every employer prior to implementing monitoring technology, and ensure that acceptable use policies are drawn up with employee input. In addition, “Privacy by Design” should be implemented in every new monitoring technology introduced into the workplace to ensure that employee’s data is processed in the least intrusive method possible.
Bearing the above changes in mind, employers should consider the following steps:
For more information please contact Marc Fitzgibbon, Partner in our Employment Law Department.
Contact our office
Make an enquiry