The Works Council Privacy Booklet – new guidance published by Dutch DPA

The Dutch Supervisory Authority (Autoriteit Persoonsgegevens or "AP") has published a privacy booklet that primarily aims to support Works Council in its role with regard to privacy under the GDPR. Whilst the booklet provides some helpful clarifications on the AP’s interpretation of “employee monitoring systems,” it also contains statements that are not in line with the Dutch Works Council Act (WCA) and the General Data Protection Regulation (GDPR), resulting in new discussions on the Works Council’s role and responsibilities. This has created legal uncertainties and may lead to conflicts between employers and Works Council.

The Council’s role and responsibilities

Most importantly, the AP states that Works Council is closely involved in the arrangements concerning processing of employee data and employee monitoring systems, and that Works Council has a joint responsibility for the processing and protection of personal data at work. With these statements, the AP seems to create a kind of internal supervisory role for Works Council in the field of privacy. However, this is not a role or responsibility that follows from either the WCA or the GDPR, and in our experience it is not a role Works Council is equipped to fulfil. In essence, the responsibility with regard to the processing of personal data and demonstrating GDPR compliance lies solely with the employer, being supervised by the Supervisory Authority. From a GDPR perspective, Works Council cannot be held liable in case of non-compliance with the GDPR, and fines may only be imposed on the employer or its processor, but not on Works Council.

Based on the WCA, Works Council has a right to be informed of and to (withhold) consent to intended decisions of the employer to lay down, amend or withdraw policies or internal regulations on, among others, the processing and protection of employee personal data, employee monitoring systems and the attendance or the performance of employees. For instance, if an employer plans to amend its employee privacy policy or to implement software to keep track of workflows, customer interactions or access to documents (logging), Works Council must be informed and asked for consent according to the WCA. Works Council, however, does not need to consider or assess compliance with the basic principles of the GDPR, for instance the lawfulness and proportionality. Furthermore, Works Council is not obliged to carry out or review data protection impact assessments, records of processing activities, incident registers, international transfer mechanisms or (other) documents prepared for GDPR compliance by the employer.

Employee monitoring systems

Unsurprisingly, the AP interprets the notion of “employee monitoring system” broadly, making reference to obvious examples such as track & trace systems, CCTV, GPS trackers, wearables and smart watches. Whilst the AP recognizes logging of access as an example of appropriate security measures, it also states that “the use of employee monitoring systems always constitutes an infringement of the employee’s privacy”. To help Works Council make an informed decision on whether or not to consent to intended decisions of the employer to lay down, amend or withdraw policies or internal regulations that lead to employee monitoring, the AP recommends that Works Council consider asking the following questions:

  • Is the policy or regulation considered an employee monitoring system?
  • Is it necessary for the employer to use an employee monitoring system?
  • Will employees be informed of the purposes, use and retention prior to the monitoring?
  • Will performance reviews solely be based on data collected via employee monitoring systems?

Despite the points outlined above, the privacy booklet provides some helpful guidance, particularly on the basic principles of the GDPR and the AP’s view on employee monitoring systems. However, it should be treated as guidance only, keeping in mind that it is not the role of Works Council to act as internal supervisor for employee privacy matters, and that Works Council has no joint responsibility in this respect.

 

Authored by Joke Bodewits. 

Andreas Haeuselmann, a paralegal in our Amsterdam office, contributed to this post.

 

 

This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.
