While many may possess superficial knowledge of the European Parliament and Council’s General Data Protection Regulation, very few seem to properly understand the implications it will have on Maltese businesses come the 25th of May 2018. Although remarkable in its intended reach and extent of application, the GDPR’s underpinning principles are in fact decades old: replacing the outmoded 1995 Data Protection Directive, the GDPR seeks to propel data protection rights into the digital age, amending and extending currently established obligations but more importantly, rights belonging to the data subject at large. Accustomed to a somewhat laissez faire attitude with regard to privacy and data protection when compared to other, continental, EU member states, the GDPR is set to bring about a tangible cultural shift in Maltese perception and practices concerning data protection.
Despite facilitating the exchange and storage of data as well as the general conducting of day to day business activities, technological advances pose an increased challenge in the application of and compliance to the GDPR’s requirements, aimed at guaranteeing the fundamental right to the protection of personal data as enshrined in Article 8 sub-article 1 of the Charter of Fundamental Rights of the European Union. It is however within the context of the work environment that the GDPR may give rise to considerable issues regarding practices and policies, not merely when dealing with customers and clients, but also with regard to employees.
Employers are in fact involved in near-constant processing of data belonging to their employee data subjects, which processing is generally related to the running of the business in question as well as to the fulfilment of contractual and legal obligations directly related to an employment situation. Office computers and Wi-Fi systems are commonly equipped with software designed to protect from data breaches or system compromisation; employers also routinely process their employees’ most personal information, ranging from addresses and identity card numbers to bank account and social security details. This data processing, based upon consent, legitimate interest or the mere fulfilment of established obligations, must necessarily be carried out within the confines of the GDPR’s underpinning principles.
A distinct departure from current data protection related practices concerns the issue of consent within the employment scenario. While generic consent clauses contained within employment contracts were generally believed to offer the employer near carte blanche with regard to employee data processing, this has been radically changed within the GDPR. Consent must in fact be proposed in easily legible and accessible forms related to the specific proposed use of the data in question; consent must be clear, manifest and distinguishable and requested using easily understandable language, as well as being as easily withdrawn as it is granted. Crucially, it is widely held that employee consent can never be entirely freely granted due to the inherent imbalance of power in the context of employer-employee relations; this necessarily increases the importance of the notion of ‘legitimate interest’ with regard to data processing methods within the workplace.
Legitimate interest, whilst not strictly defined by the Regulation, can be said to be delineated within the confines of the employee data subject’s rights and freedoms; it is often used to justify a number of data processing situations which must however be conducted in the most minimal and transparent of ways. The GDPR’s tenements in fact underline the need for proportionality and minimization, transparency and the right to access: employees must in fact be specifically informed on which personal data is going to be used, on how it will be used, on the period of time for which the data will be kept and why. In addition, employees will have the right to request and receive a copy of the data being processed in an easily accessible electronic format. Minimization and proportionality, on the other hand, may effectively be achieved through the accurate identification of potential risk areas and the application of preventative as well as monitoring measures directly and solely related to such risks.
The issue of proportionality and transparency, and, as an indirect consequence, minimization, proved to be the central issues to the decision promulgated by the Grand Chamber of the European Court of Human Rights in the names Barbulescu v. Romania. Directly related to the challenges posed by the GDPR within the context of employer-employee relations, this landmark judgment highlights the need for employees to be informed of possible monitoring of their personal communications within the workplace, of the nature and extent of such monitoring and of the impact and extent such monitoring may have on an employee’s private life, based upon a satisfactorily supported claim of legitimate interest by the employer. Framed within the context of the near-constant exchange of emails, instant messages, use of social media as well as the widening of the GDPR’s definition of ‘data’ to also include IP addresses and online cookies, this judgment highlights the potential risks and breaches a non-compliant employer may render himself liable to, with the possibility of grave repercussions of financial but also reputational nature.
Importantly, the GDPR also creates a new employment role, calling for the appointment of a Data Protection Officer for entities that process or store large amounts of personal data belonging to employees, customers and clients. Responsible for training and educating the company and its employees on issues of compliance and for conducting regular audits as well as for the keeping of complete records of data processing activity conducted by the company, Data Protection Officers will also serve as the point of contact between organizations and the Maltese Supervisory Authority with regard to data protection.
Although seemingly burdensome in scope and application, the GDPR is however set to bring about radical changes in the understanding of data protection and privacy within the place of work. By effectively encouraging the review of internal (as well as third party service providers’) processes and procedures and the establishment of new ones incorporating data protection by design from inception, the GDPR is proving to be a valuable means of enabling Maltese businesses and organizations in the context of long-established fundamental rights pertaining to all European citizens.
For more information on and how the legal implications and requirements of the GDPR can impact your business, please contact Dr Michele Tufigno on