The Council’s role and responsibilities
Most importantly, the AP states that Works Council is closely involved in the arrangements concerning processing of employee data and employee monitoring systems, and that Works Council has a joint responsibility for the processing and protection of personal data at work. With these statements the AP seems to create a kind of internal supervisory role for Works Council in the field of privacy. However, this is not a role or responsibility that follows from the WCA nor the GDPR and in our experience is not a role Works Council is equipped to fulfil. In essence, the responsibility with regard to the processing of personal data and demonstrating GDPR compliance lies solely with the employer, being supervised by the Supervisory Authority. From a GDPR perspective, Works Council cannot be held liable in case of non-compliance with the GDPR and fines may only be imposed on the employer or its processor, but not on Works Council.
Employee monitoring systems
Unsurprisingly, the AP interprets the notion of “employee monitoring system” broadly, making reference to obvious examples such as track & trace systems, CCTV, GPS trackers, wearables and smart watches. Whilst the AP recognized logging of access as an example for appropriate security measures, it also states that “the use of employee monitoring systems always constitutes an infringement of the employee’s privacy”. To help Works Council making an informed decision on whether or not to consent to intended decisions of the employer to lay down, amend or withdraw, policies or internal regulations that lead to employee monitoring, the AP recommends Works Council to consider asking the following questions:
- Is the policy or regulation considered an employee monitoring system?
- Is it necessary for the employer to use an employee monitoring system?
- Will employees be informed of the purposes, use and retention prior to the monitoring?
- Will performance reviews solely be based on data collected via employee monitoring systems?
Despite the points outlined above, the privacy booklet provides some helpful guidance, particularly on the basic principles of the GDPR and the AP’s view on employee monitoring systems. However it should be treated as guidance only, keeping in mind that it is not the role of Works Council to act as internal supervisory for employee privacy matters, and that Works Council have no joint responsibility in this respect.
Authored by Joke Bodewits.
Andreas Haeuselmann, a paralegal in our Amsterdam office, contributed to this post.