Fundamental data protection principles apply when processing personal data in the employment context. With the rapid adoption by employers of new information technologies, in terms of infrastructure, applications and smart devices, the workplace has become increasingly data intensive, as new types of systematic and potentially invasive data processing are being introduced. This situation has escalated particularly in light of the digitisation phenomenon and the recent shift towards remote working by many employers as a result of the COVID-19 pandemic. Whilst the use of such technologies is helpful, it also creates significant privacy and data protection challenges.
In an employment relationship, the employer takes on the role of a data controller, determining the purposes for which and the means by which personal data, including that of their employees, is processed. On the other hand, the more vulnerable employee takes on the role of a data subject. This relationship requires that a balance be struck between the interests of both parties.
The current legal framework is set in the General Data Protection Regulation (GDPR), implemented into Maltese law in the Data Protection Act (DPA). The regulation regulates the processing of personal data of the data subject, whether held electronically or manually including issues that may apply to employees. It permeates also through employment law and the employer-employee relationship, as it seeks to strike a balance between the interests of both.
An employer may receive the necessary consent from an employee to obtain, process or transfer his or her personal data. For such consent to be valid, it has to be “freely given” and it must also be revocable. Due to the imbalance of power between employers and employees, consent is rarely seen as being freely given. Thus, most personal data in an employment context is processed on the basis of (a) being necessary for the performance of a contract and (b) being necessary to comply with the legal obligations imposed on employers. In certain limited circumstances, processing may also be based on legitimate interest, provided that such interest is not overridden by the interests or fundamental rights and freedoms of the employee.
As an employee, you have a right to ensure that any personal data concerning you is processed fairly, lawfully and generally in accordance with the principles and requirements of the GDPR.
When processing your data, your employer (as data controller) is obliged to ensure that any personal data concerning the employee (the data subject) is:
The principle of transparency requires controllers (in this case employers) to provide data subjects (in this case employees) with adequate, complete and clear information about the personal data being collected, the intended uses of such personal data and other important information which allows the data subject to understand the data handling practices of the employer. This information is typically included in a Privacy Notice or as part of the Employee Handbook.
Employers must also ensure that employees involved in the processing of other employees’ or customers’ personal data are contractually bound to act on the instructions of the employer in the processing of such data, and to take all the security measures available to the employer to protect the data against accidental destruction or loss, or unlawful forms of processing.
In the context of employment, employers should:
A primary right granted to employees in their role as data subjects is that of making subject access requests (SAR), by which employees may obtain copies of all personal information held by their employer. This includes a copy of any personal data held by the employer in hard copy, and any digital data including data held on a computer or an online system, including backups of such data.
Upon lodging such a request, the employee has the right to know what data is being held by the employer and why, to whom such data has been disclosed and the duration for which the data is intended to be stored. In the case of data which the employee has not supplied to the employer themselves, the source of the data may also be requested.
An employer may refuse to provide all or some of the requested information, depending on the circumstances. An employer may also refuse to comply with a SAR if it is manifestly unfounded or manifestly excessive, or where the controller is unable to identify data referring to the data subject, unless such data subject provides additional information that enables identification.
If controllers refuse to act on a request for the right of access, in whole or in part, they must inform the data subject without delay, and at the latest within one month of receipt of the request, of the reason why they have refused the SAR. They must also inform the data subject of the right to lodge a complaint with the Information and Data Protection Commissioner and of the possibility to seek a judicial remedy.
There are many reasons why an employer may monitor an employee at work. Although an employer might have a legitimate interest to monitor an employee’s emails, telephone calls or use of an employer’s computer system, this interest must be balanced with the employee’s right to privacy. Private communication, such as emails and telephone calls, fall under the definition of personal data as defined in Article 4 of the General Data Protection Regulation (GDPR), deserving of certain protection provided by the DPA and GDPR.
Furthermore, any pre-employment vetting or checks performed by the employer on candidates must be in line with the GDPR and the DPA in Malta. Processing of personal data of candidates, including information about an actual or alleged criminal offence, requires the employer to have a lawful basis for such processing, such as a legal obligation or a lawful authority. In the absence of either, consent is required, and employment must not be made dependent upon such consent.
Though not obligatory, it is suggested that, in the contract of employment, employers include a clause by which the employer’s communication systems are made available to the employee with the understanding that these are used solely for the purposes of the employer’s business and that all communications made through such systems are subject to interception, surveillance and monitoring. This avoids uncomfortable privacy-related situations by making things clear to all employees from the outset.
With the plethora of mitigating measures implemented by the health authorities to curb the spread of COVID-19, many businesses were compelled to shift their workforce to operate remotely from their own homes. Employers had to seek alternative ways to exercise a level of oversight over employees working outside the workplace.
The European Court of Human Rights gave a decision on employee monitoring in 2017, whereby it established that monitoring of employees could only be carried out in compliance with applicable legislation, in a transparent manner and on grounds provided for by law.
Though there is a legitimate reason to assume that the employer has a right to ensure their employee is using the hours of work assigned to them diligently, in adopting such measures, a degree of proportionality and procedural guarantees against arbitrariness are essential, the Court said.
The ECrtHR established a set of principles that must be taken into account to determine whether the monitoring process is in breach of the employees’ rights. These include whether the employee has been notified before being monitored, the extent of the monitoring process, the legitimacy of the reasons to justify monitoring, whether a less intrusive method could have been used, the consequences of monitoring and the provision of adequate safeguards where the measure implemented is of a substantially intrusive nature.
If an employee believes that their data protection rights have been infringed, the employee may lodge a complaint with the Information and Data Protection Commissioner (IDPC).
With regards to social media at the workplace, employers may implement a social media policy that controls the employee’s use of social media, whether at or outside the workplace. Such a policy must, however, comply with the DPA and GDPR’s restrictions.
A solidly drafted social media policy is highly advisable at any workplace, as it easily resolves internal and legal disputes, while also pre-empting and preventing disagreements over employees’ online behaviour, its effects on productivity, time-management and company reputation.
Employers can resort to the proportionate monitoring of employee internet use. However, this needs to be carried out diligently and in full compliance with the relevant data protection principles, ensuring that a balance is struck between the employer’s right to protect their interests and the employee’s right to privacy.
If you believe that your data protection rights have been breached, do not hesitate to contact our legal team at Empleo.
A data breach may occur in the employment context when the data for which an employer is responsible suffers a security incident resulting in a breach of confidentiality, availability or integrity.
If that occurs, and it is likely that the breach poses a risk to an individual’s rights and freedoms, the company has to notify the Office of the Information and Data Protection Commissioner without undue delay, and at the latest within 72 hours after having become aware of the breach. If the company is a data processor, it must notify every data breach to the data controller.
In cases of breaches of data by employees, any work carried out by an employee within the scope of the employee’s employment contract is carried out on behalf and for their employer. The employee is, in fact, considered to be the extension of their employer, who is the controller of the data in question.
The employee and employer cannot be considered separate from one another as long as the employee works within the scope of his/her contract of employment. In data protection law, the employee would only be considered a separate entity from the employer if there is an unauthorised transfer of data, i.e. a transfer of data which was not authorised by the employee’s employer.
It is important to note that if an employee commits a data breach, under the general notions of liability, the employer is liable. However, the employer may separately sue the employee for damages if the employer proves that the employee is at fault for such a breach. If an employee commits such a breach because s/he was not given the adequate training, then the employer may be found responsible.
If an employer subcontracts to an independent practitioner, then such a person would be a separate entity and may be held liable for such a breach of data.
At Empleo, our GDPR and Data Protection professionals can help employees navigate through the legal framework protecting personal data within the context of employment and beyond.
Some of our services in this area include the following:
You may get in touch with us here to request an initial free legal consultation in relation to any of the matters outlined above.
Mariella graduated from the University of Malta with a doctorate in law in 2005. She completed a master’s degree in ‘European Private Law’ from the La Sapienza, University of Rome, and was admitted to the bar in Malta in 2006.
Mariella is a people person – and it is this attribute which has really characterised and shaped her career.
Over the years, she headed the legal departments of several corporate services firms. Due to her skillset, she was also entrusted with managing and overseeing operations and human resources, where she gained technical and practical experience in various corporate, commercial and employment matters.
Her practical hands-on experience and insight perfectly complement Mariella’s technical knowledge of employment law, thus placing her in an ideal position to understand and advise employers and employees alike on various matters that may arise at the workplace.
Mariella is passionate about employment law matters and provides her clients with the highest-quality legal service to achieve the best possible outcome and resolve any employment law related issues and concerns.
Bradley graduated Doctor of Laws from the University of Malta in 2005 and was admitted to the Bar in Malta in 2006. He advises clients on various corporate, commercial, employment and regulatory matters, with particular focus on company and financial services law.
He has assisted clients in various corporate and commercial matters by providing company law advice and assisting in the implementation of corporate finance, restructuring, mergers and acquisitions and similar transactions.
Bradley has also advised and assisted investment funds, fund managers and other investment services providers, banks and financial institutions, on various legal and regulatory matters relating to the setting up, authorisation and ongoing conduct of their activities in Malta.
His practice also covers general employment law matters. Bradley’s experience in company and financial services law enables him to focus on various corporate and regulatory aspects of employment relationships. In particular, he advises organisations on the implementation of employee share option and participation schemes, the implications of business transfers on employment relationships, as well as relations with senior employees.
Karl graduated Doctor of Laws from the University of Malta in 2005 and was admitted to the Bar in Malta in 2006.
Karl has gained considerable expertise in technology law and regularly assists clients in relation to intellectual property issues, commercial contracts and ways to ensure compliance with the General Data Protection Regulation (GDPR) and privacy laws. Whilst such matters used to be only given incidental importance when dealing with employment matters, they are now widely acknowledged to be vital in all employment relationships.
He is also regularly engaged by C-level executives to assist in negotiating employment contracts and settlement agreements.
Karl advises across a multitude of industries including technology; marketing; adtech; financial services; gaming; esports; consumer products; and media and telecommunications.