Lidia Gimeno

Abogada en Protección de Datos y Derecho de las Nuevas Tecnologías

The processing of employees’ personal data at work. 

In the day a day activity of an Enterprise, the Employer is obliged to process numerous personal data of their Employees. Even if in the past this data was not of an important amount, nowadays, with the progressive intrusion of new technologies in our lives, the data processed by the Employers had exponentially increased. In result, it is a fact that enterprises use new technologies for three main purposes with which personal data of employees is processed:

  • For the detection and prevention of intellectual property or assets loss;
  • To increase the productivity of employees;
  • To protect the personal data processed in the enterprise.

Obviously, the incorporation of this type of new technologies brought about important problems related with the fundamental rights of the employees (Privacy, communications secrecy, among others). For this reason, before implementing any type of technology that can harm these rights, the employer must weigh the rights that can be damaged, having in mind the employer has the right of property and freedom of enterprise (arts. 33 and 38 Spanish Constitution) along with the Power of Control upon the employee recognized in the article 20(3) of the Employee Statute.

After this general vision of the problems raised from the use of these technologies, the present post will focus in the protection of personal data and its concrete regulation to stablish in which situations the processing of personal data of the employees is lawful. The regulations in application in the present analysis will be:

To analyze whether a processing of employees’ personal data is lawful, a few questions should be made:

  • Do we have a legal basis to the processing of data?
  • Which is the purpose of the data processing?
  • Is it proportional and necessary the processing of data related with the purpose of the processing?
  • Have the employees been informed about the data processing?
  • Did we adopt the appropriate technical and organizational measures for the processing?

1)      Do we have a legal basis to the processing of data?

The articles 7 Directive and 6 GDPR establish the cases in which the processing of personal data in lawful, being relevant to the current analysis four of them.

  1. THE CONSENT OF THE EMPLOYEE – articles 7(a) Directive and 6(1)(a) GRPD.

Generally, it is considered that, having in mind the nature of the relationship existing between employee and employer, it would not be able to base a lawful processing of personal data in the consent of the employee.

Related with this, the Opinion 2/2017 specifies that the default configurations or the installation of unconsented software, without the opposition of the employee, must not be considered as consent as it has not existed an active expression of will of the worker.

So, WP 29 concludes that a processing of personal data should only be based in the consent of the employee when the worker has the freedom to consent the processing, having the possibility of denying the processing without existing any type of negative consequences for him/her.  


The Opinion 2/2017 indicates that there are certain types of processing that could be necessary for the performance of a labor contract, being, in this case, lawful the processing of the employee’s personal data. A clear example of this would be the processing of the personal data with the purpose of paying the salary to the employee.

  1. PROCESSING IMPOSED BY A LEGAL OBLIGATION – articles 7(c) Directive and 6(1)(c) GPDR.

Employment law can impose legal obligations on the employer. An example could be the processing of personal data with the purpose of calculating the retention in the salary of the employee.


This option can be used when the employer has a legitimate interest for the processing of the personal data and when it is not overridden by the fundamental rights or interests and freedoms of the data subjects.

The concept of legitimate interest can be defined as the final objective of the processing due to law. An example could be the protection of personal data contained in the servers of an enterprise from which the employer is the data controller and with the objective of protecting them from unauthorized access or leak of information.

Briefly, as it is stated in the Opinion 6/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, there are three main rules that an interest should meet to be considered as legitimate:

  • It must be lawful, according to the national and European law;
  • It must be indicated with sufficient clarity to be able to weight it with the fundamental rights and freedoms of the data subject;
  • It must represent a real and actual interest.

2)      Which is the purpose of the data processing?

In the moment of establishing the processing of the data, you should not only have a legal basis to the processing but also a determined purpose for the processing. For example, in case we process data for the payment of the worker’s salaries, the purpose of the processing of the necessary personal data would not be other than the payment of the employee’s salary. That will mean that this personal data will only be able to be processed for this purpose except in case you have another legal basis for the processing of the data.

Why is this so important?

This is relevant because in the article 5(1)(b) GDPR it is stablished the principle of purpose limitation. In this principle it is stated that the data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Maybe in the previous example that seemed not relevant but in the next one could be.

An employer decides to install a system that monitors the traffic of data of employees to prevent unauthorized access or leak of information. However, let’s imagine an employer uses the data recoiled from the employees with the purpose of monitor the effective work done by them. In this case, the employer would be using the data recollected for a purpose for a different purpose, for which it should be analyzed if this processing meets with all the requisites to be considered lawful.  

This is the reason why the purpose of the processing should be clear and specified, because every purpose should be submitted to the analysis previously stated, to ensure that the data processing is lawful.

3)      Is it proportional and necessary the processing of data related with the purpose of the processing?

After establishing the purpose of the processing, it should be analyzed if the processed data is proportional and necessary for the purpose of the data processing.

Here it will be relevant the data minimization principle indicated in the article 5(1)(c) GDPR for which it is stablished that the processed data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. In addition, the principles of proportionality and subsidiarity should be obeyed in the measures adopted to collect personal data, with the objective to restrict to the minimum the damage to the fundamental rights of the employees.

This means:

  • The processed data should be the necessary amount of data related with the purpose of the processing;
  • The fundamental rights of the employees should be weighted with the collection of personal data (the method, amount and purpose);
  • The measures adopted by the enterprise should limit to the minimum the damage in the fundamental rights of the data subjects (mainly, privacy and secrecy to the fundamental rights), opting always for the measures that respect the rights of the workers. This would mean, for example, that, if the purpose of the employer is to control the productivity of the employees, it is not necessary to monitor and intercept all the communications of the workers as it is possible to reach the same purpose just controlling the metadata of the internet traffic of the workers, becoming disproportional the intromission in the right of the secrecy of the communications of the employees.

4)      Have the employees been informed about the data processing?

The employees should be informed about the processing of the data, virtue to the articles 10 Directive and 12 to 14 GDPR.

The workers should be informed about:

  • The purpose of the data processing;
  • The circumstances of the data processing;
  • The possibilities of preventing the data being captured;
  • The existence of a monitoring system of the Internet traffic;
  • Other guarantees for a lawful data processing.

5)      Did we adopt the appropriate technical and organizational measures for the processing? 

As any processing of personal data, the data controller -in this case, the employer- is obliged by the articles 17 Directive and 32 GDPR to implement appropriate technical and organizational measures to ensure a level of security appropriate to the processing.

After briefly seeing the analysis process that should be followed, next, it will be analyzed the different cases specified in the Opinion 2/2017.


As it is stated by the WP29, as a general matter, it should not be recollected the data from a social network of the candidate, even if this data is public.

In case the employer could base this processing in a legitimate interest for understanding that this data is necessary and relevant for the job, the candidates should be informed about the processing of this data. In this case, it should be considered which is the purpose of the social network (private -Facebook- or business -Linkedin-).

Despite that, the WP29 stablishes that there is no legal basis to require to a candidate the access to his social network content.

Finally, the data recollected during the recruitment should be deleted as soon as the recruitment process finishes, except for the cases in which the employer would want to retain them for future recruitment processes and when the data subject has been informed about this and had the possibility of accepting or refusing the data processing.


The WP29 states that, as a general matter, the data from the employees’ social networks can not be controlled as special categories of personal data could be collected.

Even that, the WP29 proposes an example in which could exist a lawful processing of personal data extracted from Linkedin.

An employer monitors the profiles in Linkedin of exemployees during the period stablished in a non-compete clause. This data processing could be lawful if the employer can prove that is necessary for its legitimate interest -the compliance of the non-compete clause and the protection of the knowledge and the positioning in the market-, does not exist a measure less harmful of the privacy right of the exemployees, and that they had been informed about the monitor of their profiles.
Finally, in case the job position requires from the use of a social network profile (for example, a spokesperson), the employee would have the option/freedom to have a personal social network profile different from the one related to his/her job.


The employer could want to monitor the Internet traffic of their employees with the purpose of protecting the personal data from which the employer is the data controller and their property assets.

For this, the employer should follow all the process indicated in the scheme previously indicated, weighting all the rights that could be affected.

Here, there are two examples:

The employer installs a TLS inspection device that deciphers and inspects all the codified data traffic with the objective of detecting malicious traffic and controlling and analyze the online activity of the employees.
In this case, the legitimate interest of the employer would be the protection of the office network and the data of employees and clients from an unauthorized access and leakage of data.
However, the WP29 considers that the monitoring of all the online activity of the employees could be a disproportionate measure and harm the Right to the secrecy of the communications of the workers. For this, it is considered that a less harmful measure should be adopted to accomplish this purpose.
The measures proposed are:
  • The configuration of devices to avoid the permanent storage of personal data, only storing data in case an incident occurs.
  • Configuring the device to not intercept the communications in those situations in which the proportionality principle could not be meet. For example, access to private mail, online banking and health websites.
  • Creating a Policy where the workers are clearly informer about how and why the logs are considered as malicious and could be accessible by the persons in charge of the monitor. That Policy should be permanently accessible by all the employees and, conveniently, should be revised at least every year.
  • Also, it is considered a good practice to ability non-monitored wi-fi and devices to the use of employees.
The Employer installs a device for the prevention of data loss with the objective of monitoring the e-mails traffic to prevent the unauthorized transmission of data. In the cases in which an e-mail is considered to meet with the characteristics to be a potential data leakage, a further investigation would be made.
The legitimate interest of the Employer in this data processing relies in the protection of the personal data of clients and also in the protection of their assets.
However, the WP29 understands that we could be in an unnecessary data processing due to the fact that, in case a false positive is detected, an unauthorized access to legitimate mails of the workers will be produced.
For this reason, the WP29 has a series of measures to take with the purpose of mitigating the risks in the workers’ rights:
  • Informing the employees about the rules that determine an e-mail as a potential leak of data;
  • In case an e-mail meets the characteristics to be determined as a potential leak of data, before the transference of the e-mail, a popup should appear in the computer of the employee informing him/her about that and giving him/her the possibility to cancel the transference.

In relation with the use of online applications, the WP29 stablishes that employers should define private spaces to the workers in which the employer only can access in exceptional circumstances. An example of this could be, in case of the employees have an online calendar, the worker should have the possibility of aggregate private events in which the employer does not have access.

In case the employer monitors the work done by home, the WP29 considers that it is not proportional and excessive the use of software that collects the typing and movement of the mouse, screen capture, registers the used applications and allow the activation of webcams and realization of photos. 

Another situation analyzed by the WP29 is those cases when the employee uses in the office a device of their property. In this case, the monitoring of that computer could derive in the processing of private data.

For this reason, in this cases, it should exist the possibility of differentiating between the private or business use of the device, as well as use methods of secure transference of data to connect with the office network (ex. VPN). Another solution would be the use of sanboxing systems.

In extreme cases and in those that there is no other method to prevent that the private use of the employee is monitored, the WP29 stablishes that the employee can considerate forbid the use of some devices for private uses. This will happen, for example, when the device allows to remote access to personal data for which the employer is the data controller.

In the use of mobile devices, the Employer could use a Mobile Device Management software, which allows him to access to remote access to the devices, to deploy specific configurations, erasure of data and tracking of position. In these cases, the WP29 outlines that its use must be limited and only related with determined purposes. 

For example, the tracking function could be used to track and monitor the employees and their positions, something that would not comply with the proportionality and subsidiarity principles. For this reason, in case that this function would be used with the purpose of loss or stealing preventing, the system should be configured as the tracking data is only accessible to the employer in case the device is reported as stolen or lost.

Other devices that are starting to be worn by employees is wearables. In this case, the WP29 stablishes that the employer should be careful about processing the data compiled because personal data related with health could be processed, being special protected data as established in the data protection regulation (articles 6 Directive and 9 GDPR).

Related with the legal basis of the personal data collected with these devices, the WP29 highlights that this processing can not be based in the consent of the employee, having in mind the nature of the relationship existing between employer and employee. In addition to this, it should be considered that the article 10 of the draft bill of the new Spanish data protection regulation indicates that the consent of the data subject can not be the legal basis for the processing of special protected data -having in mind that this devices collects data related with health-.

In addition, the WP29 highlights that the complete anonymization of this data is not possible, as the data subject could be identified by determined characteristics of health such as high blood pressure and obesity.

An enterprise offers to the employees wearables as a gift. That wearables count the steps of the worker, register their heartbeats and their sleep patterns.
The data collected should only be accessed by the employee. Moreover, the employer should be aware about the Privacy Policy of the service supplier as it could derive to an unlawful processing of the data of its employees. An example could be a wearable that synchronizes the data collected to a cloud in which the data is stored in a server situated in a third estate, generating an international transference of personal data of the workers.


The employer could want to process data related with time and assistance of the employees. As in all the cases, the conditions explained in the scheme should be complied (legal basis, necessity, proportionality, purpose, information and measures).

An employer installs a device to control the access to the room where all the servers of the enterprise are sited. These servers contain all the data of the office.
The legitimate interest searched by the employer for the data processing of the data collected in the access to the room would be the control of unauthorized access to the data for which the employer is the data controller.
However, these data could not be used for other purposes as, for example, to analyze the performance of the employee, as it exists less harmful measures to the rights of the employees to achieve this purpose.



The employer could have CCTV in the workplace with the purpose of security and control of the office. However, the WP29 warns that the processing of this data collected by CCTV could not be used to monitor the facial expressions of the workers, to identify deviations in the patterns of predefined movements -for example, in factories-, as it will not comply with the principles of subsidiarity and proportionality.

Moreover, it is recommended to not use facial recognition technologies as from this it will derive the processing of especial protected data.


In relation with the legal basis, the installation of devices to the monitoring of vehicles should respond to a legal obligation. For example, the security of the employees.

Another legal basis that could exist in the monitoring of vehicles could be the legitimate interest of the employer. For example, the tracking of vehicles with the purpose of preventing the stole of vehicles.

Obviously, this data can not be used for evaluating the workers’ performance nor analyzing the driving skills of the employee (as it was stablished by the WP29 in the Opinion 13/2011).

In relation with the tracking data, the WP29 indicated in the Opinion 5/2005 that the processing of this data could be justified in those cases in which the tracking is related with the persons’ or goods’ transport or the collect of data is for the purpose of improving the distribution of services in wide regions, or when the purpose is the security of the employee, goods or the vehicle. An example could be UPS and its software Orion, with which an algorithm stablishes the route of the delivery person with the purpose of improving the delivery route (In the following link you can learn more about this software).

In contrast, it would not be considered as justified -being, in consequence, an unlawful processing of personal data- the processing of tracking data of the vehicles when the workers are free to stablish the working routes or when the purpose of the tracking is to monitor the performance of the worker -as other less harmful measures could be adopted to accomplish this purpose-.

Furthermore, the WP29 also indicates that, in case the vehicle could be used for private uses, it can be possible to disconnect the tracking system while the private use, as the tracking out of working hours can not be justified.

In addition, in case the installation of the device is for the purpose of preventing the stealing of the vehicle, it should be possible to configure that the tracking data would only be visible for the employer in case the vehicle goes out of a predefined zone.

Finally, another type of devices are starting to be installed in the workers’ vehicles, which are called event data recorders. This devices record video and sound in case the possibility of an accident in detected (it is activated by an abrupt break or abrupt changes in the direction of the vehicle). Additionally, some devices also collect the position of the vehicle and information related with the driving.   

The WP29 indicated that in case a legitimate interest exists and the proportionality and subsidiarity principles are met, the processing will be lawful. However, it would not be proportional the use of this devices to control the driving skills of the workers as another less harmful measures could be adopted to fulfill this purpose.


The employer could transfer personal data to their Clients only in the cases when this transfer is proportional to the purpose of this transfer.

The employer sends to the clients a link to the name, photo and localization of the delivery person. However, this processing of data could not comply with the necessity principle as for the delivery of goods it is not necessary the transfer of the personal data of the worker.


An international transfer of data could happen in case the department uses an application based in a cloud computing system. In these cases, the employer should ensure that the requisite for a lawful transfer are meet, trying to avoid that the legal basis for these transfers are the consent of the employee -for the reasons before explained-.


In conclusion, six main conclusions could be deduced from the Opinions of the WP29 which it would have to be in mind when processing data from employers:

  1. Have always in mind the principles of the data protection.
  2. The content of the electronic communications in work have the same fundamental rights as the private communications.
  3. The consent is highly improbable as legal basis otherwise employees can decline the data processing without negative consequences.
  4. The performance of a contract and legitimate interests can be the legal basis for the processing only in the cases when it is strictly necessary for the legitimate purpose and when the proportionality and subsidiarity principles are met.
  5. The employees may receive effective information about the monitoring of the devices used at work.
  6. The international transfers of data should only be done when an adequate level of guarantees is ensured.