DP News – Week 42. Developments in the employee monitoring sphere.

On 12 October, the UK’s ICO published draft guidance “Employment practices: monitoring at work”. As the ICO explains, while “the UK GDPR and the DPA 2018 do not prevent monitoring”, “the draft guidance aims to provide practical guidance about monitoring workers in accordance with data protection legislation and to promote good practice”.

The guidance is further supplemented by the “impact scoping document”, the purpose of which is “to provide a high-level outline of some of the context and potential impacts of the draft guidance” – for employers, workers, ICO itself and the society at large. Later on, ICO expects to transform this document into a more detailed impact assessment.

The public consultation on the draft guidance and draft impact assessment will remain open until 11 January 2023.

In the guidance, ICO reiterates that “any decision to monitor workers should involve a careful balancing between the business interests of an employer and the workforce’s rights and freedoms in relation to their personal data”. Altogether, the guidance covers general and specific considerations of employee monitoring, touches on automated decision making and the processing of biometric data for time and attendance control and monitoring.

Interestingly, the guidance covers the international data transfer aspect, mentioning that “if you are sending [employee] personal data to someone employed by you or by your company or organisation, this is not a restricted transfer. The transfer restrictions only apply if you are sending personal data outside your company or organisation”. This might be taken as the next logical step in the development of the position taken by the EDPB in its Guidelines 05/2021 (see paragraph 14), according to which there will be no international data transfer in those cases where an employee travels to a third country for a meeting and then gets an access to the personal data processed by employer. ICO makes the next logical step and factually says that there will still be no international data transfer in those cases, where an employee permanently sits in a third country (literally, ICO does not distinguish between those two scenarios).

Employee monitoring has also recently been brought to limelight in the Netherlands where a remote employee of an U.S.-based company was dismissed for the refusal to activate his webcam during the entire workday. Zeeland-West Brabant court in Tilburg decided in favour of the ex-employee, stating that “instruction to leave the camera on is contrary to the employee’s right to respect for his private life” and citing Article 8 of the European Convention on Human Rights.