Restructuring legislation

In practice, video surveillance can be applied if it is necessary to protect persons or property in the business due to violations of rights that have already occurred (e.g., theft or damage to property) or a particular potential danger inherent in the nature of the location. Such a potential danger is always assumed, for example, in the case of tobaco stores, jewelry stores and banks. Therefore these stores are allowed to install surveillance and do so. Control measures that violate human dignity are absolutely inadmissible. Such measures include, for example, secret tapping of telephone conversations, surveillance cameras in washrooms or toilet facilities, body searches as a rule, the examination of private life, etc. Due to the technical circumstances, the monitoring of e-mail and Internet use not only allows access to the connection data, but usually also monitoring of the content (content of the e-mails and the www pages selected). This typically affects human dignity and leads to a duty of consent on the part of the works council or the employee. The duty of co-determination does not depend on whether the private use of the Internet and e-mail is permitted or not. It applies in any case. For example, recently, the city of Klagenfurt dismissed the municipal director Peter Jost with immediate effect because he had illegally monitored the e-mail correspondence of city employees.

Since it is a National level collective agreement, all social partners had to formally agree with the CA before signing.

Regarding this issue, during a relevant seminar organised by the Cyprus Bar Association and the Office of the Commissioner for Personal Data Protection of Cyprus, Cyprus' Commissioner for Personal Data Protection stated that at present the matter is largely dependent upon the specific facts of each independent incident. Examined, as such, on a case-by case basis, the resolution of relevant issues in an employment relationship on the one hand requires compliance with national and European Union law, and on the other hand it is highly dependent on the discretion of the Commissioner. Recognising the understandable confusion, the Commissioner provided the following guidelines, aiming to avoid any kind of violation of human rights and the law, while also to provide necessary information both to the employer as well as to the employee regarding their duties and rights respectively: 1) The company/employer should have a handbook referring to its established policy with exact precision on the regulation of data protection at the workplace and whether such company/employer allows the possibility to use their email account for personal or work use only. 2) In the cases where there is such an employment dispute/issue, it will be taken into account whether the employer is the owner of the computer and the email account while also whether the email account was solely used for work purposes. If a company’s policy indicates clearly that any email accounts (in the workplace) shall be solely and strictly used for work purposes and that employees or use it for any other private purpose, then this will weigh in favour of the employer. 3) In cases where there are suspicions of criminal or unlawful use of the email, the employer has an obligation to inform the employee about accessing their email and in such a case the employee must be present. If the employee does not consent and/or approve such an act, then the employer may need to go to court in order to obtain a court order for accessing the email account.

The State Labour Inspection Office (SUIP) is responsible for monitoring the violation of employees' privacy by wiretapping, recording telephone calls, checking e-mail or letters in the workplace. According to SÚIP's statement, the mentioned cases of privacy violations are not frequent in inspection practice and do not cause difficulties to recognise them. The use of camera systems, on the other hand, is more frequent and their application is very variable. The methodology of the Office for the Protection of Personal Data is used to determine which camera system meets legal requirements and which does not. This is a test of adequacy, which takes into account three points of view: suitability (if the chosen means will be capable of achieving the intended purpose - technical parameters and number of cameras, sufficient recording retention time, etc.), necessity (if it is not possible to ensure the intended purpose by others, objectively in a comparable way with the same or lesser interference with the protected values) and adequacy (whether the level of interference with the rights of employees is not disproportionate to the values that the employer protects with the camera system). Based on the Annual Summary Report on the results of control actions for 2018, the office detected 39 cases, 40 cases in 2019, 97 cases in 2020, 26 cases in 2021 and 27 cases of violation of employee privacy in 2022. The amendment to Act No. 251/2005 Coll., on labour inspection, which entered into force on July 29, 2017, allows the SUIP to fine employers for unreasonable interference with the privacy of employees according to § 316 of the Labour Code. SUIP can impose a penalty for violation of an employee's privacy up to CZK 1,000,000.

.

The processing and protection of an employee's private information has been the main area of concern for the Data Protection Inspectorate in Estonia. In the case of unavoidable data processing due to the contract or the law, the lines for asking for consent get very blurry. For example, processing data about an employee's child for childcare leave purposes does not require consent, even if the child is a minor. For further processing of the data related to the employee's children, consent is required. In addition, due to increased demand for telework due to the COVID-19 pandemic, the relation to monitoring at work has also changed. In many cases the employers started to use extra monitoring tools for employees working from home to control their working activity and productivity. In most cases automatic, AI related tools were used, which is often failing to identify between personal and work-related data while collecting. Also, even though the pandemic has ended, many companies have continued to use the surveillance tools, which still leave ambiguous situations in relation to the Data Protection Act. Overall, there is currently very little data collected on this topic in Estonia. In the case of privacy invasion or other guideline violation, the Labour Inspectorate should be contacted and they will look at every case separately.

Compliance with the law on Occupational Safety and Health Act is monitored by labor protection authorities, which is the relevant region's Regional State Administrative Agency. Compliance with the Act on the Protection of Privacy in Working Life is supervised by the occupational safety and health authorities in accordance with their competence, together with the Data Protection Ombudsman. Occupational health and safety authorities monitor compliance with The Employment Contracts Act. In their supervisory role and, in particular, when monitoring the observance of general binding collective agreements, the labor protection authorities must work in close cooperation with the employers' and employees' associations whose provisions of the general binding collective agreements entered into by the employers must be complied with according to Chapter 2, Section 7.

A survey (https://www.softwareadvice.fr/blog/3625/controle-de-l-activite-des-salaries-avis-employeurs-managers) by Software Advice, carried out among 239 managers and company directors in April 2023 and entitled "Nearly 7 out of 10 companies want to continue investing in employee monitoring tools", reveals that, contrary to popular belief, the Covid-19 pandemic is not the origin of workplace monitoring tools. "In fact, 36% of the professionals questioned were doing so before the pandemic, whereas today 63% are doing so". Companies' relative confidence in their employees, therefore, is largely based on the very presence of employees at work. "More than a third (35%) mainly monitor employee presence (whether they are online or offline, or active or inactive)", the study reveals. Of the managers and business leaders surveyed, 27% monitor time management, 23% monitor IT activity (Internet access, searches carried out, etc.) and 21% monitor workload management.

This right to co-determination is, at least in form, comprehensive, as almost all digital technologies collect data and are therefore suitable for monitoring employees. Further, related rights of works councils concern - among others - the right to be informed and consulted in due time in case of any plans regarding technical plants as well as operations including the use of artificial intelligence (Section 90 of the Works Constitution Act). According to the Federal Data Protection Act, the personal data of employees may be processed for employment-related purposes insofar this is necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract or to exercise rights and obligations of employees’ representation laid down by law or by collective agreements or other agreements between the employer and staff council. Employees’ personal data may be processed to detect crimes only if there is a documented reason to believe the data subject has committed a crime while employed, the processing of such data is necessary to investigate the crime and is not outweighed by the data subject’s legitimate interest in not processing the data, and in particular the type and extent are not disproportionate to the reason. If personal data of employees is processed on the basis of consent, then the employee’s level of dependence in the employment relationship and the circumstances under which consent was given shall be taken into account in assessing whether such consent was freely given (Section 26 of the Federal Data Protection Act). Also for employees the principle of telecommunications secrecy for private communication according to the Telecommunications Telemedia Data Protection Act applies at the workplace (Paragraph 3 of the Telecommunications Telemedia Data Protection Act).

One of the most important regulations in Law 4808/2021 is that, for the first time, the 'right to disconnect' is regulated, which essentially consists in the self-evident observance of the schedule. It is defined as the right of the teleworker to abstain completely from the provision of his work and, in particular, not to communicate digitally and not to respond to phone calls, emails or any form of communication outside of working hours and during his legal holidays. Unfavourable discrimination of the teleworker due to the exercise of the right to disconnection is not allowed. The employer must identify technical and organizational means to satisfy the right to disconnection. These means are recorded in an individual or collective agreement or disclosed by the employer to all employees. In addition, the Greek Data Protection Authority (DPA) responding, in a timely manner, to the extensive remote working during the COVID-19 pandemic, the issuance of Law 4808/2021 that, among others, regulates telework, and the risks lurking for employees’ privacy through the use of information and communication technologies, issued its Guidelines 1/2021 on the protection of personal data in the context of teleworking; the employers' right to control their employees' performance, without circumventing the employees' individual and labour rights, is of pivotal importance to DPA and, as such, is extensively analysed. It remains to be seen how it will be possible to exercise control -monitoring and surveillance of the employees' performance, without violating personal data requirements.

The Hungarian National Authority for Data Protection and Freedom of Information (NAIH) is authorised to impose fines for breaches of these rules. The largest fine related to data protection imposed in 2022 was HUF 250 million (€658,000). This case was related to the data handling and analysis of Budapest Bank related to recordings of telephone calls received by its call centre between May 2018 and September 2021. NAIH found it especially problematic that the analysis of the calls included examining the emotional states and reactions of participants in the call, which is in breach of handling data of clients as well as employees and rules on obtaining informed consent.

The main Italian trade unions (CGIL, CISL and UIL) have clear positions regarding the monitoring and surveillance of employees. They emphasise the importance of oversight to reduce risks, accidents, and occupational diseases. They promote access to new digital technologies, workers' participation in company management, and continuous training. The common goal is to ensure the health and safety of workers, respecting their rights and actively involving them in company management.

2021-2023 The State Data Protection Inspectorate together with Mykolas Romeris University is implementing the "SolPriPa 2 WORK" project "Resolving privacy paradox 2: promoting high standards of data protection as a fundamental right in the workplace". The two-year project is partially financed by the European Union Rights, Equality and Citizenship Program (2014-2020). This is a project to increase the awareness of employers and employees about the protection of personal data in the context of labour relations. Project goals: 1. Give employers the opportunity to create a work environment that meets the principles of personal data processing. 2. Help employees defend their right to personal data protection as a fundamental right in the workplace. Target audiences are employees who are the weaker party in labour relations, and employers, especially specialists such as data protection officers, personnel, communication, information technology specialists, other administration employees. During the project, great attention is paid to small and medium-sized businesses, as well as public sector organisations, such as ministries and their subordinate institutions, municipalities, courts. Activities. During the implementation of the project, trainings are conducted, guidelines, scientific articles, podcasts are prepared, and the mobile application "ADA guide" is further developed. The SolPriPa 2 WORK project is partially financed by the European Union Rights, Equality and Citizenship Program (2014-2020) and is for the period 2018-2020 continuation of the implemented awareness raising project "SolPriPa" about personal data protection.

No more information available.

The decision usually involves a balancing of the employer's legitimate interest and the employee's right to privacy. For example, [IDPC’s Data Protection Guidelines for Banks (2018)](https://idpc.org.mt/wp-content/uploads/2020/07/Data-Protection-guidelines-for-banking.pdf) specify (in line with Article 29 of the Data Protection Working Party’s Opinion 2/2017, adopted 8 June 2017), that employers should consider whether any processing operation in relation to employees’ use of technologies is: necessary; fair; proportionate; and transparent (p. 10). In August 2019, the bank HSBC was fined €5000 by the IDPC, in a case where a bank employee's personal data was being monitored. HSBC had investigated the employee’s bank account and social media posts without the employee’s consent and without notifying the employee, to find out whether the employee (an active trade unionist) was receiving another salary for part-time work, which they suspected was being undertaken in breach of the conditions set out by the bank. The Information and Data Protection Commissioner found in favour of the employee in relation to the scrutiny of his bank account, noting that the bank had abused its position of power and access, and saying that the access ‘exceeded what would generally be expected in the conduct of a relationship between a bank and an account holder.’ The processing was found to be outside lawful grounds, and the purpose for which the data was accessed was found to be in violation of the Data Protection Act. No violation was found in relation to the monitoring of social media posts, since these were available to the group and the bank was found to have a legitimate interest in them, because of disputes between the employee and the bank that were ongoing at the time ([Agius, 2019](https://www.maltatoday.com.mt/news/national/96890/hsbc_fined_5000_for_illegal_monitoring_of_trade_unionists_bank_accounts)).

Generally, monitoring is allowed provided companies take privacy into account. They must also comply with the General Data Protection Regulation and the law implementing the GDPR. Specifically, the employer must have a legitimate interest in monitoring their staff and they must be able to argue why it is legitimate. Furthermore, monitoring must be absolutely necessary. Employers must also inform personnel, specifically on what is and what is not allowed, that control is possible, the reason and when the employer will check, how the monitoring takes place and what data will be monitored. The right to confidential communication must also be taken into account. When companies have a works council, according to article 27 (1) (k) (l) the company must ask the works council for permission in relation to the processing and protection of personnel and arrangements aimed at or suitable for observing or checking the presence, behaviour or performance of the staff. When the work council does not approve, the employer is not allowed to check. A data protection impact assessment must also be carried out and when this shows a high-risk, prior consultancy should be done with the Dutch Data protection authority. This applies to all forms of employee monitoring. Employee monitoring in the Netherlands and Europe is subject to strict legal standards regarding informed consent and privacy. According to a ruling by the subdistrict court judge of the Central Netherlands District Court, Utrecht (ECLI:NL:RBMNE:2021:6071), an employee's consent to monitoring must be well-informed. A mere warning message that an employee must accept before logging in is insufficient to constitute informed consent. In this specific case, the court held that the employee did not provide informed consent because the extent and manner of monitoring were unclear, despite the warning message displayed upon login. The European Court of Human Rights (ECHR) further clarified the principles surrounding workplace monitoring in the Bărbulescu v Romania case (ECLI:CE:ECHR:2017:0905JUD006149608). In this case, an employer sought to terminate an employee, Mr. Bărbulescu, who had his work-related account monitored. The ECHR ruled that the monitoring in this case was not legally valid. The ECHR provided six crucial factors that an employer must consider when monitoring an employee: (i) The employee must be informed in advance about the nature of potential monitoring by the employer. (ii) The extent of monitoring and its impact on the employee's privacy. (iii) The employer should have legitimate grounds justifying the need for monitoring. (iv) Employers should explore less intrusive methods and measures when implementing monitoring. (v) The consequences of monitoring on the employee. (vi) Providing adequate safeguards, especially in cases involving highly intrusive monitoring methods (paragraphs 121 and 122). This ruling and the stringent factors outlined emphasise that monitoring employees cannot be undertaken lightly and must adhere to clear legal standards. The following are the extra criteria for covert control: * Reasonable Suspicion: if an employer has a reasonable suspicion that one or more employees are engaging in criminal or prohibited activities, such as theft or fraud, the employer may consider secret monitoring. * No Alternative: if the employer made efforts to stop theft or fraud but has not succeeded, the employer may have no choice but to conduct secret monitoring. * Occasional Monitoring: covert monitoring should be occasional, meaning it is limited to a predetermined period, and continuous secret monitoring is not allowed. * Notification: regardless of the monitoring's outcome, the employer must inform the involved employee(s) after the secret monitoring has taken place. * DPIA (Data Protection Impact Assessment): for the first-time secret monitoring, perform a DPIA. If the organisation has a Data Protection Officer (DPO), the employer should seek their advice. * Subsequent Occasional Monitoring: for subsequent secret monitoring instances with the same methodology, the employer does not need to repeat the DPIA. * Periodic DPIA Review: even if the data processing remains unchanged, the employer should consider reviewing the DPIA periodically, for instance every three years. * Private Investigation Agency: if the employer hires a private investigation agency for secret monitoring, the employer should perform a DPIA. * Prior Consultation: if the DPIA indicates a high risk and the employer cannot mitigate it, the employer should consult with the Dutch Data Protection Authority before commencing secret monitoring, known as prior consultation. The employer's Data Protection Officer can advise on the need for this consultation. **Figures about monitoring employees** In 2023, a study was done on employee monitoring in the Netherlands on 910 employees (including managers and senior managers) and 126 owners and executive managers within the small and medium-sized enterprise (SME) sector. 43% of surveyed employees report that their companies use tools for employee monitoring. Besides employees, many supervisors and managers are also under surveillance. Among respondents working for companies using monitoring software, 56% both monitor employees and are themselves monitored by their superiors or the HR department. A smaller group (27%) only supervise employees without being monitored, while 17% report being solely subject to monitoring. 73% of employees say that the HR department has explained their rights to them. However, more than a quarter of employees still respond that they either have not received information (22%) or do not know (5%).

The employer must agree with the employee on the timing of the remote working check. The inspection shall take place during the employee's working hours. A negative inspection result allows the employer to revoke the permission to carry out remote working. The employer is eligible (but not required) to impose a disciplinary sanction (a warning, a reprimand or a fine) on the intoxicated employee but also to terminate the employee's employment contract without notice through the employee's fault or with notice. The employer may apply one or both of these sanctions.

The same applies to monitoring activity on the internet and generally on the work computer. This situation is quite delicate, because it is not possible to impose an exclusive control on the way the employee chooses to carry out their activity. Some people may take more frequent breaks and go on social networks, but they do what their work without any problems. In this case, too, the employer must have some justified suspicion that the employee is using the computer and internet for personal, abusive and illegal activities.

So far, there are no known statistically significant violations of the law regarding monitoring and supervision of employees. Even the National Labour Inspectorate, which carries out labour inspections, does not pay significant attention to compliance with the provisions of § 13 of the Labour Code.

Not available.

According to the CCOO trade union, Organic Law 3/2018 seeks to reinforce the right to privacy and information, but its lack of specificity, insufficient regulation and interpretative problems, as well as the reference to collective bargaining, mean that collective bargaining plays a key role in increasing and guaranteeing the privacy and intimacy of workers. Indeed, in the drafting of the Law, the legislator is aware that there is a wide and varied casuistry, and therefore determines that these labour rights may be modulated according to the nature and purpose of the employment relationship, deriving their specific regulation to collective bargaining, both through collective agreements and agreements between the company and the workers' representatives. The Spanish Data Protection Agency has drafted a specific document on "Data protection in labour relations" with the participation of both the Ministry of Labour and Social Economy and business organisations (CEOE and CEPYME) and trade unions (CCOO and UGT), with the aim of structuring and summarising the legislation and offering practical (non-binding) guidance.

The largest trade union in Sweden, Unionen, for private sector white collar workers released a report in 2021 that argues that the existing legal framework to regulate employee monitoring and surveillance is a good foundation for future regulation but may need supplementary regulation to be effective. This existing framework is the GDPR-law, the Swedish Codetermination Act (MBL), the Employment Protection Act (LAS), and various sectoral collective agreements. However, they also state that the legal framework lacks specific regulation on the issue of employee protection from surveillance. A dedicated legal reference that ensures employee protection from excessive surveillance would make it easier.