In this post GDPR era, employers should be more aware of the restrictions on the processing of employees’ personal data and the need to respect their right to privacy. Employees’ do not lose their right to privacy as soon as they walk through the doors of their workplace but rather the right to privacy is enshrined in the Charter of Fundamental Human Rights and the European Convention on Human Rights. Data protection principles place stringent restrictions on the obtaining, recording and holding of personal information on individuals. These principles apply to employers as “data processors”. That said however, case law continues to demonstrate that employees’ do not have an absolute right to privacy, but rather a “reasonable expectation of privacy”.
A September 2017 judgment by the European Court of Human Rights, in which it overturned its lower court, is crucial to the understanding of European law with regard to employee rights to privacy in the workplace.
The case concerned an engineer, Mr Barbulescu, who was dismissed by his employer after using the company’s instant messenger system for personal purposes, after he was asked to set up the account for work purposes. The company stated that this was a violation of their internal regulations.
Mr Barbulescu failed to overturn the employer’s decision in the domestic courts of Romania, and the Chamber of the European Court of Human Rights (ECHR) in January 2016 upheld the court’s ruling, stating that the domestic courts had maintained an appropriate balance between the privacy rights afforded under Article 8 of the European Convention on Human Rights and the employer’s interests. This decision was appealed and the Grand Chamber of the European Court of Human Rights eventually overturned the decision.
The court ruled that the lower court had failed to take account of a number of key considerations, such as the notice period of the monitoring activity; the breadth and depth of the monitoring; the reasons for the monitoring; whether less intrusive methods could have been used; the consequences and impact of that monitoring; and adequate safeguards afforded to the employee as a result of the monitoring.
In practice this means that employers should review existing policies on monitoring employees’ communications. In light of GDPR requirements, policies should be explained to employees’ in respect of the processing of personal data. Such monitoring should explain:
- the scope and type of monitoring employed;
- the reasons such monitoring is deemed necessary; and
- the possible consequences of using results of the monitoring e.g. could data be used during a procedure that could result in the termination of a contract?
This is not a binding decision; however, it could well guide similar cases in the future. Employers would be advised to ensure their policies are up to date and reflective of current European law.
Article by: Marie Hynes, Associate Solicitor at Augustus Cullen Law Solicitors. Augustus Cullen Law is based at 7 Wentworth Place, Wicklow. If you would like more information on this topic, call +353 404 67412 or email firstname.lastname@example.org
19 November 2019