Employee Privacy Rights in Belgium: Are You Ready?
After a somewhat slow start, the General Data Protection Regulation (GDPR) is now more alive than ever. It has moved from being that new buzzword legislation with those extremely high fines to a real-life challenge that ranks high on organizations’ risk radar.
Individuals have started to exercise their GDPR-related rights, the Belgian data protection authority (DPA) has started investigations and the DPA’s Litigation Chamber is more active than ever. The Litigation Chamber’s decisions, which can be found on the DPA’s website (NL / FR), help us to understand how GDPR requirements should be put into practice, as do the judgments of the Belgian Market Court (NL / FR), which is the court of appeal for GDPR-related litigation.
The GDPR is all about rights and obligations. “Consent” and the “right to be forgotten” are the concepts that everyone seems to remember, but the GDPR is much more than that. In many cases, these concepts do not even apply, which makes GDPR-related discussions even more confusing.
GDPR in the HR context
The HR context is a good example of an area where such confusion often arises. Imagine an employee who has just received his yearly performance review, and imagine that the review was not good at all, for the second year in a row. A third bad review could mean reorientation, or even dismissal. Now imagine that this employee goes to HR asking for his performance reviews, or at least the last two, to be removed from his employee file, because “he has the right to be forgotten.” How should you react?
Or imagine another employee refusing to use his badge when leaving the building to smoke his seventh cigarette of the day, because “you are monitoring his behavior” and “he never gave his consent for you to do that.” How should you react?
Or just imagine either of these employees asking you to show them the notes you made about them during the last management meeting in which their behavior and attitude were discussed, because they wish to “exercise their right of access” and are “entitled to see it all.” How should you react?
HR departments struggle with this kind of question quite frequently. Add the question of whether you may store the CV of a job applicant, or access the mailbox of an ex-employee, and you have some of the most frequently asked GDPR questions related to both ends of the employment relationship.
While GDPR compliance is very nuanced and requires you to document every step, there is a way to get a solid initial idea of your GDPR compliance position. While it cannot be compared to an in-depth legal analysis, carrying out the following high-level assessment will stand you in good stead. It is based on three questions: (1) Do you have a solid legal basis? (2) Have you been transparent about what you are doing? and (3) Is what you are doing proportionate to why you are doing it?
Solid legal basis
The processing of personal data is not lawful unless it has a solid legal basis. Whereas the list of possible legal grounds is already limited, these grounds are even more reduced in the HR context, where you basically have only three options: (a) entering into or executing the labor agreement; (b) complying with a legal obligation or (c) the employer’s legitimate interests.
If you know that rights of individuals are directly linked to the legal basis, and if you realize that consent is not mentioned in the above list, you will understand why the abovementioned “I never gave my consent to do that”-discussion can cause more than a little confusion.
Indeed, consent is, in general, not considered to be a valid legal basis for the processing of employee data because of the very stringent requirements for valid consent: it has to be freely given, specific, informed and constitute an unambiguous indication of an individual’s wishes. Due to the imbalance between the position of employer and employee, consent can hardly be “freely given.” Or, in other words, the employee often doesn’t really have an option to say “no”.
While there might be situations where the employee does have a real choice, using consent as the go-to legal basis is an absolute no-no in the HR context, as was demonstrated by the €150,000 fine imposed by the Greek data protection authority on one of the Big Four consultancy firms for relying on consent as the legal basis for the processing of employee data. The processing of the data was not per se unlawful, but processing it based on consent (instead of, for example, necessity to execute the labor agreement or complying with a legal obligation) was.
Transparency
European privacy rights saw the light largely as a reaction to the covert monitoring of individuals and the complete lack of privacy under the Nazi regime, and it is against that backdrop that privacy, and a few decades later the protection of personal data, became fundamental rights. Knowing who knows what about you and what they do with that information is key, also in the HR context.
This is when questions like “What notes and comments are in my employee file?”, “What did manager X or colleague Y say about me?” and the abovementioned “I am entitled to see it all”-discussions come into play.
“We cannot give you that information, because X and Y also have a right to privacy”, was the standard reply that many organizations used to deny such access.
In its Decision 70/2020, the Belgian DPA confirmed that the right of access should indeed not adversely affect the rights or freedoms of others, but added that such considerations should not result in a refusal to provide the requested information. In other words, it is indeed the employer’s responsibility to anonymize information and/or delete personal data of other persons where required in order to protect their GDPR rights, but these GDPR rights cannot be used as a reason not to provide access to the employee file in a timely manner.
Another decision that is relevant to the HR context is Decision 15/2021, as it paints a good picture of how an employee’s access request can be pushed to the limit.
A former employee requested a copy of all his performance reviews, a copy of all the pictures in which he appeared (pictures taken at corporate events, pictures on the intranet, etc.), a copy of all the emails in his inbox, a transcript of every comment about him in his employee file, and a copy of all IT log entries related to him.
The Litigation Chamber confirmed that the information should not be an exact copy of the original documents as they might contain personal data related to other individuals, but again underlined that there is no reason not to provide the requested information after appropriate anonymization. And the Litigation Chamber even added a takeaway: everyone making notes in an employee file should be aware that the employee in question can always request access to such information.
While in this case the Litigation Chamber agreed that the protection of trade secrets was a good reason not to provide a copy of all the emails, it should be noted that it did not agree with denying such access based on the fact (i) that the employee had access to his own emails and, thus, already knew what was in those emails, or (ii) that the rights of senders or addressees could be harmed (as these data could be anonymized), or (iii) that the secrecy of electronic communications protects the emails from having to be disclosed (as the employee was a party to these communications).
In this case there was no proof that pictures existed in which the employee could be identified, but one could imagine how, for example, team building pictures on the intranet could become an issue in a similar type of litigation. Does your organization have such pictures?
Furthermore, providing a copy of all IT logs was, in this case and under these specific circumstances, considered a disproportionate effort for the employer.
Proportionality
There are a number of GDPR principles, with well-sounding names like purpose limitation or data minimization, but meeting these principles is always somehow linked to meeting the proportionality test: is the processing of the data proportionate to the purpose(s)? For example, it is the proportionality test that determines the appropriate retention time for a CV, what information you can put on an employee badge, and whether you can use the email address of former employees or obtain access to their emails for business continuity purposes.
While there is rarely a one-size-fits-all for GDPR compliance, regulatory guidance at least gives organizations an indication of how to apply the proportionality test in certain circumstances.
While the Belgian data protection authority provides detailed guidance (NL / FR) on the processing of personal data in the context of recruitment, it is the Dutch DPA that provides specific guidance on data retention with respect to CVs of non-accepted applicants, stating that it is usual for an organization to delete all the information regarding non-accepted applicants at the latest four weeks after the closure of the recruitment process. If you think about how CVs end up in mailboxes and on the desks of the different decision makers, and how such information is thus easily duplicated, meeting such a requirement is certainly no mean feat.
And if you ask for consent (yes, an example of where it could work as a legal basis in the HR context) to keep the CV in your recruitment pool? A maximum retention period of one year is reasonable, according to the Dutch DPA. You might want to take this type of guidance into account before sending a job posting to all the people in your recruitment database…
And what could go wrong with the data on an employee badge? Name, picture, etc. – all obvious information, no? Well, apart from basic security requirements like not having a branded employee badge (which looks nice, but you wouldn’t put your home address on the key ring of your house keys, right?), you will need to come up with a very good explanation of why an employee’s name must be put on the badge if you are not entitled to ask him to show you his ID.
Or, in other words: what’s the purpose of having a name on the badge if you can’t compare it with an official document? Or, from a GDPR mindset point of view: why would you increase the risk by holding more data if it is not strictly necessary for the purposes of control and security, purposes that can be met by having only a picture on the badge?
Another good example of how the principle of proportionality is applied in practice is provided by Decision 64/2020, which considers the use of an email address of a former employee and access to his emails for business continuity purposes.
The Decision, which is in line with guidance from the Privacy Commission, the predecessor of the DPA, confirms that the email address should be blocked at the latest on the last day of employment and that, during a reasonable period (one month, and certainly no longer than three months), an automated message should be sent informing the sender (i) that the person is no longer carrying out the function and (ii) who should be contacted instead. Note that an automated reply is not the same as automatically forwarding messages to another email address.
An employer might need access to the mailbox, or part of it, for business continuity purposes, but the employee must be given the opportunity to select personal messages and forward them to a personal email address and/or delete them.
Within the HR context, there are a number of standard data processing operations, ranging from recruitment to the monitoring of post-employment data usage. It is therefore possible, and recommended, to draft a clear FAQ document that addresses the most common HR-related situations. It can serve as a one-stop-shop document and be the single source of truth for everyone who has access to employee data.
Such an FAQ will not only help keep you out of trouble, it will also show your employees – after all, your most valuable asset – that you care about their fundamental rights. This will provide a level of comfort and trust that should not be underestimated.
And lastly, but perhaps most importantly: review your HR-related policies, such as an Acceptable Use Policy, to make sure that all aspects are covered: from the private use of email to post-employment use of data – and make sure that all procedures are in place to put these policies into practice. Better safe than sorry…