WP29’s new opinion on data processing at work

Written by Yung Shin Van Der Sype, KU LEUVEN

Earlier this week the Article 29 Working Party (WP29) released an opinion on data processing at work. This opinion complements the previous publications of the WP29 on data processing in the employment context (i.e. Opinion 8/2001 on the processing of personal data in the employment context, WP 48 and the Working Document on the surveillance of electronic communication in the workplace WP 55).

A new opinion was welcome, given that the previous documents were fifteen years old and the rapid adoption of new information technologies in the workplace has changed the employment context in many ways. For example, the cost of technologies enabling data processing at work are much lower than they were, while the capacity of these technologies to process personal data has been increased exponentially. Moreover, there are several new forms of processing, for example, those concerning the location of individuals and screening of social media profiles. A last example that the WP29 provides, concerns the further blurring of the boundaries between home and work. Employees work remotely, for example from home, which could potentially include monitoring of the individual in a private context.

The 2017 opinion reassesses the balance between legitimate interests of employers and the reasonable privacy expectations of employees by outlining the risks posed by new technologies. A number of the previous conclusions are restated (and further in the document refined). The WP29 confirms that when processing of personal data:

  • employers should always bear in mind the fundamental data protection principles, irrespective of the technology used;
  • the contents of electronic communications made from business premises enjoy the same fundamental rights protections as analogue communications;
  • consent is highly unlikely to be a legal basis for data processing at work, unless employees can refuse without adverse consequence;
  • performance of a contract and legitimate interests can sometimes be invoked, provided the processing is strictly necessary for a legitimate purpose and complies with the principles of proportionality and subsidiarity;
  • employees should receive effective information about the monitoring that takes place, and
  • any international transfer of employee data should take place only where an adequate level of protection is ensured.

Moreover, the new opinion considers a number of new GDPR obligations that are also applicable to employers-data controllers.

A first one concerns the data protection by design and by default principle. Article 25 of the GDPR requires data controllers to implement data protection by design and by default. For example, when an employer issues devices with tracking functions to employees, the most privacy-friendly solutions should be selected.

Another one concerns the Data Protection Impact Assessment (DPIA) obligation. Article 35 of the GDPR obliges data controllers to carry out a DPIA where a type of processing is likely to result in a high risk of the rights and freedoms of natural persons. Employers will need to conduct a DPIA, for example, when they systematically monitor their employees (see also the recent guidelines of the WP29 on DPIAs, WP 248).

Further, the WP29 emphasises that Article 88 of the GDPR allows Member States to provide more specific rules to ensure the protection of employees’ personal data in the employment context. These rules should include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of the processing operation; the transfer of personal data within undertakings and enterprises engaged in a joint economic activity; and monitoring systems at the workplace.

In Section 5 of the opinion, the WP29 provides examples of proportionality assessments in nine different scenarios.

The WP29’s position on processing operations resulting from in-employment screening is particularly interesting in the DOGANA context. The WP29 states that:

Through the existence of profiles on social media, and the development of new analytical technologies, employers have (or can obtain) the technical capability of permanently screening employees by collecting information regarding their friends, opinions, beliefs, interests, habits, whereabouts, attitudes and behaviours therefore capturing data, including sensitive data, relating to the employee’s private and family life.

In-employment screening of employees’ social media profiles should not take place on a generalised basis”.

However, employers could monitor the LinkedIn profiles of former employees that are subject to non-compete clauses as long as the employer can prove that, first, such monitoring is necessary to protect his legitimate interests. Second, there are no other, less invasive means available. And finally, that the former employees have been adequately informed about the extent of the regular observation of their online public communications.

In general, employers need to be constantly aware of the need to comply with the privacy- and data protection laws and regulations. Focus should go to i) the transparency of the processing activities, meaning that the employer should effectively communicate the monitoring procedures to the employees, and ii) proportionality and data minimisation, meaning that the processing activity does not go further than what is strictly necessary to achieve the pre-set and pre-communicated legitimate interest of the employer. As a consequence, employers are not allowed to (for example) use data from access control systems to track working hours of employees or to access health data about employees collected by company-offered fitness trackers.

In conclusion – the opinion provides for an extensive overview of the current position of the WP29 on the processing of personal data of employees in the employment context – and is hence a must-read document for everyone employing or being employed in an EU employment context.


by Yung Shin Van Der Sype (KU LEUVEN)


This project has received funding from the European Union’s Horizon 2020 Research and Innovation programme, under grant agreement No. 653618




The DOGANA phishing videogame

Want to try it?
Read more here and contact us


Phishing: awareness through play

Want to try it?
Read more here and contact us


Contraband pixels and texts
Read all about our liteary-graphic competition on phishing and social engineering

All the pictures and novels