The WP29 Opinion 2/2017 on data processing at work


Article 29 Working Party (WP 29), consisting of data protection authorities from all EU and EEA states and the European DP Supervisor, has recently issued an Opinion 2/2017 on data processing at work ("the Opinion").

Main highlights of the Opinion

The Opinion reiterates the position and conclusions of an earlier Opinion 8/2001 and working document WP55, inter alia that:

  • The employees' consent "is highly unlikely to be a legal basis for data processing at work, unless employees can refuse without adverse consequence";
  • Performance of a contract (e.g. employment contract) and legitimate interests can sometimes be invoked as legal basis for processing at work, "provided the processing is strictly necessary for a legitimate purpose and complies with the principles of proportionality and subsidiarity";
  • Transparency: employees should receive effective information about the processing, in particular, about any monitoring that takes place. 

Article 88 of the General Data Protection Regulation allows member states to, by law or collective agreement, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the context of employment. This Opinion is, therefore, meant to provide guidelines for the legitimate use of new technology in a number of specific situations in the context of an employment relationship and to detail suitable and specific measures to safeguard human dignity, legitimate interest and fundamental rights of employees. 

The GDPR introduces new obligations for data controllers, including employers:

  • Data controllers are required to implement data protection by design and by default. Thus, where an employer issues devices to employees, the most privacy-friendly solutions should be selected if tracking technologies are involved. Data minimisation must also be taken into account.
  • Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing itself, is likely to result in a high risk to the rights and freedoms of natural persons, the data controller must carry out a Data Protection Impact Assessment. Where the identified risks cannot be sufficiently addressed by the controller—i.e., that the residual risks remain high—then the controller must consult the supervisory authority prior to the commencement of the processing. 

The Opinion then describes and analyses a number of data processing at work scenarios in which new technologies and/or developments of existing technologies have, or may have, the potential to result in high risks to the privacy of employees. The scenarios examined are the following: processing during the recruitment process; processing operations resulting from screening of employees (e.g. employees' social media activities); processing operations resulting from monitoring ICT usage at the workplace as well as outside the workplace; processing operations relating to time and attendance; processing operations using video monitoring and surveillance; processing operations involving vehicles used by employees; the disclosure of employee data to third parties; international transfers of HR and other employee data. 

For each scenario examined, WP29 stated that employers should consider whether:

  • the processing activity is necessary, and if so, the legal grounds that apply;
  • the proposed processing of personal data is fair to the employees;
  • the processing activity is proportionate to the concerns raised; and
  • the processing activity is transparent. 

As nearly all companies have employees, the Opinion provides useful guidelines for any company working to implement the principles of the GDPR in its governance systems.