Privacy and the working relationship. The European Supervisory Authority Guidelines
By Damiana Lesce, Valeria De Lucia and Paola Lonigro
Under article n. 267 of June 15, 2017, the Italian Personal Data Protection Authority rejected the request of an employer to process the personal data of its employees in compliance with the terms of a commercial contract, whereby the employer undertook to notify its clients of the names of its employees with criminal records.
– RIGHT TO RESPECT FOR THE PRIVATE LIFE, LIBERTY AND DIGNITY OF THE WORKER. Every worker has the right to have his private life, freedom and dignity respected; every worker must be adequately informed, in a clear, simple and exhaustive manner, about how personal data are treated.
– BALANCE BETWEEN CONTROL AND PURPOSE. Each treatment must be proportionate to the purpose pursued, and the use of personal data must be as limited as possible. For example, geolocation tools can be used strictly for business purposes, and the worker must have the possibility to disable the locator.
– EMAIL AND INTERNET CONTROLS. It is legitimate to introduce tools and technologies to reduce the risks of computer attacks and the spread of confidential information, but you cannot spy on employees’ mail or their internet browsing.
– SOCIAL NETWORK. Any consultation or monitoring of social networks should be limited to professional status, excluding the private lives of employees or candidates for recruitment.
– PRIVATE SPACE ON COMPUTERS AND CLOUD SERVICES. To encourage the correct use of corporate tools and policies while respecting the privacy of employees, Data Protection Officers invite employers to dedicate, for example, Wi-Fi connection areas and to define reserved spaces on computers and smartphones, cloud and e-mail, where documents can be stored or personal communications can be made, and which are not accessible to the employer except in absolutely exceptional cases.
– WORKERS’ CONSENT IS NOT SUFFICIENT TO LEGITIMIZE TREATMENT. To be considered valid, consent to treatment must be voluntary. Therefore, it will not be enough for companies and public entities to acquire employee consent for the processing of their data. Data Protection Officers suggest resorting to common normative or contractual arrangements that are balanced against workers’ rights and freedoms. Apart from being voluntary, the consent must of course be informed. Once again, then, corporate policies remain and will be important.