While the General Data Protection Regulation (GDPR) harmonizes the data protection rules across Europe, it also leaves room for EU Member States to adopt more specific provisions in certain sensitive areas. This is notably the case for the processing of employees' personal data in the employment context. Article 88 of the GDPR allows EU Member States to provide for specific rules in order to ensure the protection of employees' rights and freedoms.
In this context, the new law of 1 August 2018, which implements the GDPR in Luxembourg and repeals the former data protection law of 2 August 2002, has amended Article L. 261-1 of the Luxembourg Labour Code with effect as of 20 August 2018. This provision lays down the conditions for monitoring at the workplace and makes the use of such monitoring easier for employers.
No authorisation for monitoring at the workplace anymore
Thanks to the GDPR and the abolition of the administrative formalities, employers no longer need to ask for the prior authorisation of the CNPD (the Luxembourg data protection authority) to put in place a monitoring activity. Nonetheless, employers are now required to maintain an internal record of their data processing activities. As such, all the information concerning employees' monitoring (e.g. video surveillance, computer surveillance, etc.) should be detailed in the record.
The new article L. 261-1 of the Labour Code recalls that depending on the monitoring activity, the employer might have to carry out a prior data protection impact assessment in accordance with article 35 of the GDPR. This will be notably necessary when the employer puts in place a systematic monitoring of a publicly accessible area on a large scale. Depending on the outcome of such impact assessment, a consultation process with the CNPD may be necessary.
No specific conditions for lawful processing anymore - the grounds of lawful processing indicated in the GDPR apply
Concerning the lawfulness of the processing, the new article L. 261-1 of the Labour Code removes the old specific legitimacy basis, and a monitoring activity can now be carried out if one of the general lawful bases of article 6 of the GDPR (inter alia, legitimate interest of the data controller, legal obligation, data subject's consent, etc.) can be relied upon.
Does this mean that consent, which was de lege excluded under the previous regime, could be used as a legal basis for such processing? In view of the clear imbalance between employer and employee and the fact that consent can be withdrawn at any moment, another legitimacy basis should preferably be used.
The employer's legitimate interest can notably be relied upon, which means that employers could envisage monitoring for reasons that were not accepted under the previous version of Article L. 261-1 of the Labour Code, such as compliance with an IT policy or a code of conduct. Employers can invoke their legitimate interest provided that a balancing test between those interests and the interests or fundamental rights and freedoms of the employees has been undertaken. In any case, the Article 29 Working Party (now replaced by the European Data Protection Board) recommends that data processing for monitoring purposes at work should be a proportionate response to the risks faced by the employer, and notes that the fact that an employer owns the electronic means does not rule out the right of employees to private life and to secrecy of their communications (WP 249). In practice, we often notice that employers do not carry out such a balancing test when relying on the lawful basis of their legitimate interest. We expect that the CNPD will require employers to provide proof as to whether they have run a balancing test.
The specific case of video surveillance - guidance by the CNPD
As regards video surveillance and according to the CNPD's recent guidelines, employees, who thus also have a right to private life in the workplace, should not be continuously and permanently monitored.
Consequently, the cameras' field of view must be limited to the area that must necessarily be monitored for the purposes of the processing (e.g. security of the premises, surveillance of the activity of the employer and the inherent risks, etc.) and should not include areas that are reserved for employees' private use. The cameras must be visible and reported by appropriate signs, and the recordings should be limited to images without sound. The CNPD's guidelines further provide that the video surveillance data should only be kept for eight days but that this period can exceptionally be extended up to thirty days when duly justified. In case of accident or criminal infraction, data may nevertheless be kept for a longer period.
Pay attention to outsourcing arrangements in the field of employee monitoring
If another company is involved in the data processing resulting from the monitoring, e.g. a security company which would typically be a data "processor" acting in the name and on behalf of the employer, an outsourcing contract will have to be entered into between the employer and this subcontractor. This contract will need to comply with the requirements set out in Article 28 of the GDPR with respect to the relationship between data controllers and data processors.
Inform, inform, inform
As in its previous version, the new article L. 261-1 of the Labour Code provides that employers must also inform in advance the staff representative bodies (the joint committee, to the extent that such a committee still exists in certain organisations, or the staff delegation) or, in the absence thereof, the Luxembourg Labour Inspectorate ("Inspection du Travail et des Mines"). This information is obviously without prejudice to the employees' general right to be informed under Article 13 of the GDPR and to their right to be informed stemming from the case law of the European Court of Human Rights, for example in the 2017 Bărbulescu case.
The new provision details the information that must be delivered to the above-mentioned bodies. Such information must consist of a detailed description of the purposes of the processing, the modalities of the monitoring system and the period for which the data will be stored (or, if that is not possible, the criteria used to determine that period), and must contain a formal declaration by the employer that it will not use the personal data for any purposes other than those explicitly mentioned. Within 15 days of receipt of such prior information, the staff delegation or, in the absence thereof, the concerned employees may request a prior opinion on the monitoring project from the CNPD. Such a request has a suspensive effect, so that the monitoring project cannot be implemented before the CNPD has handed down its opinion. The CNPD should deliver its opinion within the month. The law unfortunately does not foresee what the consequences are if the CNPD does not hand down an opinion within that time period. It is also to be regretted that the employer cannot challenge the opinion of the CNPD before the administrative courts, as an opinion is in principle not a decision that is binding upon the employer (even when in practice the employer will nevertheless feel obliged to follow the opinion).
To the extent that the monitoring takes place for the purposes of (i) the health and safety of the employees, (ii) the control of the production or the performance of the employee, provided such measure is the only means of determining the exact salary, or (iii) a flexiwork organization (horaire mobile), the employer will have to submit it beforehand to its staff delegation or, respectively, the joint committee (if still existing), and to run it via the codecision process foreseen in the Luxembourg Labour Code, unless the processing meets a legal or regulatory requirement.
The right to lodge a complaint
Article L. 261-1 of the Labour Code further specifies that an employee has the right to lodge a complaint with the CNPD (which is also foreseen in article 77 of the GDPR) and that such a complaint will not constitute a serious and valid ground for dismissal.
What about existing monitoring projects?
One of the previous versions of the bill of law introducing the new Article L. 261-1 of the Labour Code explicitly mentioned that the new regime is only applicable to the introduction of a new monitoring processing or to the substantial change of an existing monitoring processing. The Luxembourg State Council (Conseil d'Etat) nevertheless considered that it was obvious that only "new" processing activities fall within the scope of the new regime and that the use of the word "substantial" to characterize a change was too vague and created legal insecurity. The legislator followed the suggestion of the State Council and therefore deleted the provision; hence, it may be concluded that only employee monitoring processing activities introduced after the law of 1 August 2018 are concerned by the specific notification regime.
Some questions nevertheless remain unanswered. For instance, what about the case of employers that have implemented monitoring measures before the law of 1 August 2018 without complying with the then applicable notification/authorisation requirements? Or: must the modification of the purposes and the categories of data of an existing processing be considered as a "new" processing?
Is this it? No, it is not: other rules are likely to apply …
But monitoring activities may also be subject to other rules that have not been modified or repealed by the new data protection law of 1 August 2018.
For example, recording employees' telephone conversations or searching e-mails that are private in nature is as such still subject to the provisions of the amended law of 30 May 2005 laying down specific provisions for the protection of persons with regard to the processing of personal data in the electronic communications sector, which implements the E-Privacy Directive 2002/58/EC in Luxembourg and which provides that "no person other than the user concerned may listen to, tap or store communications or the traffic data relating thereto, or engage in any other kinds of interception or surveillance thereof, without the consent of the user concerned", unless one of the exemptions provided by the law applies.
These exceptions are rare and, for example, telephone calls involving employees can only be recorded without their consent when such recording is carried out in the context of lawful business practices for the purpose of providing evidence of a commercial transaction or where there is otherwise an explicit legal basis for this (e.g., the obligation to record calls under MiFID II).
Unlike the previous regime, the new article L. 261-1 of the Labour Code somewhat liberalizes the use of monitoring techniques at the workplace for employers in Luxembourg, but the latter are not released from the strengthened obligations resulting from the GDPR (e.g., in some cases a prior impact assessment should be undertaken). Prior administrative formalities have been removed, but the information obligation towards staff representative bodies is now reinforced and the employees' fundamental rights are also spotlighted. The new Article L. 261-1 of the Labour Code, the application of the GDPR as such, as well as some other specific provisions (such as the rules on e-privacy) manifestly have an impact on each contemplated workplace monitoring activity, and such a project should thus be carefully considered by Luxembourg employers.