HR Compliance
GUIDE in compliance with the recommendations of the DPA:
Should your business seek to comply with <law-in-business> regarding the use of an Employee Productivity Logging Tool (software), while ensuring legal specifications and licensing? Below you can find some basic guidelines and recommended policies:
National Data Protection Authority (DPA)
- Decision 34/2018
“…The Business should bring to the attention of the Business an easy to understand, clear and accurate statement of the Surveillance Policy and Procedures. In this context, the European Court of Human Rights in its judgment of 05-9-2017 in case Barbulescu v. Romania (op. cit.) held in a broad composition that the worker’s right to privacy under Art. 8 ECHR in a case where the employer monitors the employee’s electronic communications, without having been informed beforehand both of the possibility of such monitoring and of the circumstances in which such monitoring is carried out (purpose, nature, extent, degree of restriction of the individual right), which must be the last resort in order to achieve the objective pursued.
…It directs the company … to recommend that the company … ensure that it draws up and implements internal rules for the proper use and operation of the information and communication equipment and network by employees (data subjects), the content of which should include, inter alia:
A. Acceptable Use Policy for corporate computers (or other related equipment), corporate communications network (or other related infrastructure) and corporate e-mail accounts, as well as the relevant conditions, terms and procedures. If the use of the corporate computer for personal use by employees is prohibited, consider the possibility of granting the use of digital storage space for personal use, to which the employer is not permitted access.
B. A policy on access and control of company computers (or other related equipment) used by employees that describes, at a minimum, the following:
i. the relevant purposes (justifiable reasons) for access and control, subject to the principle of proportionality,
ii. the nature and extent of the control,
iii. the procedure, method and conditions for access and control, both in the presence and in the absence of the worker,
iv. the procedural guarantees relating to access and control, in particular with regard to ensuring and proving its correctness and objectivity, and the presence or absence of the worker,
v. the way in which the worker is informed of the findings of the check,
vi. the procedure to be followed after the completion of the check, whereby any personal data on the findings are processed in order to achieve the purposes of the check and the information to be given to the worker,
vii. the procedure and conditions under which it is possible to avoid access to and control of all stored records, data and information by adopting another, less burdensome, method,
viii. prior notification to employees of the possibility of access to and control of the company computers (or other related equipment) they use and of the cases in which they may be exempted from the obligation to provide information, subject to the principle of proportionality,
ix. the possibility for employees to seek redress as provided for in the legislation.
The DPA also recommends that the company “… ensure that it takes appropriate organisational and technical security measures for its information system pursuant to Art. 10 par. 3 L. 2472/1997.”
- Decision 26/2019
In the case of a complaint against a company:
“…the Authority requested clarifications from the company regarding the reported installation by the company of a control and monitoring system for the means of communication and electronic equipment provided to its employees (time of start of operation of the system, technical characteristics-capabilities, software specification, written internal documentation on the operation of the system, etc.)”
The company complained against claimed, inter alia:
“…v. That the company does not monitor the communications of its staff, whether by telephone or electronically, that the minimum possible information sufficient for the operation of the systems in question is recorded, while providing the Authority with relevant information on the use of software concerning the installation of a digital certificate for the connection of telephones to the corporate network, on statistical data applications, on the use of software ensuring the secure sending of electronic messages, on the use of DLP, antivirus and antimalware software (the principle of data minimization to subjects) … the company provided a number of internal policies in the context of the organization of internal compliance, requested by the Authority during the hearing (accountability).”
…………………………. Business Lawyer
Summing up…
The general spirit of the interpretation of the provisions is as follows:
The satisfaction of the legitimate interest pursued by the employer may consist, inter alia, in the employer’s exercise of the managerial right, from which the concomitant duties of loyalty and of providing information to him derive, as well as the control of leakage of know-how, confidential information or commercial and/or business secrets. In particular, such a legitimate interest may consist of:
the employer’s need to ensure the proper functioning of the business by establishing mechanisms to control employees, as well as its need to protect the business and its property from significant threats, such as preventing the transmission of confidential information to a competitor or ensuring confirmation or proof of criminal actions by an employee.
However, employees should be informed in advance by the data controller employer in a suitable and clear manner of the introduction and use of control and monitoring methods at the stage of collection of their personal data, the supervision of their work, the purpose of the processing of their data and other information necessary to ensure fair and lawful processing.
Other decisions and newsletters mention that providing demonstrable training to staff on how to process and use personal data lawfully in the workplace is a powerful measure that works in management's favour and strong evidence that they are cultivating and operating in the spirit of adherence to the GDPR. It is good to have such actions in place!
Thus, the better a company is prepared to adopt the policies mentioned above, the more protected it will be from the risk of legal shortcomings. Everything is judged on a case-by-case (ad hoc) basis, with the DPA invoking and examining compliance with the principles of proportionality and necessity of the measures adopted!