Italy, Luxembourg & the UK – Monitoring employees: biometrics, geolocation and other thorny issues
The monitoring of employees remains an interesting and difficult area of law. Large companies have to grapple with:
- Whether and when new technology – such as biometric and geolocation technology – can legitimately be used for employee management.
- The balance between using reasonable and proportionate measures to protect their interests, while still respecting the privacy of their employees.
- The differing obligations across the EU, given the overlap with employment law (such as the need to consult the works council in some cases) and the ability of Member States to adopt national data protection law on employee matters.
We consider these issues in light of decisions issued by the Italian and Luxembourg supervisory authorities and recent guidance from the UK Information Commissioner.
Italy – Enforcement by the Garante
The Italian supervisory authority, the Garante per la protezione dei dati personali (“Garante”), has taken action against an employer for the following three breaches:
A biometric alarm system
The company had installed an alarm system that was activated and deactivated by using employees’ fingerprints. This system stored biometric data, such as the employees’ fingerprints, jointly with their names, the environment in which access was enabled and the indication of the fingers used to activate/deactivate the alarm system.
The Garante decided that:
- the company processed employees’ biometric data without a proper legal basis as per Article 6 of the GDPR and an adequate privacy policy as per Article 13 of the GDPR; and
- the processing of biometric data was aimed at activating as well as deactivating an alarm system and was not necessary “for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law” (see Article 9(1)(b) of the GDPR).
Geolocation of employee’s smartphones
The company installed an application on some employees’ smartphones to locate them via GPS when they worked offsite. However, the application: (i) tracked the employees on a continuous basis; and (ii) collected the time and date of the geolocation detection. Some of these data had been stored since 2014.
The Garante decided this personal data had been collected in violation of the specific employment laws on remote monitoring and of the lawfulness and minimisation principles set out in Article 5 GDPR. In particular, under Article 4 of Law No. 300/1970, remote monitoring of employees may only be carried out: (a) for organisational and production requirements; (b) for work safety; and (c) for the protection of company assets. Even then, it can be carried out only with the agreement of trade union representatives or the Labour Inspectorate.
Video surveillance of the reception area
The company’s legal representative was able to use his smartphone to access a video camera installed in the reception area and, thus, see all the employees passing through that same area. Not only could he monitor them, but he could also admonish them using a speaker in the camera. It was also ascertained that access to the video surveillance system had been granted not only to the legal representative, but also to his wife, as owner of the subscription to the app installed on the smartphone, and to his two children.
The Garante observed that the company: (i) had not provided employees with a privacy notice regarding the camera, not even the short notice to be placed near the video surveillance area; and (ii) had not obtained any authorisation from trade union representatives or the Labour Inspectorate.
The Garante issued a fine of €20,000 for the breach of Article 114 of the Italian Data Protection Code and Articles 5(1)(a) and (c), 9, 13 and 88 of the GDPR.
Luxembourg – Enforcement by the CNPD
The principles laid down by the Garante mirror those in recent enforcement and guidelines by the Luxembourg supervisory authority, the Commission Nationale pour la Protection des Données (“CNPD”).
After onsite investigations on geolocation and video surveillance systems, the CNPD issued fines ranging from €200 to €12,500. The CNPD found violations of Article 5 of the GDPR – including the principles of: (i) data minimisation (Article 5(1)(c)); and (ii) storage limitation (Article 5(1)(e)). We consider the thematic findings below:
Avoid continuous and permanent surveillance
The CNPD considers that employees have the right not to be subject to continuous and permanent surveillance at the workplace, as that would create considerable psychological pressure for them. In compliance with the principle of proportionality, the controller must use the means of surveillance most protective of the employees’ private sphere and, for example, limit the cameras’ field of view to the area which needs to be filmed for the purpose pursued.
This in principle excludes surveillance cameras in places reserved for employees’ private use, such as canteens or kitchenettes, changing rooms, smoking areas, rest areas, etc.
It also means that monitoring aimed at securing an entry point to the building should not cover the reception personnel. The same applies to cameras filming checkouts, which should be configured in such a way as to ensure that employees behind the counter are not targeted.
This prohibition on permanent surveillance seems to apply even: (i) if there is no intention to monitor employees, but the layout of the cameras allows for such permanent surveillance; and (ii) if the images captured by the cameras are not recorded, but only transmitted in real time to a control monitor.
It is not acceptable for the controller to delegate its responsibility to comply with GDPR to its employees, by asking them to ensure themselves that they are not being filmed during working hours.
In certain cases, the risk to staff security may be so great that it takes precedence over the protection of their privacy. For example, since robberies in banking establishments are often accompanied by violence, it may be necessary for certain employees to be under permanent surveillance. However, to be proportionate the monitoring must be adequate, relevant and not excessive. Consequently, the cameras’ field of vision must not focus on a particular employee’s workstation. If this cannot be avoided, the employee’s face must not be visible (e.g. by using masking or blurring techniques).
Geolocation should only be used when necessary
Furthermore, an employer should only use a geolocation system if there are no alternative means of achieving the desired purpose that are less intrusive on privacy.
Using a geolocation system to permanently monitor employees is objectionable in principle. This is a disproportionate breach of their right to privacy in the workplace. In particular, employers do not have the right to monitor employees outside working hours (which includes days off, lunch breaks, journeys between home and work, medical examinations and weekends).
For this reason, the CNPD distinguishes vehicle tracking where the vehicle can be used for personal purposes and where it can only be used for work purposes. In particular:
- If the vehicle can be used for personal purposes, the employer must offer the employee the option of deactivating vehicle tracking outside working hours. The CNPD considers employees should be able to control the activation and deactivation of the geolocation system. Otherwise, employees would not know whether the system had been deactivated by the employer and could feel that they are being permanently observed, which could create considerable psychological pressure.
- On the other hand, if the vehicle is used exclusively for work purposes, the employer may permanently activate vehicle tracking.
In addition, the CNPD considers that processing data relating to speeding is disproportionate unless it is based on a legal obligation imposed on the employer.
Don’t keep data for too long
The CNPD has also suggested specific retention periods for this type of personal data:
- Geolocation information can only be kept for two months unless it is needed: (i) as evidence for the invoicing of services rendered to clients, in which case the maximum retention period is one year; or (ii) for working time verification purposes where it can be kept for up to three years. In the event of an accident, data may be retained if it needs to be disclosed to the judicial authorities.
- Video surveillance images can be kept for up to eight days. A controller may – exceptionally – keep the images for 30 days. A retention period longer than 30 days is generally disproportionate. In the event of an incident or offence, the images may be kept for longer and, if necessary, be communicated to the police or judicial authorities.
- If a data subject requests access to video surveillance images, the controller must keep those images (and provide them to the data subject), even if their retention period would otherwise expire before the end of the one-month deadline for responding to the data subject.
The UK – New guidance from the Information Commissioner
The UK data protection regulator, the Information Commissioner (“ICO”), issued guidance this October on lawful monitoring in the workplace.
The guidance is supported by research commissioned by the ICO that reveals over two thirds (70%) of people surveyed said they would find monitoring in the workplace intrusive and that fewer than one in five (19%) people would feel comfortable taking a new job if they knew that their employer would be monitoring them.
These findings are curious. The ICO includes a broad spectrum of monitoring activities ranging from monitoring clocking in/out times (which for some jobs is routine and unproblematic) all the way through to monitoring employees’ personal phones (which is exceptionally rare and potentially illegal). Arguably, these findings do not reflect the nuance in different monitoring activities.
The guidance itself is generally sensible and provides useful examples to help walk the line between legitimate monitoring and unlawful and disproportionate surveillance. The overall position is arguably more permissive than the position taken by some EU data protection authorities. However, the guidance contains the following points of note:
- Email monitoring involves special category data (“SCD”). All email monitoring exercises should be treated as involving the processing of special category personal data and so must have a special category processing condition. It is not clear if this is the right approach, e.g. where the purpose of the monitoring is not directed at special category personal data and measures are taken to avoid processing that personal data.
- Covert monitoring. There are very detailed and specific criteria for covert monitoring of employees, including that the employer must carry out a data protection impact assessment (“DPIA”) and should consider getting authorisation from senior management.
- Specific types of monitoring. It contains specific guidance on email and telephone monitoring, and CCTV usage. It also specifically addresses vehicle tracking (though is less prescriptive than the CNPD’s advice) and the use of vehicle dashcams.
- Biometric data. There is a specific section on biometric data, such as fingerprints, iris scanning, retinal analysis, facial recognition templates and voice recognition templates. The guidance focuses on the use of this technology for attendance monitoring, noting that a special category processing condition must be satisfied and a DPIA conducted.
The CNPD’s decisions are available here.
The ICO’s guidance is here.