ICLG to Employment & Labour Law 2021 – Data Protection and Employee Privacy
8.1 How do employee data protection rights affect the employment relationship? Can an employer transfer employee data freely to other countries?
In an employment relationship, employers and employees take on the roles of data controllers and data subjects, respectively. An employer is obliged to process any personal data pertaining to the employee in accordance with the Data Protection Act (hereinafter referred to as ‘DPA’), Chapter 586 of the Laws of Malta, and the European Union General Data Protection Regulation (hereinafter referred to as ‘GDPR’).
Due to the unequal negotiation power between employers and employees, it is almost impossible to obtain voluntary consent from an employee which permits the employer to obtain, process and/or transfer employee data. Consequently, in order for an employer to legitimately process employee data, such processing needs to be done on grounds of the performance of an employment contract, to comply with a legal obligation, for the vital interests of the employee or of another natural person, or to further a legitimate interest of the employer.
In order to process employee data for a legitimate interest, an employer must ensure that such interest is not overridden by the interests or the fundamental rights and freedoms of the employee which require protection of personal data. To this end, an employer must perform a privacy impact assessment which balances the employer’s legitimate interests against the employees’ privacy interests.
A transfer of employee data to a third party must take place in accordance with the GDPR. Data transfers to jurisdictions that are not within the European Economic Area (the ‘EEA’) can only take place if the transfer is to an ‘Adequate Jurisdiction’ as specified by the EU Commission, or if the employer has implemented one of the required safeguards as specified by the GDPR.
8.2 Do employees have a right to obtain copies of any personal information that is held by their employer?
As data subjects, employees have the right to make a subject access request in order to obtain copies of any or all personal information held by the employer. A subject access request entitles an employee to acquire: a copy of any personal data held by the employer in hard copy, or which is held in hard copy, but is intended to be transferred to a computer; and any digital data including data held on a computer or an online system. This shall also include all backups of such data.
Upon lodging such a request, employees will have the right to know what data is being held about them by the employer and the reason why, to whom such data has been disclosed, the duration for which the data is intended to be stored and the source of the data when such data has not been supplied by the data subjects themselves.
8.3 Are employers entitled to carry out pre-employment checks on prospective employees (such as criminal record checks)?
Employers may carry out the necessary checks on prospective employees, provided that such checks are limited in scope and in accordance with what is required and permissible by law. An employer must also ensure that any data obtained through such checks is processed on the basis of a legitimate interest.
8.4 Are employers entitled to monitor an employee’s emails, telephone calls or use of an employer’s computer system?
Although an employer might have a legitimate interest to monitor an employee’s emails, telephone calls or use of an employer’s computer system, this interest must be balanced with the privacy rights of an employee. This is particularly the case in light of the fact that private communications, such as emails and telephone calls, fall under the definition of personal data as defined in Article 4 of the GDPR.
The GDPR does not prohibit monitoring at the workplace, as long as the employer complies with the regulations as outlined in the DPA and GDPR. In light of the European Court of Human Rights judgment in the names of Bărbulescu v. Romania (application no. 61496/08), an employer must ensure that the right to private and family life is not breached by such monitoring. This may be carried out by ensuring that any monitoring which may be adopted at the workplace is adequate, restricted in scope, relevant and not too intrusive on the employee. The scope of such monitoring and the way in which it is adopted by the employer must be clearly communicated to the employee in a transparent manner. To this end, the employer must set out clear policies outlining the lawful grounds on which they will carry out the monitoring in question, the circumstances in which monitoring may take place and their expectations of fair use.
8.5 Can an employer control an employee’s use of social media in or outside the workplace?
A social media policy implemented by an employer with the aim of controlling an employee’s use of social media in or outside the workplace must necessarily comply with the regulations as outlined in the DPA and GDPR.
This article forms part of the ICLG to Employment and Labour Law 2021 publication.
For more information you can contact one of our Team Members at Mifsud & Mifsud Advocates.