Employee monitoring proving hot target for GDPR enforcement

Indeed, some of the biggest fines under the GDPR have been because of improper employee monitoring.

In October 2020, clothing retailer H&M’s German subsidiary was hit with a €35.2 million (then-U.S. $41.3 million) penalty for excessively monitoring hundreds of employees over at least a five-year period. In January, another German data regulator fined online laptop and electronic goods retailer NBB €10.4 million (then-U.S. $12.7 million) for video-monitoring employees for at least two years without any legal basis.

According to law firm CMS’s most recent Enforcement Tracker report, most EU data protection authorities (15 as of the first half of this year) have imposed fines for illegal employee monitoring, and the frequency is rising. Germany and Italy are responsible for the largest penalties, while Spain has handed out the most.

“Just because it is now possible to monitor employees both in and out of the workplace, it does not mean it is always a good idea.”

Simon McMenemy, Managing Partner, Ogletree Deakins

While the majority of actions amount to triple-digit sanctions for low-level noncompliance, some can be severely punitive. In April 2020, an undisclosed Dutch organization was fined €725,000 for unlawfully using employees’ fingerprint scans for its attendance and timekeeping records. This February, the Norwegian DPA fined an employer €40,000 for unlawfully setting up automatic forwarding of an employee’s emails while that person was on sick leave.

According to research conducted by software comparison website GetApp, corporate spending on monitoring software has increased significantly since the pandemic began, with nearly a fifth of managers surveyed saying their budgets have doubled. GetApp also found 51 percent of managers admit to overstepping their employees’ legal rights through monitoring, with 30 percent doing so knowingly. Meanwhile, 26 percent of employees said they were not informed they were being monitored (despite a legal requirement to do so).

“Just because it is now possible to monitor employees both in and out of the workplace, it does not mean it is always a good idea,” says Simon McMenemy, managing partner at employment law firm Ogletree Deakins. Part of the problem, McMenemy says, is technology has been “rapidly outpacing the law that is meant to regulate its use,” while much of the technology embraced by organizations is U.S.-based and might not be GDPR-compliant.

Lawyers say remote surveillance is a legitimate business practice to monitor employee performance and well-being, and in some industries—such as financial services—it can even be required by the regulator for good governance. However, there is “a right and a wrong way to go about it.”

Paula Cole, partner at U.K. law firm TLT, says there are four key points for employers to consider when implementing monitoring technology.

“First, they need to act in a proportionate and justified manner,” she says. “Second, they have to inform employees of their intention to monitor. Third, be mindful of the risks around discrimination. And fourth, ensure there are sufficient safeguards in place to prevent abuse or over-monitoring.”

Ed Hayes, a data privacy and cyber-security partner at TLT, adds there is no “one-size-fits-all” guide to what is “proportionate and justified” monitoring. Variations include individual circumstances, industry sector, the type of work being done, and the purpose of the monitoring. Regulatory divergence and differences in enforcement across Europe could also have an impact on how such monitoring will be interpreted, tolerated, and punished, Hayes says.

“Consent is almost never a valid basis for a company to use to process its employees’ personal data because the imbalance of power in the employee-employer relationship means an employee can’t meaningfully be said to freely give their consent to remote monitoring,” he says. “When an employer notifies its employees of remote monitoring, it is not doing so to seek their consent but to fulfill its transparency obligations.”

To be safe, businesses should monitor in the least intrusive ways possible, says Kim Walker, partner and data protection expert at law firm Shakespeare Martineau.

“Restrict monitoring of emails to the email address and heading and don’t monitor content unless a red flag is raised,” Walker says. “Don’t monitor emails and calls continuously—just through sampling—and don’t continuously monitor through CCTV unless the role justifies it. It’s important to also tell employees to mark their emails ‘private’ as appropriate.”

Experts recommend companies should conduct a thorough data processing impact assessment to help flag whether any monitoring might be breaking the law.

Finding alternatives to monitoring might also prove more useful in the long run. Karen Holden, founder and managing director of legal services group A City Law Firm, suggests “better employee training and supervision could prove to be better preventative measures,” while limiting employees’ access to data not required for their role will also minimize risks.