Employee monitoring under the Romanian law implementing GDPR

05.07.2018

On 27 June 2018, the Romanian Parliament finally approved the Romanian law intending to cover the open clauses under the General Data Protection Regulation ("GDPR"). The new law ("GDPR Implementing Law") is not yet in force; at the date of this article (4 July 2018) it still lacks ratification from the Romanian President and publication with the Romanian Official Gazette.

The initial draft of the GDPR Implementing Law raised numerous debates and disputes, two different projects being proposed more or less simultaneously and by more or less the same initiators, some provisions being intensively criticized by the business environment, such as the total prohibition of the private sector in processing biometric, genetic and health data for profiling and other automatic processing, even while having the consent of the data subject. During the process, the text incorporated several amendments that partially balanced the positions of the processing actors.

The GDPR Implementing Law covers a limited number of areas, mainly it: (i) implements special rules concerning the processing of certain categories of sensitive data (biometric data, genetic data, data concerning health), (ii) introduces derogatory rules in relation to other categories of data (e.g. personal identification number, employee data), (iii) regulates the licensing of certification bodies, (iv) implements rules regarding the sanctioning of the public sector for GDPR breaches and (v) approves transitional provisions.

This brief deals only with the rules brought by the GDPR Implementing Law in the area of employment law, specifically when monitoring the employees via electronic communications and/or video surveillance.

In the light of the Barbulescu case (decision dated 5 September 2017 of the Grand Chamber of the European Court of Human Rights in the case Barbulescu v. Romania), but also of the latest Article 29 Data Protection Working Party Opinion on the matter (Opinion 2/2017 dated 8 June 2017on data processing at work), Romania decided to take the benefit of the open clause in art. 88 of the GDPR, which provides that "Member States may, by law or by collective agreements, provide for more specific rules to ensure protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context [..]. Those rules shall include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, [..] and monitoring systems of the workplace."

Specifically, the GDPR Implementing Law adds certain safeguards against an employer's abuse, by providing a number of pre-requisites to the monitoring of the employees via electronic communications and/or video surveillance. These pre-conditions are cumulative and, needles to say, must be thoroughly documented.

Under the GDPR Implementing Law, in order to monitor the employees legally, the employer must:

  • inform the employees (obviously, in advance) on the monitoring/surveillance, completely and explicitly;
  • document that its legitimate interests are solidly grounded and prevail over the interests, on one hand, or the rights and freedoms, on the other hand, of the data subjects;
  • consult the trade union or the representatives of the employees [according to the Romanian rules, consultation does not imply a consent of the employee representation bodies];
  • document the subsidiarity of the intended monitoring, respectively that other less intrusive measures have failed, have not proved to be efficient (which implies that such less intrusive measures have been actually applied and not only analyzed/considered).

As concerns the duration of the data storage, such duration must be proportional with the purpose of the processing, but in any event, not longer than 30 days, except for cases expressly provided in the law or other solidly grounded situations. Highly unlikely that any compliance or disciplinary issue will be finalized in 30 days; therefore, again employers will need to document the need to keep the data for longer periods.

At Romanian level, the court argumentation in Barbulescu case and the recommendations of Article 29 Data Protection Working Party are now therefore transposed to a certain extent into the national legislation by way of law. Further on, all three sources of law and guidance must be considered in aggregate when implementing employee monitoring systems, which certainly complicates the process for employers.

Even more than before, the specific circumstances and factual elements (e.g. the specific aim of a strict monitoring, the degree of the intrusion - flow vs. content, the seriousness of the consequences for the employees) will need to be carefully considered when balancing the interests at stake and a perfect documentation of the case becomes also of outmost importance.

The employee monitoring was, is and remains a hot, subjective and unsettled issue.

 

Article provided by: Adelina Iftime-Blagean (Wolf Theiss)

 

Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Höllwarthtobias.hoellwarth@eurocloud.org

VIEW PROJECT

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.