ESTONIAN SUPERVISORY AUTHORITY: Suggestions for the employer.

What does the processing of personal data for the purpose of contract execution mean?

The processing of personal data must be objectively necessary for the purpose of the contract or for the fulfilment of a specific contractual obligation. In an employment relationship, "contract" means both the employment contract and the documents in it.

In order to be able to assess whether the processing of personal data is necessary for the execution of the contract, the contents and the main purpose of the contract must be determined. It is possible to assess on this basis whether the processing of data is indeed necessary for the execution of the contract.

The employer must take into account the fact that the connection between the execution of the employment contract and the processing of data within the scope of the employment contract must be unavoidable. The inclusion in the contract of a general clause on personal data processing does not automatically mean that the processing of personal data is necessary for the execution of the contract. In other words, if the processing of personal data would be necessary to verify the fulfilment of obligations arising from the employment contract, this does not mean that the employment contract cannot be performed without the verification of obligations.

To find out if it is possible to perform an employment contract without such data processing, it is advisable to remove the fact of data processing from the employment contract and to answer the following question: is it possible to perform the employment contract without such data processing?

For example, an employee’s use of the Internet, e-mail and telephone cannot be controlled for the purpose of executing the contract. 

Even the verification of the employees’ work responsibility can be accepted if the employer has a legitimate interest.

Can consent be used to process an employee’s personal data during the employment relationship?

During the employment relationship, processing the employee's personal data on the basis of consent is an exception, because it must be possible to withdraw consent without any conditions and consent must be voluntary. The word "voluntary" means a truly free choice for the employee. In order to find out whether consent is an adequate basis for the processing of personal data, it is important to ask: can the employee refuse without negative consequences, or how can the processing be continued if the employee revokes consent?

If the employee cannot refuse consent without negative consequences or revoke it at any time, the consent will be cancelled. 

The most frequent mistake is that of "hiding" consent in the contract in such a way that it becomes part of the employment contract. This means that the word "consent" is used in the contract, but in effect the person is being informed of data processing in the company.

When is consent exceptionally possible?

During the employment relationship, consent is considered a basis for the employer's processing of personal data for any type of innovation that is not necessary for the execution of the employment contract with the employee, but serves as an additional function. In practice, one such example is the publication of employee photos on a company's website.

With the employee's consent, the employer may also be able to introduce an access system based on biometrics (only fingerprint data are used in employment relationships), which can be used only if another system without biometrics (such as a personalised smart card) remains available to the employees in parallel. The employee must be able to identify himself or herself with either a fingerprint or a smart card when arriving at work.

Is unauthorized access to an employee's computer/e-mail prohibited?

Yes, without the employee's knowledge it is forbidden to carry out personal data processing operations on the computer or e-mail address used by the employee.

Before any action is taken, the employee must be informed, even in cases where it is necessary to copy files or verify the execution of the work.

The word "notification" means both preventive notification of a specific activity and general notification of the employee. For example, an employee can generally be informed by establishing rules, conditions or instructions for the use of a computer/e-mail. These should regulate whether and under which conditions the employee can keep his or her own personal information on a computer or at an e-mail address.

A common option is that if an employee wants to archive personal files on a work computer, he or she has to create a personal box on the computer or at the e-mail address in which to collect the information with his or her own private content.

When creating rules, the employer must take into account the fact that they must not conflict with the Constitution or other laws.

The rules may not subject an employee to unreasonable restrictions or create greater rights than those permitted by law.

Can personal data be processed within a group on the basis of a legitimate interest?

If group companies have to transfer employees' personal data for internal management purposes, data processing is possible on the basis of a legitimate interest. It is important to note that the legitimate interest is based on a discretionary decision. Such a decision implies a legal analysis in which the data controller determines, above all and on its own, the purpose of its activities and its legitimate interest, whether the processing of personal data is and has been necessary for those purposes, whether the person can expect these activities from the data processor, and what the possible consequences of the processing are for the privacy and freedom of the individual.

If the companies of the group are located in different countries, it is also possible to use a legitimate interest to transfer the data, but in addition to the international aspect, there is a need to establish uniform rules for the processing of personal data, and the procedures for data transfer must take into account both the guarantees and the security of the data.

– The Data Protection Inspectorate website includes a detailed guide to legitimate interests, which can be found under the heading "instructions" and says more about the legal basis of the processing.

– The Data Protection Inspectorate website has a longer explanation of the requirements for data transfers abroad under the heading "privacy protection".

Is it possible to use a legitimate interest in video surveillance?

The use of a security camera on the basis of a legitimate interest, for the protection of goods and persons (for security reasons) as well as for the control or supervision of working hours, is conditional on certain conditions being met. Here are two very important conditions.

Firstly, on the basis of a legitimate interest it is possible for an employer to use a security camera if specific types of personal data are processed and, secondly, the use of a legitimate interest becomes lawful after a legal analysis based on a discretionary decision.

Because video surveillance can have a profound effect on people's thoughts and actions, as well as on freedom of expression or decision, and can strongly violate privacy, the Inspectorate recommends that alternative measures be considered before proceeding.

What does it mean to respect data protection rules in video surveillance?

Data protection rules exist to protect the privacy of individuals (employees, customers, partners and others). In video surveillance, respecting data protection rules means responsible processing of personal data and protection of human privacy. It also means the obligation to inform who does what and for what reason. 

Rule number 3: the person must be informed of the video surveillance. Before the video area is set up, the person must be told who the organiser of the video surveillance is and who their contact is. It must be specified for what purpose and on what legal basis the video surveillance is organised and where to find more detailed information on personal data processing.

Rule number 2: recording people means processing personal data. If the recording is kept for later viewing, it is a personal data processing operation. The organiser of the video surveillance becomes the person in charge of processing personal data. This means the obligation to protect a person's privacy and to be prepared to allow people to access their own personal data.

Rule number 1: records may not be used for purposes other than those for which they were originally intended.

This means that if a security camera configured to protect property has captured a malicious person, this recording is not to be shared among millions of people on social networks. The purpose has been to protect the property, not to report the crime.

Because it is the responsibility of the police to discover the perpetrator of the crime, the recording will be in the hands of the police, who will use it in the proceedings.

In other words, the protection of privacy in video surveillance means that it is necessary to ensure that a person is informed about video surveillance, has access only to his or her own personal data, and that the personal data are used only for a purpose known to the person beforehand.

The Data Protection Inspectorate's website provides a video surveillance tag generator, which can be used to create a video surveillance notification tag in accordance with data protection requirements. We also advise you to read the general instructions of the data processor.

SOURCE: ESTONIAN DATA PROTECTION AUTHORITY