Control measures: duty to provide information and transparency

The Data Protection Agency recently completed five inspections focused on employers’ duty to provide information when using control measures towards employees.

Norrbomvinding 10237

It is stated in the General Data Protection Regulation that, no later than at the time of collection, data controllers must inform data subjects of, among other things, the purpose of the data processing, the legal basis for the processing and, whenever possible, the length of time the data will be stored. The duty to provide this information is linked to the GDPR principle of transparency, which includes a requirement that data subjects have easy access to detailed information about the processing of their personal data.

In August 2020, the Data Protection Agency completed five written inspections, all of which focused on the employer's duty to provide information to employees about control measures used towards the employees. All five inspections gave rise to criticism from the Agency, and in three of the cases the Agency even expressed serious criticism of the employers' processing of personal data.

The serious criticism from the Agency concerned, among other things, the lack of clear information about the purpose of the processing of the employees’ personal information. For example, one employer had not sufficiently informed its employees of a number of measures, including access to the employees’ emails and the use of video surveillance, which the employer could use for control purposes in relation to the employees.

In addition, the Agency criticised the lack of information regarding the employers’ legal basis for processing employee data as well as the categories of information collected for control purposes. Thus, the recurring theme of the inspections was whether the employees had received sufficient information and whether they had easy access to that information.

Norrbom Vinding notes

  • that the Agency’s very detailed decisions emphasize that employers should be diligent in informing employees about measures that allow the monitoring of employees and, to the greatest extent practicable, ensure that the information required by articles 13 and 14 of the GDPR is given to employees in an easily accessible form.

The content of the above is not, and should not be a substitute for legal advice.

More about the subject