From a human rights perspective, the possession and use of our data by other people affects our private life. However, the privacy of our private life has to a certain extent been reduced. In other words, our right to private life has been restricted.
An employer should not monitor or access an employee’s personal accounts but can still control and record the fact of employee access to personal accounts or the fact of in-office non-work activities by employees. For this purpose, the employer may establish procedures to watch for prohibited access or non-work activities by employees and to check whether employees are violating their responsibilities. However, this is only permissible if an access-controlling procedure is established in internal documents. Employees should be required to sign an acknowledgement that they have read these internal documents.
This is the conclusion from the recent case law of the European Court of Human Rights (ECtHR) in the shape of the judgment delivered in Barbulescu v Romania (2016). The main rules established in this case may be considered general principles to be applied to workplace use of social media and the internet by employees.
In 2007, Mr. Barbulescu was dismissed by his Romanian employer on the grounds of having violated internal company regulations. The violation of working duties consisted of using his professional Yahoo Messenger account (which the employer asked him to set up specifically in order to reply to client queries) for personal purposes.
Following the position of the ECtHR, an employer suspecting a breach would be entitled to check accounts provided to employees or created by employees for professional purposes (i.e., professional accounts) in order to establish whether employees are in fact violating their duties. Importantly, an employer is entitled to carry out checks and use the information received only for the purpose of proving suspected violations. Additionally, an employer may maintain surveillance over and use private employee communications, but only to the extent of proving violation of an employee’s professional obligations; otherwise it would be considered a violation of the employee’s right to respect for private life. The purpose of monitoring cannot be to collect, publish or in any other way use an employee’s personal information. The right to monitor an employee’s professional accounts and check use of inventory, working methods and tools must be clearly established in the company’s internal documents. Monitoring purposes may be defined as “in order to establish whether employees are not violating their duties”.
As a general rule, employers are not prohibited from implementing monitoring measures to establish whether an employee is using inventory, technical equipment and tools provided exclusively for work purposes, to restrict their use for personal purposes, and to ensure that employees are not managing their personal affairs during working time, provided that this is clearly and comprehensively established in internal company documents.
Therefore, we recommend supplementing internal legal acts regulating working procedures, such as the job description, employee guide, handbook and policies, as well as the employment agreement, by including:
- a clear obligation to use professional accounts, inventory, working equipment and tools exclusively for work;
- a direct prohibition on managing personal affairs during working time;
- a detailed monitoring procedure: how the employee will be notified of a planned inspection, the scope and purposes of the inspection, how to communicate with the employee where violations are suspected, how the employee may provide explanations, and so on.
Where the above prohibitions and terms are clearly and properly documented, employees who use professional accounts or other purely work-related resources for purposes not related to their work (e.g. browsing the web for entertainment, texting in portals using personal accounts) will be considered to have violated their working duties. Consequently, the employer will be entitled to impose disciplinary measures accordingly.
After the new Labour Code entered into force on 1 July 2017, employee rights to respect for private communication are also established in Lithuania.
Under the Labour Code, an employer must respect employees’ right to privacy of private communications when implementing ownership and management rights to information and communication technologies used in the workplace.
An employer with over 50 employees (on average) must adopt and announce to employees a policy on protection of employees’ personal data and plans to achieve that goal. This means that an employer will be obliged to use separate documentation on processing employees’ data in addition to the general Rules on Personal Data Processing required under legal acts on personal data processing.
Under the new Labour Code rules, the following obligations relate to processing employees’ personal data:
- to approve a policy on use of information and communication technologies and inform employees accordingly;
- to approve a policy on employees’ workplace monitoring and surveillance and inform employees thereof (if monitoring is carried out);
- to approve a policy on protection of employees’ personal data and measures to achieve this.
Every employer with over 20 employees (on average) is also obliged to inform and consult with the works council regarding approval of and amendments to the above-listed documents.
Clearly, the rules established by the new Labour Code comply with the position of the ECtHR. However, the exact means of enforcing an employer’s legitimate interests as well as principles for limiting employee rights are not indicated in detail. The Labour Code refers to other legal acts, where specific rules on protection of employees’ personal data and implementation of the right to respect for private life may be established. Thus, general rules on protection of personal data as well as privacy regulations will continue to apply to the processing of employees’ data insofar as this is not regulated by the Labour Code.
Therefore, the new General Data Protection Regulation is relevant. This regulation will oblige companies to process more carefully and responsibly not only employees’ data but also the personal data of any other person. Only 11 months are left for preparation. So those who wish to prepare on time should start with an internal audit of actions performed with personal data. This should be followed by a check on the means implemented and principles applied to ensure data protection, while employees should be informed of all procedures. According to the audit results, all missing protective measures along with additional measures should be implemented in order to comply with the new obligations. Companies are already required to encode stored data, maintain backup copies, install antivirus software, establish procedures for updating passwords, and formalize all data processing procedures neatly and consistently. Failure to do so may result in significant fines of up to 20 000 Euro or 4 % of annual turnover worldwide.