GDPR and surveillance at the workplace
Hi,
surveillance at the workplace is generally allowed, and is also handled in GDPR, however there are now some additional restrictions, like the additional transparency rules. I wanted to ask the following:
- does the data controller have to register surveillance data, or at least the surveillance data of incidents?
- do the affected employees have the right to access this surveillance data?
- does the employer have to inform the employees about all possible surveillance practices it does (or can) carry out? How would that happen normally?
- in which cases is invasive surveillance (or longer term more or less permanent) surveillance allowed? Does the employer have to disclose such cases? Or keep a register of them?
- if invasive surveillance is proven, which information can the employee request from the data controller (beginning, end, time period, people involved, decision makers involved, whom it was forwarded to, which kinds of surveillance techniques were employed [electronic, video, audio...], etc.)?
Thank you
Assign topic to the user
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
does the data controller have to register surveillance data, or at least the surveillance data of incidents?
Not sure understand what you want to say by surveillance data. If you mean the logs of a security incident you can store and register them an use them in you incident investigation if you want.
do the affected employees have the right to access this surveillance data?
Yes, but only the date concerning them, date relating to other persons should be removed.
does the employer have to inform the employees about all possible surveillance practices it does (or can) carry out?
Yes, you need to inform your employees about the processing activities that their employees is carrying out. You need to describe the activity, its purpose and its lawful ground in an Employee Privacy Notice. If you want to find out more about Privacy Notices check out this free webinar Privacy Notices under the EU GDPR (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/)
How would that happen normally?
For new employees the Privacy Notice could be communicated when they sign the work contract and for the rest it can be either sent via email or uploaded on the intranet so is available to all employees.
in which cases is invasive surveillance (or longer term more or less permanent) surveillance allowed?
You would need to perform a Legitimate Interest Assessment (LIA) to determine which activities would be infringing upon the rights and freedoms of the employees.
Does the employer have to disclose such cases? Or keep a register of them?
If the LIA shows that the activity is too intrusive than it should either limit it to what would not be considered intrusive/excessive. Eg. less information could be collected, date could be anonymized, data could be deleted after a shorter period of time etc.
if invasive surveillance is proven, which information can the employee request from the data controller (beginning, end, time period, people involved, decision makers involved, whom it was forwarded to, which kinds of surveillance techniques were employed [electronic, video, audio...], etc.)?
The employees can ask you to provide all information about himself which was collected by the monitoring system such as images, recordings, logs etc. the only limitation regards the information about other individuals which must be removed.
Comment as guest or Sign in
Dec 05, 2019