The Data Protection Agency recently completed five inspections focused on employers’ duty to provide information when using control measures towards employees.
It is stated in the General Data Protection Regulation that, no later than at the time of collection, data controllers must inform data subjects of, among other things, the purpose of the data processing, the legal basis for the processing and, whenever possible, the length of time the data will be stored. The duty to provide this information is linked to the GDPR principle of transparency, which includes a requirement that data subjects have easy access to detailed information about the processing of their personal data.
In August 2020, the Data Protection Agency completed five written inspections, all of which focused on the employer's duty to provide information to employees about control measures used towards the employees. All five inspections gave rise to criticism from the Agency, and in three of the cases the Agency even expressed serious criticism of the employers' processing of personal data.
The serious criticism from the Agency concerned, among other things, the lack of clear information about the purpose of the processing of the employees’ personal information. For example, one employer had not sufficiently informed its employees of a number of measures, including access to the employees’ emails and the use of video surveillance, which the employer could use for control purposes in relation to the employees.
In addition, the Agency criticised the lack of information regarding the employers’ legal basis for processing employee data as well as the categories of information collected for control purposes. Thus, the recurring theme of the inspections was whether the employees had received sufficient information and whether they had easy access to that information.
The content of the above is not, and should not be a substitute for legal advice.
Access to work emails? Can a request to access data be too extensive?
Under the GDPR, a data controller must provide a data subject with access to all personal data which the data controller processes about him or her, if the data subject requests it. However, the data controller may refuse to act on such a request if, for example, the scope of the request for access is excessive.