Data protection & privacy at the workplace
To keep companies informed of the most important developments on data protection and privacy in an employment context, Strelia’s Employment & Benefits Practice will share its insights into this subject with you through its Data Protection & Privacy at the Workplace Series.
To kick off this Series, we will discuss three interesting decisions that the Belgian Data Protection Authority (DPA) rendered in the first half of 2023. These decisions are impactful, and we advise every employer to bear them in mind.
1. Can employers announce an employee's dismissal on the company's intranet?
In its decision of February 17, 2023 (no. 14/2023), the DPA confirmed its position regarding how an employer should communicate about an employee’s departure from the company. This case concerned a dispute between an employee and his former employer (which is a public authority). The latter had announced on its intranet that it had terminated the employee on its own initiative and that the dismissal was immediate. The employee complained that the mentioning of the immediate nature of the dismissal implied that he would have committed serious misconduct. He asserted that the employer, in communicating this information, would have breached data protection legislation. The DPA found for the employee and ordered the employer to remove those mentions from the intranet. It also issued a warning to the employer, stating that the entity must not make communication of this type any more.
The DPA’s decision
The DPA analyzed first the actual announcement of the employment termination and then the employer’s mentioning of the immediate nature of the dismissal. The DPA examined these elements according to the principles of lawfulness and data minimization.
The DPA analyzed whether the information regarding the termination that the employer had disclosed was (i) necessary for the performance of a task in the public interest (since the employer is a public authority) and (ii) necessary for the performance of the employer’s task. To do so, it had to examine whether the employer could have obtained the same result without processing the employee’s personal data.
In this respect, the DPA concluded:
- if the data processing in question is part of an employment contract termination process, it would have been appropriate in the context of HR policy to inform employees about new hires and departures. In such context, announcing an employee’s departure is considered legitimate by the former employer.
- On the other hand, announcing on the intranet who initiated the termination as well as the mention of its immediate nature are not considered necessary. For this reason, the DPA concluded that the public authority employer breached the GDPR.
The DPA also held that personal data must be adequate, relevant, and limited to what is necessary for the purposes for which they are processed. The DPA considered that the information relating to the party who terminates the employment contract, and the mention of the immediate nature are not necessary at all for the purpose being pursued, which could have been reasonably achieved by another type of communication. Consequently, this principle is not respected.
After the DPA had rendered this decision, it reiterated its position again at the beginning of June 2023 in another decision. The DPA therefore seems to be firm about its point of view on this matter since it had already stated its reasoning on it in May 2022.
Key takeaways for employers
Employers are allowed to communicate about an employee’s departure but must :
- limit what they say when communicating about employee departure; and
- not mention or disclose any information regarding the immediate nature of any employee termination or the party behind the termination decision.
2. Do you use GPS tracking? Here’s what employers should keep in mind.
In this decision (no. 15/2023 of February 21, 2023), the DPA sets out a framework, based on the principles of lawfulness and transparency, for the lawful use of a GPS tracking system in an employee's vehicle. The case in question pitted an employee against his employer, a local authority. The employer, thanks to a GPS tracking system in the employee’s car, had noticed the fraudulent use of the clock-in /clock-out system, whereby the data showed that the employee had gone home, to his mother's house, to a café, and through various streets during his working hours. The employee was given a record of his movements and the clock-in and clock-out times. The employee asserted that he had no knowledge of the GPS tracking system, nor was the use of any GPS tracking mentioned in the internal rules and regulations. By the time the DPA had reached its decision on the matter, the employer had already updated its geolocation policy.
The local authority (the employer in this case) had indeed already adopted a policy in 2009 before the GDPR’s entry into force on May 25, 2018, and it had also issued a memorandum to all its workers at the time about its policy. However, the policy and the memorandum were not up to date at the entry into force of the GDPR.
The DPA’s decision
The DPA held that there must be legal grounds for the use of GPS tracking. Until 2021, the employer in this case had not stated the legal grounds for such use. It was only during proceedings before the DPA when the employer adapted its policy and decided that using GPS tracking was based on the principle of legitimate interest. However, the DPA considered that the legal basis of necessity for the performance of a task carried out in the public interest was more appropriate, given that the employer was a local authority. Furthermore, the legal basis of legitimate interest could be relied upon only by private entities or by public entities under strict conditions. In this case, the GPS tracking was intended to ensure the efficient management of limited public resources, namely the vehicle fleet, personnel, fraud prevention, and any abuse of services.
The DPA therefore held that interference with privacy in the case here was proportionate to the aim pursued. Moreover, the personal data processed concerned only business travel, which was carried out by means of a company vehicle and during working hours, and there was no other way for the employer to ascertain the purposes pursued.
The DPA held that the employer must communicate to the employees about the public interest pursued, the purposes, the nature of the data collected, and with whom the data is shared, and for how long. During the proceedings, and in the meantime, the local authority has updated their policies and met the legal requirements.
However, the DPA held that the employer did not, at the time of the GDPR’s entry into force, update its policy and that it had waited until the time of the proceedings to do so. As a result, between 2018 and up to 2021, the employer did not comply with the principle of lawfulness and transparency. The DPA therefore issued a reprimand against the employer.
Key takeaways for employers
The Employers can use a GPS tracking system, but must:
- justify the use of any GPS tracking by having a clear legal basis for it (i.e., a legitimate interest) ; and
- ensure that their policies comply with the transparency principle and the GDPR and are communicated to the employees.
3. Can employers disclose the name of an employee who has formally submitted a request for psychological assistance?
In this decision (no. 18/2023 of March 2, 2023), the DPA decided on the disclosure by an employer of an employee’s first and last names in a memo and letter that were displayed at the workplace. The memo and letter were part of the employee’s formal request for psychosocial assistance. As you may know, a formal request for psychosocial assistance is submitted to the external prevention advisor. It consists in asking the employer to take measures that offer a solution to the applicant's psychosocial issues. As part of this procedure, the employer mentioned in a document, which was displayed on the workplace wall, the first and last names of the employee who had submitted this request.
The employer justified its action by stating that it was obliged to publish the external prevention advisor’s recommendations and the public nature of the request for assistance.
The DPA’s decision
The analysis of the employer’s arguments
Regarding the obligation to publish the external prevention advisor’s recommendations, the DPA held that there is no legal obligation for the employer to publish the collective or individual measures issued by the external prevention advisor. Moreover, when reading the memo, it is clear that the employee’s name was provided for information purposes only.
As for the public nature of the origin of the request for psychosocial assistance, the DPA points out that personal data, such as first and last names, even if made public, are still personal data and must be treated as such.
The DPA examined whether the employer could have relied on the principle of legitimate interest. But it turns out that although the displaying of the memo pursued a legitimate aim (i.e., to inform personnel of the external prevention advisor’s opinion and to defend the reputation of the employer), it was not necessary to include the employee's first and last names. The purpose could have been achieved without such mention.
The employer therefore breached the principle of lawfulness since its display of the memo had no clear legal basis. The DPA ordered the employer to delete the employee’s first and last names and warned the employer that this type of disclosure of information, mentioning a staff member's first and last names without any legal basis, could constitute a breach of the principle of lawfulness.
Key takeaways for employers
Regarding psychosocial assistance, employers should:
- be careful when disclosing the recommendations from the external prevention advisor and should comply with the Belgian Wellbeing Code; and
- not publish the first and last names of the employee at the start of the request for assistance, even though the name of that person is well known.