Restructuring legislation

LAST UPDATE 2023 - THIS CONTENT WILL NOT BE UPDATED

Video surveillance interferes with the fundamental rights to data protection and privacy. § 96 ArbVG regulates the necessity of the works council's consent when introducing control measures and technical systems for controlling employees, provided that these measures (systems) affect human dignity, in order for them to be legally effective. Without the conclusion of a corresponding work agreement, the use of such systems is against the law and the control devices must be removed by the employer.

Companies with works council

Control measures such as video surveillance at the workplace, GPS tracking of field staff or the recording of work performance by machines or work equipment, may only be used if the the owner of the company has reached a works agreement on the matter with works council. Otherwise, the control measure is against the law and the systems must be removed by the employer.

Companies without works council

In companies without a works council, such control measures may only be carried out with the consent of the individual employees. The consent should be given in writing and can be revoked at any time. It is possible to agree on a time limit.

For video surveillance to be possible, there must be a legitimate interest of the person responsible in the individual case that outweighs that of the person affected. In addition, the surveillance must also be proportionate in the individual case and no lesser measures may be possible.

Video surveillance does not have to be notified to the data protection authority, but it does have to be entered in the register of processing activities.

The General Data Protection Regulation explicitly states that persons whose personal data are processed must be informed about this. In addition, every employee has the right to information about the specific data held about him or her, about its origin, its links with other data and about any transfers.

LAST UPDATE 2023 - THIS CONTENT WILL NOT BE UPDATED

Collective Labour Agreement 81 arranges the monitoring of electronic communication data in the workplace in Belgium. It regulates the monitoring of all forms of electronic online communication data, regardless of the carrier, transmitted or received by employees in the course of their employment, both internally and externally.

Employers may carry out monitoring for four main reasons:

• preventing defamatory acts and behaviours,
• protecting business interests,
• ensuring IT network system security, and
• monitoring compliance with company rules.

They may not violate the personal privacy of employees and must act proportionally, processing only necessary data.

In terms of transparency employers must provide detailed information about the monitoring system, including what is being monitored, why, the duration of monitoring, data storage, and whether monitoring is permanent. Rights, obligations, prohibitions, and sanctions must be communicated, both individually and collectively.

In case of violations, the employer must discuss the infringement with the offender, giving the employee the opportunity to justify their actions and prevent future violations.

CA 81 does not regulate how access to and the use of online communication tools in the company should be governed; this remains the responsibility of the employer.

The standards in CA 81 can be clarified, supplemented, and adapted to specific situations at the sector and/or company level.

LAST UPDATE 2023 - THIS CONTENT WILL NOT BE UPDATED

Until 2018 Cyprus had a law the Processing of Personal Data (Protection of Individuals) Law which included certain provisions regarding employment. However, this law was annulled in 2018, and replaced with a new one (the Law on the Protection of Natural Persons Against the Processing of Personal Data and the Free Movement of such Data), which made no reference to employment.

LAST UPDATE 2023 - THIS CONTENT WILL NOT BE UPDATED

The protection of employee privacy is mainly regulated by the Civil Code (Act No. 89/2012 Coll.), and then the Labour Code (Act No. 262/2006 Coll.), which regulates the property interests of the employer and the protection of the basic personal rights of the employee. Privacy protection is also regulated by the Personal Data Protection Act (Act No. 101/2000 Coll.). The protection of correspondence is guaranteed by the Charter of Fundamental Rights and Freedoms. Provision § 316 of the Labour Code provides an exhaustive list of ways that the law considers to be violations of the privacy of employees. This includes open or covert monitoring, listening and recording of the employee's telephone calls, checking e-mail or checking letters addressed to the employee.

The mentioned methods of monitoring employees can be considered legal only if the employer has serious reasons for their implementation related to his activity. At the same time, in this case, the law imposes an obligation on the employer to inform the employee about the introduction of these measures. Other ways, not mentioned in the law, are not a violation of labour regulations, provided that the control is carried out for all employees in the same way and to a similar extent. e.g. monitoring the movement of a company vehicle via GPS is not an invasion of privacy.

LAST UPDATE 2023 - THIS CONTENT WILL NOT BE UPDATED

This law (LBK nr 182 af 24/02/2023) regulates surveillance camera usage in Denmark and has been amended several times, most recently by Law No. 802 on June 9, 2020.

Regarding surveillance of employees at workplaces the law stipulates in §3 and §3a that: It is permissible for companies to monitor their employees, as long as they are notified of this. However, the purpose of the monitoring must not be to monitor the employees' efficiency, which is why it must only function preventively or to document break-ins, theft or the like.

Other key points of the law include:

General Prohibition on Private Surveillance: Private individuals are prohibited from conducting surveillance of public areas used for ordinary traffic, unless there is a legally specified exception.

Exceptions to the Prohibition: Certain exceptions permit surveillance of specific areas such as gas stations, factory premises, and other business areas, if conducted by the owner and necessary for crime prevention.

Police Permissions: The police can grant permissions for residential areas, sports facilities, and other private or public entities to conduct surveillance for crime prevention purposes.

Municipal Authority for Surveillance: Municipalities can, after discussion with the police director, conduct surveillance to enhance safety in public places.

Registration of Surveillance Equipment: Private and public entities must register their surveillance cameras in the police register (POLCAM).

Information Duty: Entities conducting surveillance must provide clear information through signage or other means.

Data Protection Authority Oversight: The Data Protection Authority oversees the processing of personal data in connection with surveillance.

Penal Provisions: Violations of the law can be penalized with fines or imprisonment, and there are also provisions regarding the disclosure of recordings and data storage.

The law has been amended several times to adapt to developments and strengthen security and safety in society.

LAST UPDATE 2023 - THIS CONTENT WILL NOT BE UPDATED

An employer will always possess an employee’s personal and work-related data, but there are regulations to the usage of that data. Trust and mutual understanding provides a foundation to a good employment relationship. This puts the principle of data processing with the knowledge of the employee in high importance. In legal terms, an employer must ensure the processing of personal data of an employee in accordance with the Personal Data Protection Act. Personal data are any data concerning an identified or identifiable natural person, regardless of the form or format in which such data exist.

The Employment Contracts Act obliges employers to respect employee privacy and control fulfilment of job tasks without unnecessary measures. Employers have the right to process employee data without employees' consent as long as it is necessary to fill employment contract and work arrangements rules at the workplace. This data however, must be collected only in legal and fair ways. At the same time, employees have the right to ask and receive information on what kind and on what purpose is information collected on them and who has access to that data (Personal Data Protection Act). An employee also has a right to demand a change or removal of false information collected about them. The data of an employee can only be processed if they have been given an opportunity to give consent which can also be withdrawn at any moment. If an employee withdraws their consent, the employer has to stop processing that data.

In addition, the employer does not have the right to carry out couvert surveillance on their employees. If there are cameras used in the office, all employees need to have knowledge of that, which needs to be clear and unambiguous. In the case of privacy violation due to collection of data, the subject can demand compensation. Surveillance cameras can only be used for the protection of people and property, not for collecting data on the quality and quantity of the work carried out by the employees. The employer has no right to collect data of the employees outside of working hours and must provide access to the materials (including recordings) at all times if the employee finds it necessary.

However, if the employee uses computers or other devices provided by the workplace, the data collected from there can be used without consent, but this should be specifically mentioned in the work contract. Also, the employer has a right to prohibit the use of work computers or other devices for personal use but this should again be stated in the work contract.

LAST UPDATE 2023 - THIS CONTENT WILL NOT BE UPDATED

The Finnish Act on the Protection of Privacy in Working Life (759/2004) is the most important Finnish legislation related to the processing of employees’ personal data. According to this act, employers may operate camera surveillance at workplaces only for the purpose of ensuring the personal security of employees and other persons on the premises, protecting property or supervising the proper operation of production processes, and for preventing or investigating situations that endanger safety, property or the production process. The data collected through surveillance must be necessary for the employment relationship, protection of property, and ensuring the safety of employees and other persons on the premises.

Regarding electronic surveillance, employers are allowed to monitor their employees' use of e-mail and the Internet, but only under certain prerequisites. The article does not provide specific details on these prerequisites, but it does mention that the monitoring must be necessary for the employment relationship and that the employer must inform the employees of the monitoring.

In short, the so called 'right to manage' gives the employer the right to decide who does what, where, when and how, during work hours. This includes surveillance of employees' work. The right is however limited by employment agreements, collective agreements and other labour legislation. The protection of an employee's personal data, as well as video surveillance, is regulated in the Act on the Protection of Privacy in Working Life (759/2004). According to the Occupational Safety and Health Act (738/2002), employers must constantly monitor the working environment, the state of the work community and the safety of working practices.

The collection of personal data during recruitment and employment is also subject to regulation under the Co-operation Act (1333/2021), according to which it needs to be included in workplace dialogue. This includes the purpose and methods of surveillance by technical means of employees, the use data networks and the processing of employees' e-mail and other electronic communications.

LAST UPDATE 2023 - THIS CONTENT WILL NOT BE UPDATED

There is no specific legislation governing the surveillance of employees, but rather a set of rules derived from several pieces of legislation.

Surveillance cameras

Employers may not install cameras on their premises without defining a purpose, which must be legal and legitimate. For example, cameras can be installed in the workplace to ensure the safety of people and property, as a deterrent or to identify the perpetrators of theft, damage or assault.

The employer's right of surveillance is recognised, but is subject to certain limits:

• Respect for employees' individual rights and freedoms, which do not disappear within the company;
• transparency: in principle, employees must be informed of the monitoring system, and the social and economic committee or works council must be consulted;
• compliance with the principles laid down by the GDPR;
• the proportionality requirement: the control must be justified by a legitimate interest (productivity, security, company image, etc.) and must not be excessive.

Geolocation devices

These devices can be installed in vehicles used by employees to:

• Monitor, justify and invoice the transport of people, goods or services directly linked to the use of the vehicle.
• Ensure the safety of the employee, the goods or the vehicles in their charge, and in particular to recover the vehicle in the event of theft (for example, with an inert device that can be activated remotely as soon as the theft is reported).
• Better allocation of resources for services to be provided in dispersed locations, particularly for emergency interventions.
• Optionally, monitor working hours when this cannot be done by any other means.
• Comply with a legal or regulatory obligation requiring the use of a geolocation system due to the type of transport or the nature of the goods being transported.
• To monitor compliance with the rules governing the use of the vehicle.

However, a geolocation device installed in a vehicle made available to an employee may not be used:

• to monitor compliance with speed limits.
• to monitor an employee at all times.
• In particular, it may not be used: in the vehicle of an employee who is free to organise his or her movements; to monitor the movements of employee representatives in the context of their mandate; to collect location data outside working hours, including to combat theft or check compliance with the conditions of use of the vehicle;
• to calculate employees' working hours when another system already exists.

Video recording or screen capture coupled with telephone conversation recording

For the purposes of staff training or appraisal, employers may couple computer actions with telephone conversations, for example by recording the image of what appears on the employee's computer screen, in the form of screen captures or a video, at the same time as recording telephone conversations.

However, the use of this device can lead to employees being monitored or to private information being captured (personal emails, instant messaging conversations or confidential passwords). It is particularly intrusive and must therefore be strictly supervised. In principle, screen captures cannot be used in conjunction with recordings of telephone conversations. The CNIL considers that, whatever the purpose, a screen capture is likely to be neither relevant nor proportionate, since it is a frozen image of an isolated action by the employee, which does not faithfully reflect his or her work. There may be a link between the recording of telephone conversations and video recording of the screen, under certain conditions.

In view of the impact and risks of misuse and surveillance associated with these devices, the coupling of telephone recordings with the image (screen capture or video) of the employee's actions is disproportionate when used for purposes other than training, such as staff appraisal, combating internal fraud, etc. The employer must then use alternative means to this type of device.

Access to an employee's email in their absence

In order to avoid infringing employees' privacy, as they may make private use of their email, which is not prohibited, the employer must set the conditions for consulting email while they are absent. These rules may, for example, be set out in an IT charter specific to the company: they must be known by the employees, who will be informed of the terms and conditions for consulting and using their email during their absence. In this way, the rules laid down in advance, in complete transparency, can avoid the risk of subsequent disputes. The courts consider that any message received or sent from the workstation provided by the employer is, in principle, of a professional nature. In this case, the employer may consult them. However, if the message is clearly identified as personal, for example if the subject line clearly states that it is a private or personal message, the employer must not look at it. He must respect the confidentiality of correspondence

LAST UPDATE 2023 - THIS CONTENT WILL NOT BE UPDATED

The Works Constitution Act in its revised version of 1972 foresees co-determination rights for works councils on a number of issues in so far as they are not prescribed by legislation or collective agreement. Among others, works councils have a right of co-determination regarding the introduction and use of technical devices designed to monitor the behaviour or performance of the employees. This normally takes the form of a written agreement between the employer and the works council. If no agreement can be reached, a conciliation committee makes a decision.

LAST UPDATE 2023 - THIS CONTENT WILL NOT BE UPDATED

By virtue of art. 67, para 8, Law 4808/2021:

• The employer monitors the employee's performance in a manner that respects his privacy and is in line with the protection of personal data. Employers are explicitly prohibited from monitoring the performance of teleworkers with the use of webcams. By virtue of articles 73 & 74:
• Employers are obliged to install and operate an electronic system, for the monitoring of their employees’ working time, directly connected and inter-operable to the “ERGANI II” Digital Information platform (Ministry of Labour & Social Affairs). Additionally, the new Law introduces the “digital employment card”, which provides, in real-time, data to the “ERGANI II” platform such as, starting and ending working time, breaks, overtime and any type of leave.

On 4 August, 2021 the Greek Data Protection Authority (DPA) issued its Guidelines 1/2021 on the protection of personal data in the context of teleworking; the teleworkers' monitoring is of pivotal importance for the Authority. The DPA recognises the right of the employer, as long as the conditions deriving from the legislation are met in principle, to monitor whether employees provide their work within the agreed working hours, and in line with the terms of employment. It considers, also, legitimate for the data controller to request additional confirmation (authentication) from the ICT user-teleworker (PC, communication software - electronic mail) - assuming that they actually provide the agreed work and keep the relevant information.

On the other hand, the DPA has judged with a series of decisions that, the ongoing surveillance of employees by means of web cams, software recognising images and movements, the shared use of the employees’ screen, the installation and operation of a Keylogger, or even the performance of certain activities on a regular basis for ascertaining that the employees are teleworking, are prohibited practices, because they lead to an unjustified profiling of employees and violate the proportionality principle. In addition to the prohibitions set in relation to the use of a camera (web cam) to control the performance of the employee, the controller in the context of their responsibility should take into account that the processing of data through closed-circuit visual recording within workplaces, whether publicly accessible or not, is permitted only if it is necessary for the protection of persons and property. Data collected through closed-circuit visual recording may not be used as a criterion for evaluating employees' efficiency. In addition, the legality of taking any such relevant measure, that constitutes processing of personal data, presupposes the prior notification of the data subject.

LAST UPDATE 2023 - THIS CONTENT WILL NOT BE UPDATED

Under changes introduced in April 2019 to the Labour Code, providing more details on the rules on monitoring and surveillance, it is stated that the employer has a right to monitor whether employees are fulfilling their job-related tasks according to their instructions.

The employer may use technical equipment to exercise this right, but it must be justifiably in connection with the employee’s work and it must be proportionate. Such justification may be the protection of employer property, but surveillance cannot be used to measure employee productivity (for example by video surveillance). An exception may be when the surveillance serves the purpose of the health and safety of the employee, such as at an industrial site. Human dignity must be observed at all times, thus cameras cannot be placed in private spaces where the employee has the right to privacy and rest (showers and dressing rooms, kitchens or dining spaces, facilities for resting).

General GDPR rules must be observed when handling all data collected in this way and employees must be duly notified of any surveillance beforehand.

LAST UPDATE 2023 - THIS CONTENT WILL NOT BE UPDATED

Legal framework ensures a balance between operational needs of employers and the privacy and rights of employees: the Workers' Statute (Law 300/70) sets the foundation by prohibiting audiovisual and remote monitoring systems unless there's an agreement with trade union representatives.

Employers are also bound by a comprehensive obligation to inform employees about various aspects of their employment, including the use of any monitoring systems (detailed in Legislative Decree No. 152/1997 and further elaborated in Legislative Decree No. 104/2022). The Privacy Code, as amended by Legislative Decree 101/2018, reinforces these principles by requiring a solid legal basis, such as collective agreements or administrative authorizations, for the implementation of monitoring systems. It also mandates strict adherence to data protection laws, ensuring that any data collection is relevant, limited, and respects the privacy rights of individuals.

Furthermore, recent legislative developments, such as Law No. 48/2023, introduce additional layers of employee protection, including requirements for employers to provide or make accessible collective contracts, company rules, and information about automated decision-making systems used in the workplace, unless exempted due to industrial or commercial secrecy.

LAST UPDATE 2023 - THIS CONTENT WILL NOT BE UPDATED

Handling of employee health data following amendments to the Labour Code on quarantine, 14th, April 2020, Article 27 of the Labour Code "Workers' rights to privacy and protection of personal data" establishes employer‘s obligation to respect the rights of workers to privacy and protection of personal data. The employer's exercise of ownership or control over information and electronic communication technologies used in the workplace shall not violate the confidentiality of employees' private communications. Moreover, the State Data Protection Inspectorate has issued a series of recommendations and guidelines on the protection of personal data in the context of employment relationships that are applicable together with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (and Lithuanian legislation:

• Guidance for employees, 2023;
• Guidelines for small and medium-sized businesses, 2023;
• Guidelines for public sector bodies and organisations, 2023;
• Recommendation on the safe use of mobile applications on mobile devices, 15th June, 2023;
• Handling of employee health data following amendments to the Labour Code on quarantine, 14th, April, 2020;
• Processing of employees' personal data in the context of teleworking, 9th April, 2020;
• Guidance: Adaptive and Standardised Data Protection in the Life Cycle of an Information System, 11th December, 2020;
• Memo on video surveillance requirements, 2019.

LAST UPDATE 2023 - THIS CONTENT WILL NOT BE UPDATED

The legislator exercised the option to the Member States by Article 88 of the GDPR to provide for more specific rules concerning the processing of personal data for employee surveillance purposes under employment relationships.

The processing of personal data by the employer for surveillance purposes is therefore authorized: If it is necessary:

• for the performance of the contract of employment;
• for compliance with a statutory obligation of the employer;
• for legitimate interests pursued by the employer or by a third party, unless the employee’s interests or fundamental rights and freedoms prevail over the former;
• for the safeguarding of the vital interests of the employee or another natural person;
• for carrying out a mission that is in the public interest or relevant for the exercise of public authority vested in the employer;
• Or if the person concerned has consented to the processing of his or her personal data.

In addition to an individual right of access to information for each employee by virtue of Articles 13 and 14 of the GDPR, the employer must also inform the staff delegation or, otherwise, the Inspectorate of Labour and Mines. The information must include the following elements:

• A detailed description of the purpose of the proposed processing;
• The implementation methods of the surveillance system and, where applicable, the period of and criteria for data retention;
• The employer’s formal commitment not to use the data collected for a purpose other than that provided explicitly in the prior information.

LAST UPDATE 2023 - THIS CONTENT WILL NOT BE UPDATED

There is no law specifically on employee monitoring in Malta. It therefore falls under the Data Protection Act (Act XX of 2018, implementing the GDPR, Regulation (EU) 2016/679), with privacy also being constitutionally protected. The employee's consent is not usually considered sufficient justification for employee monitoring, because the power imbalance in the employer-employee relationship compromises the employee's ability to freely grant such consent. A Data Protection Impact Assessment is required for employee monitoring, including for purposes of evaluating the employee's performance at work; if risks to the ‘rights and freedoms of data subjects’ (GDPR, Art. 35) remain in the processing operation, the Information and Data Protection Commissioner must be consulted.

Disputes relating to dismissals on the basis of claimed breaches of privacy have come before the Industrial Tribunal. The responsibility for monitoring and enforcing the GDPR and the Data Protection Act lies with the Office of the Information and Data Protection Commissioner (IDPC), as the national supervisory authority and regulatory body. The Information and Data Protection Appeals Tribunal decides cases relating to the monitoring of employees and the use of employees’ personal data, and hears appeals from the decisions of the Office of the Information and Data Protection Commissioner.

Under Article 20 of the Data Protection Act, the IDPC may impose an administrative fine for violations, by order in writing.

LAST UPDATE 2023 - THIS CONTENT WILL NOT BE UPDATED

An employer is only allowed to monitor employees if it meets the requirements of the GDPR, as well as the law implementing the GDPR. Whenever an employer monitors their employees, the employees’ privacy must be protected at all times. If there are alternatives to employee monitoring, or less invasive methods for the employees’ privacy, those must take precedence. In general, the employee must give their explicit informed consent for the employer to be allowed to monitor their data, however, there are exceptions to this rule. There are also instances where employee monitoring is never admissible, for example in sensitive spaces, such as toilets and religious spaces.

The GDPR requirements for employee monitoring are as follows:

• Legitimate interest: the company must have a legitimate interest in monitoring its staff. This interest must outweigh the rights and interests of its employees. Such as their right to privacy. The company must be able to substantiate this. It must comply with the principles of proportionality and subsidiarity.
• Need: monitoring staff must be a necessity. This means that the company cannot achieve its goal in another way that is less drastic for its employees’ privacy.
• Inform staff: the company must inform its employees about:
• what is allowed and what is not;
• that control is possible;
• why and when to check;
• how to check;
• which data is involved.

Employees can be informed with internal guidelines, such as rules of conduct or a protocol.

• Right to confidential communications: employees' right to confidential communication must be considered. For example, when checking e-mail or telephone.
• Works council approval: if the organisation has a works council, then the company must request the prior approval of the Works Council for a scheme for the inspection of personnel. If the Works Council does not agree, you are not allowed to inspect.
• Data protection impact assessment: if a company wants to use large-scale processing and/or systematic monitoring of personal data to monitor the activities of employees, such as checking email and internet usage, GPS tracking in employees’ cars or trucks, or camera surveillance in order to combat theft and fraud, it needs to carry out a data protection impact assessment (“DPIA”) first. A DPIA looks at the privacy risks of the monitoring system, so that measures can be taken to reduce risks. If the company has a data protection officer, then they can be asked for advice on carrying out the DPIA.
• Prior consultation: if the DPIA shows that the intended inspection poses a high risk, and the company is unable to find measures to limit this risk, then the Dutch Data Protection Authority (AP) must be consulted before the company starts checking personnel. This is called a prior consultation. If the company has a data protection officer, they can advise on whether prior consultation is necessary.
• Covert control: if the company intends to secretly monitor employees, it must also meet the additional conditions for covert monitoring. Secret monitoring of employees is only allowed in special circumstances, such as in case of a suspected crime. In case of covert surveillance, the employer is only allowed to use the data for the initial purpose of the surveillance.

LAST UPDATE 2023 - THIS CONTENT WILL NOT BE UPDATED

Sobriety checks

An employer may introduce sobriety checks for employees if this is necessary to ensure the protection of the life and health of employees or other persons or the protection of property. The conditions of the sobriety check must be laid down in a collective agreement or in the work rules or in a notice if the employer is not subject to a collective agreement or is not obliged to issue work rules.

Remote control of work

An employer has the right to carry out an inspection of the employee's remote work, a health and safety inspection or an inspection of compliance with security and information protection requirements, including procedures for the protection of personal data, under the terms of the remote work agreement between the employer and the employee. The inspection shall be carried out in agreement with the employee at the place of remote work during the employee's working hours. The monitoring shall not invade the privacy of the teleworking employee or any other person, nor interfere with the intended use of the home premises.

E-mail monitoring

If necessary to ensure that the work is organised in such a way that the working time can be fully utilised and the working tools are made available to the employee, the employer may introduce monitoring of the employee's business e-mails (e-mail monitoring, electronic mail monitoring). E-mail monitoring must not violate the employee's privacy and other personal rights.

LAST UPDATE 2023 - THIS CONTENT WILL NOT BE UPDATED

With the law, the processing of personal data is much better defined, the employee is protected against abuse by the employer. At the same time, employers are informed more specifically about how the law regulates the surveillance of employees, in order to have a balance between the two parties.

According to the provisions, the employer can monitor the work of employees only if the following conditions are met:

• The employer has legitimate and well-founded interests that prevail over the interests or rights and freedoms of the employees.
• The employer has informed in advance, in a precise and explicit manner how they wish to monitor the employees' activity.
• The employer has consulted in advance with the trade union or employee representatives before implementing monitoring systems.
• The employer ensured that the duration of storage of personal data is directly proportional to the purpose of the processing, without exceeding the legal time limit of 30 days. An exception is made in duly justified cases.

The law clearly specifies the employer's obligation to inform employees in advance of how they choose to monitor their activity. This can be done by following certain steps.

• An e-mail will be sent to the employees informing them of the intention and the way in which the monitoring of their activity will be carried out.
• The necessary changes will be made in the internal rules.
• The necessary changes will be made in the additional documents to the employment contract.
• Minutes will be drawn up and signed by all employees.

There are some situations in which the employer must justify the need to implement supervision systems. An example is GPS tracking of the transport vehicle or any other purpose for which the employee works. If there is no reason that would give the employer reason to suspect that the employee is carrying out illegal operations and activities with the company car, then the imposition of surveillance is not justified.

As far as surveillance cameras at the workplace are concerned, employees must be informed of their location and when they are active. It is forbidden to place hidden cameras, as it violates the employee's right to privacy, even if they are in the work space.

LAST UPDATE 2023 - THIS CONTENT WILL NOT BE UPDATED

In Slovakia, the general regulation on the protection of personal data applies (the EU regulation and the Act on the Protection of Personal Data are also directly applicable in Slovakia).

Regarding the monitoring and surveillance of employees, the Labour Code (Act 311/2001 Coll.) has a very brief legal regulation in this regard, quite problematic and unclear (according to practice). This legislation was introduced by Act No. 361/1012 Coll. which amends Act no. 311/2001 Coll. Labour Code and valid from 1.1.2013.

The employer must not violate the employee's privacy at the workplace and in the employer's common areas. It is inadmissible to monitor or record the employee's phone calls using the employer's technical devices. It is also inadmissible to check the employee's e-mail sent from the work e-mail address and delivered to this address without the employer notifying them in advance. The employee has the right to file the complaint to the employer if the principles of equal treatment are violated, if the conditions for the exercise of rights and duties are not observed in accordance with good morals, if it is an unjustified unauthorised violation of the employee's privacy, if it is an unauthorized prohibition to maintain confidentiality about working conditions or if it is a prohibition to perform other gainful activity, as well as if it is a violation of rights and obligations arising from the employment relationship. The employer is obliged to respond to the employee's complaint without undue delay, to make corrections, to refrain from such action and to eliminate its consequences.

An employee who believes that his privacy at the workplace or in common areas has been violated due to non-compliance, may turn to the court and seek legal protection.

LAST UPDATE 2023 - THIS CONTENT WILL NOT BE UPDATED

The Personal Data Protection Act (ZVOP-2), issued on 27 December 2022, stipulates the procedure and rules on video monitoring and biometric data collection for businesses.

First, the authorised person must issue a written decision on the use of video surveillance, detailing the reasons. Second, the domain under video surveillance must be clearly designated by a written or graphic description that alerts the subject to the fact that they are being watched. According to Regulation (EU) 2016/679, such notice must include information on the controller, the reasons for surveillance, data processing, and unusual additional data processing (for example, data transfer to third-country entities or live monitoring). However, rather than a full notification, a webpage link (URL and QR code) is adequate. Video surveillance is not permitted in elevators, restrooms, dressing rooms, or hotel rooms. The controller must document all access to and use of surveillance data. In commercial buildings, 70% of owners must approve of the surveillance before its introduction.

The following reasons may justify video monitoring of business premises access: (1) the security of people and property, (2) control of entry to those premises, or (3) the risk of injury to employees due to the nature of their employment. Monitoring should not cover other buildings, for instance, residential houses. Access surveillance may comprise a written record of names, addresses, employments, number of identity documents, and the purpose of the visit, in addition to CCTV data (picture, date, time, and, in exceptional cases, sound).

Within work premises, video surveillance is allowed only on the grounds of (1) security of persons and property, (2) prevention and detection of offences in gambling or (3) protection of confidential information. Surveillance must be limited and should not cover workplaces where employees usually work unless necessary for one of the three reasons. Only controller’s authorised employees can perform direct monitoring.

The employer must notify workers about video surveillance in advance. Before its introduction, the employer must consult the company trade union and works council (or workers’ representative). The consultation should occur at least 30 days before it. If monitoring is to cover workplaces, the consultation must occur at least 60 days before. National security issues and gambling are excluded from the obligation to consultation.

The Information Commissioner issued instructions on the proper use of surveillance at the workplace in the face of the collision of the employee's right to privacy and the right of the owner to property. Surveillance must be proportionate, and it is not allowed to survey employees during the work process because the employer is, for example, afraid of theft. In this case, surveillance monitoring is more necessary during employee absence since stealing is more likely to occur at that time. It is neither possible (and even prohibited) to monitor employees for research purposes or mystery shopping, either directly or by authorising a third party. For monitoring people, one may be criminally liable for breaching human rights to personality, personal and family life.

LAST UPDATE 2023 - THIS CONTENT WILL NOT BE UPDATED

The new Law (Organic Law 3/2018) repeals the previous Data Protection Law (LOPD 15/1999). Organic Law 3/2018 has a twofold objective:

• to adapt Spanish legislation to the European package of measures on data protection, i.e. the General Data Protection Regulation (GDPR) and Directive (EU) 2016/680.
• guarantee the new digital rights of citizens, under the protection of the provisions of Article 18.4 of the Spanish Constitution.

Thus, the regulation incorporates a broad catalogue of digital rights. Specifically, it recognises and guarantees a new catalogue of digital rights, including the following: (i) the neutrality of the internet; (ii) universal access to the internet; (iii) digital security; (iii) digital education; (iv) the protection of minors on the internet; (v) the rectification or updating of information on the internet; (vi) the right to be forgotten in search engines and social networks; (vii) the regulation of the right to a digital will.

The law also regulates new labour rights, such as digital disconnection, and privacy against the use of a video surveillance system and geolocation in the workplace. In other words, it reinforces the employee's privacy, and therefore his or her right to digital disconnection and privacy with regard to the use of digital devices, video surveillance and geolocation in the workplace, allowing collective agreements to guarantee greater protection.

Thus, for example, Article 87 states that workers and public employees shall have the right to protection of their privacy in the use of digital devices made available to them by their employer. Likewise, the employer may access the contents derived from the use of digital media provided to workers for the sole purpose of monitoring compliance with work or statutory obligations and ensuring the integrity of such devices.

Meanwhile, Article 88 states that workers and public employees shall have the right to digital disconnection in order to guarantee, outside the legally or conventionally established working time, respect for their rest time, leave and holidays, as well as their personal and family privacy.

Article 91 indicates that collective agreements may establish additional guarantees of rights and freedoms related to the processing of workers' personal data and the safeguarding of digital rights in the workplace.

LAST UPDATE 2023 - THIS CONTENT WILL NOT BE UPDATED

This Act supplements Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of persons with regard to the processing of personal data and on the free movement of such data. It is the main act referred to in stating that the following activities are forbidden by the employer:

• Searching through the browsing history of an employee without reason. Automatic collection of such data is not allowed.
• Surveillance of working activity by forcing the web camera of a work laptop to be on.
• Surveillance of email conversation can be allowed in some cases, but only when there are suspicions of disloyal activity or criminal behaviour.