01 May '20
In these times of crisis, one of the most important changes is the mass working from home. Early this morning, on Labor Day, , a message appeared (a little hidden in a NOS live blog) that employers are buying and installing "spy software" en masse, in order to be able to follow their employees at home. A good time to write a short blog: is that allowed?
Monitoring employees is, in principle, not prohibited, but strict conditions apply and therefore, possibilities are limited. Covert peeking is usually not allowed. The monitoring of employees often involves the processing of personal data. The General Data Protection Regulation (GDPR) and related privacy legislation apply to this. Furthermore, art. 7: 611 of the Dutch Civil Code is important: employer and employee will behave as good employers resp. employees. This includes respecting the employee's privacy and private life. Below, we provide a brief overview of the options and conditions for the control of employees who work from home. We leave aside the (employment law) question of what could possibly be done with the outcome.
The employer must have a legitimate interest (read: a legitimate reason) to monitor employees through a personnel tracking system. This interest must outweigh the privacy interests of its employees. One of the most important questions to be asked is: is it necessary to monitor employees in this way? Are there other, less drastic ways to achieve the purpose in question? This has to be assessed on a case-by-case basis and may lead to a negative outcome in this context. As a rule, it will perhaps suffice to 'anonymously' monitor computer use (first). An employer is more likely to have a legitimate interest if there are strong indications that a home-based employee does not perform his or her work for no good reason. A follow-up question may then be whether it would be better to ask the employee for clarification in a conversation, or whether (secret) monitoring is still necessary in this case. Trust is always paramount. It is also important to note that it is currently accepted that employees should also be able to spend some time on private matters during working hours. Want to "Facebook" for a while? Sure, if in moderation. In addition, some view having more breaks while working from home and taking a shorter working day as important or completely normal.
If the employer has this test , it is important to inform employees about the fact that checks are being carried out or can take place, as well as about the rules that the employee must observe. In the context of the GDPR, it is important to also inform the employee about which personal data are processed, how long they will be stored, what the employee’s rights are, etc.. This could be done, for example, through the personnel handbook or a privacy statement for employees, and is very important in the context of the lawfulness of employee monitoring. In short, covert monitoring is only permitted if there is a reasonable suspicion of, for example, theft or fraud, and may only be incidental. Therefore, we believe that it is generally necessary to provide clear information about the (possibility of) control prior to the use of espionage software.
Monitoring should be limited to what is necessary for the purpose in question. Therefore, as an employer, you should set the boundaries well in advance. Also, you should ensure that only a limited number of authorized persons can view the data obtained from monitoring. An employer should also refrain from viewing messages (e.g. email) that have been marked as private. While not a fully perfect solution, it can help employees and employers if an employee creates a “Private” folder in his / her email box. And, how often is monitoring really necessary for the purpose in question? The following is also important here.
When going through the aforementioned test, the employer must take into account what exactly the software in question does. If only screen time is measured, the test will easily be passed if - as stated in the aforementioned message on nos.nl - screenshots are made of open web pages every so often, as this also means that there is a much greater chance that (more) personal data will be processed or private information will be collected. It is highly questionable whether this is not a disproportionate infringement of the privacy of employees. The news report also mentions taking photos of the employee, which definitely seems to be a bridge too far to us. Software supplier agreements Of course, good agreements must also be made with the software supplier: a processing agreement will usually be required. Employers should also pay attention to the supplier’s privacy policy and should keep in mind that customer data / sensitive data are potentially being processed by using the espionage software. Therefore, your external privacy policy may also need to be updated.
Can an employer not just simply ask for consent during this time of crisis? No, in order to be able to process data on the basis of consent, consent must be freely given. We have already written a bit more about it this week, but in short it is assumed that there is no possibility to give "free consent" in an employment relationship.
Depending on the degree of monitoring, a Data Protection Impact Assessment (DPIA) might have to be carried out before the employer can deploy the software. This is also relevant for accountability under the GDPR; in any context, we recommend that you report on the aforementioned test and keep the report. Furthermore, an entrepreneur will first have to ask the works council for their consent before introducing "peeping software" or a comparable control system (personnel tracking system), but also if a work-from-home protocol is introduced or adjusted.
Monitoring is usually possible, but within certain limits and under strict conditions. Before you, as an employer, purchase software, we recommend applying the aforementioned assessment and documenting this analysis properly. As stated, it will often be sufficient to collect "anonymous" data, while only conductingmore extensive research if there are suspicions of a violation of the work-from-home protocol. The wish to monitor more during this crisis situation is understandable, but at least keep the use of "peeping software" within limits. If you use this software - with due observance of the aforementioned - please also adjust your privacy policy where necessary and send it, including the work-from-home protocols, to the employees once again.
Need help? Our team of privacy and employment law specialists is happy to assist you. Please contact us via the details listed in the sidelines or via privacy@ploum.nl.
11 Nov 24
14 Oct 24
13 Oct 24
07 Oct 24
13 Aug 24
13 Aug 24
04 Jun 24
13 May 24
02 May 24
08 Apr 24
04 Apr 24
21 Mar 24
Met uw inschrijving blijft u op de hoogte van de laatste juridische ontwikkelingen op dit gebied. Vul hieronder uw gegevens in om per e-mail op te hoogte te blijven.
Stay up to date with the latest legal developments in your sector. Fill in your personal details below to receive invitations to events and legal updates that matches your interest.
Follow what you find interesting
Receive recommendations based on your interests
{phrase:advantage_3}
{phrase:advantage_4}
We ask for your first name and last name so we can use this information when you register for a Ploum event or a Ploum academy.
A password will automatically be created for you. As soon as your account has been created you will receive this password in a welcome e-mail. You can use it to log in immediately. If you wish, you can also change this password yourself via the password forgotten function.