(Reading time: 2 - 3 minutes)

workplace monitoring

An employee still has right to privacy, even in their workplace. But there is of course a balance between the privacy of the employee versus the legitimate interests of the organization to protect itself from any insider threats or questionable actions of employees that could result in high risks for the organization and/or data subjects.


WP29 / EDPB & their role in the GDPR

Simply put: all the Data Authorities in the EU come together and have meetings and collectively call themselves WP29 - Working Party 29. Nowadays they’re called EDPB which stands for the European Data Protection Board. Back when they were still known as WP29 they provided (among many other things) guidance on what information employers should provide employees with regards to monitoring.

What information should employers provide employees?

  • The company email and internet policy should describe in detail the extent to which employees may use communication facilities owned by the organization for personal and/or private communication. For example, any limitations of the amount of time or duration of the use, etc.
  • Reasons and purpose for certain surveillance (if applicable).
  • If the employer has allowed the use of company devices for express private purposes, those private communications may (under very limited circumstances) be subject to surveillance. For instance, if an organization would need to check the security of the information system and for other ransomware prevention.
  • Any details about the who, where, how and when need to be explained
  • Any information about enforcement procedures that outline about how and when employees will be notified of breaches of internal policies and given the opportunity to respond to any claims made against them.

Specific guidance with regards to email monitoring

  • The arrangements in place to access the contents of a worker’s email, for example when the worker is unexpectedly absent. And specifically, for what purposes access could / would be needed.
  • The storage period (retention period) for any backup copies of messages
  • Information about what happens to emails that are definitively deleted from the server and what emails may not be deleted.
  • What if any involvement of worker’s representatives in formulating the policy

Specific guidance with regards to internet monitoring

  • Clear description of conditions about when private internet use is allowed
  • Clear description of material that cannot be viewed or copied
  • Clear description of material that cannot be downloaded
  • Information regarding certain systems that prevent access to certain sites and to detect misuse (example: software that can detect a large number of downloads of files onto pc or external device)
  • It must be made clear on what level these monitoring takes place. Whether it’s on an individual level, department level or organization-wide.
  • It must be made clear if there is any kind of recording/logging of sites viewed by the individual and in which circumstances this would happen.
  • What if any involvement of worker’s representatives in formulating the policy