Thoroughly knowledgeable,
very pragmatic and

Chambers Guide


Keep up to date with our latest insight pieces, news and industry developments. See below for the latest posts or use the categories to hone your search for stories of interest.

Rather listen? The WABChats Podcast provides engaging and informative conversations with contacts, clients, advisors and friends of White & Black Limited. Listen Now.

Data Processing at Work

The Article 29 Working Party considers the impact of the GDPR and the changing face of technology as it refreshes its guidance for data processing in the workplace.

In their latest Opinion 2/2017 (Opinion), the Article 29 Working Party (WP29)- tasked by the European Commission to provide independent advice on data protection matters – has built upon its previous opinion (Opinion 8/2001) on data processing in the workplace, providing updates in light of the implementation of the GDPR and identifying how new changes in technology have altered the dynamics of the employer-employee relationship.

Firstly, the Opinion highlights the difficulties faced in balancing the legitimate interests of the employer with the reasonable expectations of privacy for employees. As the employer-employee relationship is fundamentally imbalanced, employees cannot be expected to be able to give free consent.

The Opinion states that because of this imbalance an employer must rely on other justifications when processing personal employee data such as legitimate business interests. When relying on legitimate business interests as a justification of data processing the Opinion recommends that employers comply with established data protection principles, such as those set out in the Data Protection Directive (DPD) – for instance proportionality.

Secondly, the Opinion considered the risks posed by new technological advances and their implementation in the workplace. The main risks in this regard were identified as the potentially invasive yet low cost data processing technologies which have become pervasive as a result of the widespread use of smartphones, wearables and schemes such as ‘bring your own device’ policies, carrying with them the risk of potential tracking or wrongful monitoring of personal employee data, even outside the workplace.

In addressing these risks, WP29 have reaffirmed the current law as set out in the DPD whist mapping out the additional obligations employers will have to comply with following the implementation of the General Data Protection Regulation (GDPR) in 2018.

Under the GDPR however, employers, in their capacity as data controllers will have to carry out a data protection impact assessment in order to ascertain whether the use of a new technology will likely result in a high risk to the rights and freedoms of employees.

This is also complemented by the ‘data protection by design and default’ position adopted by the GDPR, whereby the most privacy-friendly solution should be selected where location and data tracking is concerned.

The Opinion reiterates that, regardless of the data collection medium, employers should only collect employee data when it is not only proportionate to the risks that the employer faces, but the collection should be necessary, for a real and present interest and conducted in a lawful, articulated and transparent manner.

Finally, WP29 offers practical guidance to employer when using new technologies in a workplace context, such as the inspection of social media profiles of both current and prospective employees, the monitoring of ICT usage, monitoring of employees outside of the workplace through mobile devices, vehicle and location tracking, and the disclosure of employee data to third parties.

 WAB Comment:

The Opinion offers no real surprises in regard to the approach employers should be taking when it comes to the processing of personal employee data. Nevertheless, it serves as a welcome updated refresher on previous guidance, offering employers practical directions when dealing with the challenges created by new and emerging technologies in the work place and reminding them of their enhanced obligations under the GDPR.

Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.

This site uses cookies to improve your user experience. By using this site you agree to these cookies being set. To find out more see our cookies policy