GDPR and employee privacy in the workplace

JUDr. Ondřej Preuss, Ph.D.
23. November 2023
Labour law

The GDPR has brought a number of changes to protect personal data. How should employers approach their obligations under the GDPR? And when and how can employees be monitored in the workplace? Find out in this article.

What the GDPR brings

The GDPR, or the new legal framework for data protection, haunts a lot of people, including businesses. The GDPR was created to protect the rights of European Union citizens, including employees, against unauthorized handling of their personal data to the maximum extent possible. In practice, however, it is more about consolidating and deepening the existing regulation. Moreover, the Czech regulation has always been stricter than the EU average, so it is not a revolution. Nevertheless, businesses should be careful, as the new regulation can be abused by competitors to make specific disclosures.

Businesses should first of all focus on adjusting their terms and conditions. They should create at least a basic internal directive on how to handle data, and they should also clearly inform their clients and employees about new rights under the GDPR, such as the right to be forgotten or data portability.


On the contrary, it is a myth that, without new explicit consent under the GDPR, it would no longer be possible to send marketing communications (e.g. email newsletters) to laboriously built client databases, and that it is not possible to collect, for example, employees’ birth numbers. In fact, marketing communications can be sent if the entrepreneur has obtained the contact information on the basis of a past order. In this case, however, customers must be able to opt out of receiving further marketing communications easily and free of charge. Similarly, employees’ birth numbers can also be collected, even without their consent. This is because the employer needs the birth number in order to comply with the reporting obligation to the employee’s health insurance company.

How to handle data under the GDPR

It is important to note that the employer must treat employees’ personal data as the employees’ property, which it only has on loan for certain pre-determined, statutory purposes. It can therefore use the data only for these purposes, such as calculating wages, communicating with the employee or evaluating cooperation (e.g. for the purposes of promotion or termination of employment). The employer must therefore take measures to prevent unauthorised access to personal data.


An unauthorised person is anyone who is not obliged to handle personal data. Thus, personnel files should be kept, for example, in locked cabinets, accessible only to authorised persons. Access to electronically processed files must be limited to a small number of employees, and all processing of personal data must be logged (a record kept), where processing also includes consultation. This is particularly the case for large companies that process hundreds of thousands of personal data (often very sensitive) and yet have no record of who, out of a possible 25 people, has accessed it.

For smaller employers, on the other hand, the problem may be that data is passed on in a completely informal way. For example, pay slips are often distributed in a way that lets employees read each other’s pay and bonuses. However, salary and bonus information is personal information that can provoke envy in others.


Is it possible to monitor employees in the workplace?

However, what is even more important for employees than the protection under the GDPR, which is generally rather overestimated, is the fact that the law provides that an employer may not, without a serious reason based on the specific nature of its activities, violate the privacy of an employee, not only in the workplace, but also in public areas, for example by subjecting the employee to overt or covert surveillance.


Nor is the protection of property automatically a ground justifying surveillance. However, if it is a workplace where, for example, frequent thefts occur or where compliance with a technological procedure needs to be checked, it is possible to monitor certain areas. However, there must be genuinely compelling reasons for doing so. For example, in a chemical plant, security is more important than privacy and the progress of an employee in the laboratory must be monitored. Recording can be used here. However, the same does not apply in an office or gym. In any case, monitoring should definitely not be secret.

If an employee does not agree to monitoring in the workplace, he or she should make his or her objections known to the employer. If the employer does not accept the objections and continues the monitoring, it would be possible to contact the State Labour Inspectorate or the Office for Personal Data Protection. Such unauthorised handling of personal data is punishable by fines of up to hundreds of thousands of euros. Moreover, if an employer has any evidence against an employee that was obtained illegally, it cannot stand up, for example, in a dispute over the validity of the dismissal of an employee “caught” by such a camera.


The employer cannot even look at the emails of its employees, even if they are sent and received with a work address. It can only look at them if there is a suspected breach of work duties. But even in this case, it can only check the subject line of the recipient, not the content. Even if it finds some misconduct in this way, it may not be valid evidence or a defensible reason to dismiss the employee.

There is, however, an interesting case in which the European Court of Human Rights dealt with a Romanian employee who was dismissed for excessive private chatting during working hours. He was in charge of customer support and his employer asked him to create an official Yahoo! Messenger account where he was tasked with responding to customer queries. However, the employee used it for personal purposes, and to no small extent.

The employer later began to suspect that something was wrong, but the employee denied everything in writing. The employer then produced a transcript of very personal erotic conversations. On this basis, the employee was given notice of termination, which he then sought to defend against in court. However, he was unsuccessful. The court acknowledged that personal rights had been infringed, but gave priority to the protection of the employer in this case. However, it is important to emphasise the words “in this case”, because this is not always so.

Employers have the right to control the use of their work resources, but they cannot arbitrarily invade the privacy of their employees. It’s pretty thin ice: a court might not always rule in favor of the employer. Particularly in the age of mobile devices, it is virtually impossible to supervise employees not to leave during working hours, which is why most employers today are moving away from strict prohibitions.


Author of the article

JUDr. Ondřej Preuss, Ph.D.

Ondřej is the attorney who came up with the idea of providing legal services online. He's been earning his living through legal services for more than 10 years. He especially likes to help clients who may have given up hope in solving their legal issues at work, for example with real estate transfers or copyright licenses.

Education
  • Law, Ph.D, Pf UK in Prague
  • Law, L’université Nancy-II, Nancy
  • Law, Master’s degree (Mgr.), Pf UK in Prague
  • International Territorial Studies (Bc.), FSV UK in Prague
