- Phase
- Work Council Act/ General Data protection regulation/ GDPR implementation act
- Native name
- Wet op de ondernemingsraden (WOR)/ Algemeen verordening gegevensbescherming (AVG)/ Uitvoeringswet AVG (UAVG)
- Type
- Employee monitoring and surveillance
- Added to database
- 18 October 2023
Article
Wet op de Ondernemingsraden (WOR) , Article 27(1)(k)(l)
Description
An employer is only allowed to monitor employees if it meets the requirements of the GDPR, as well as the law implementing the GDPR. Whenever an employer monitors their employees, the employees’ privacy must be protected at all times. If there are alternatives to employee monitoring, or less invasive methods for the employees’ privacy, those must take precedence. In general, the employee must give their explicit informed consent for the employer to be allowed to monitor their data, however, there are exceptions to this rule. There are also instances where employee monitoring is never admissible, for example in sensitive spaces, such as toilets and religious spaces.
The GDPR requirements for employee monitoring are as follows:
- Legitimate interest: the company must have a legitimate interest in monitoring its staff. This interest must outweigh the rights and interests of its employees. Such as their right to privacy. The company must be able to substantiate this. It must comply with the principles of proportionality and subsidiarity.
- Need: monitoring staff must be a necessity. This means that the company cannot achieve its goal in another way that is less drastic for its employees’ privacy.
- Inform staff: the company must inform its employees about:
- what is allowed and what is not;
- that control is possible;
- why and when to check;
- how to check;
- which data is involved.
Employees can be informed with internal guidelines, such as rules of conduct or a protocol.
* Right to confidential communications: employees' right to confidential communication must be considered. For example, when checking e-mail or telephone.
* Works council approval: if the organisation has a works council, then the company must request the prior approval of the Works Council for a scheme for the inspection of personnel. If the Works Council does not agree, you are not allowed to inspect.
* Data protection impact assessment: if a company wants to use large-scale processing and/or systematic monitoring of personal data to monitor the activities of employees, such as checking email and internet usage, GPS tracking in employees’ cars or trucks, or camera surveillance in order to combat theft and fraud, it needs to carry out a data protection impact assessment (“DPIA”) first. A DPIA looks at the privacy risks of the monitoring system, so that measures can be taken to reduce risks. If the company has a data protection officer, then they can be asked for advice on carrying out the DPIA.
* Prior consultation: if the DPIA shows that the intended inspection poses a high risk, and the company is unable to find measures to limit this risk, then the Dutch Data Protection Authority (AP) must be consulted before the company starts checking personnel. This is called a prior consultation. If the company has a data protection officer, they can advise on whether prior consultation is necessary.
- Covert control: if the company intends to secretly monitor employees, it must also meet the additional conditions for covert monitoring. Secret monitoring of employees is only allowed in special circumstances, such as in case of a suspected crime. In case of covert surveillance, the employer is only allowed to use the data for the initial purpose of the surveillance.
Citation
Eurofound (2023), Netherlands: Employee monitoring and surveillance, Restructuring legislation database, Dublin,
https://apps.eurofound.europa.eu/legislationdb/employee-monitoring-and-surveillance/netherlands