Employers cannot prohibit employees from using the company’s equipment for personal purposes. 5 things that can be done instead
We were recently working on a GDPR audit and we found in the company’s security policy a prohibition on employees using the company’s IT resources for personal purposes.
It may seem like a good solution both for maintaining productivity in the company, and for avoiding the accumulation of personal data on the company’s equipment. This is because we know that all the employees’ personal data owned by the company involve a series of GDPR rights that must be observed by the employers, even after the employee has left the company.
Such an interdiction would be possible in accordance with a 2019 decision of the Greek Supervisory Authority. Nevertheless, the top-level European authority on data protection, the Article 29 Working Party (currently the EDPB), expressly stated in its 2017 Opinion that “employees can exercise their legitimate right to use work facilities for some private usage”. The position of the Working Party, which outranks the Greek authority in the hierarchy, must be thoroughly considered by employers when deciding on the proper measures for their company.
The Working Party’s Opinion is complementary to the case-law of the EU Courts, which have long recognized the employees’ right to privacy in the workplace (Niemietz vs Germany, Copland vs UK, Bărbulescu vs Romania). Using the office facilities, which also includes communications for personal interest on the company’s equipment, is part of the right to privacy. And the employee cannot be faced with an absolute interdiction on using the company’s IT resources for personal interest.
On the one hand, the imposition of such an interdiction may have labour law implications, as the employer may risk being accused of infringing the employee’s right to privacy.
On the other hand, no one can deny the employee the rights recognized by GDPR regarding his/her personal data stored on the company’s equipment on the grounds that he/she was not, in fact, allowed to use it. As such, an employee who used the company’s equipment for personal purposes despite the interdiction will nevertheless have the rights established by GDPR, including the right of access and deletion.
Yes, we are talking about the company’s equipment and yes, it can be surprising that the authorities do not acknowledge the company’s absolute right to decide how it wants to use its property. We have seen countless comments online in which companies’ representatives were stunned by the fact that they cannot decide whether the work laptops or the company’s networks will be used only for the purposes for which they were purchased, which is for work.
This subject is suitable for some extended discussions and, no matter which side you pick, in the end you may come to understand that the fundamental values at play are the company’s ownership right (and we all want our ownership right to be absolute) and the person’s right to privacy (and, again, we all want to have a life that is free from surveillance and restrictions of our natural behaviour).
And, when we analytically compare these two rights we all care about, no matter how attached we are to the idea of absolute ownership, it is possible to realize that we wouldn’t want to be put in positions that would equate to giving up our private life. The employee status would be such a position, if we considered that the employee gives up private life when arriving at the office. Or that the employee must bring his/her own equipment from home in order to keep in touch with the world during office hours. And, as the legal regulations are also made to ensure social balance, this time the employer is sacrificed, finding itself in the situation of not being able to use its property solely as desired. This was pretty much the thinking that generated the regulations mentioned herein.
If you are an employer, you have two options – to be outraged by the pressure of these restrictive regulations that you cannot change, or to be prepared.
You are an employer. What to do to be prepared:
- Develop a policy regarding the acceptable use of IT resources, indicating how long, in which manner and under which terms the employee is allowed to use them, instead of imposing an absolute interdiction on the use of IT&C equipment;
- Implement an IT equipment handover – receipt procedure when the employee leaves the company, which foresees the obligation of the employee to take over and delete all personal data from the company’s media, including correspondence, photos, etc., instead of looking for hundreds or even thousands of emails in the archive after the employee’s departure, in response to their request for access. On a side note – an EU Court recently ruled that the request for access to the employee’s email archive may be excessive, but that does not mean that things could not be seen differently by other Courts.
- Establish in the internal regulations the employee’s obligation of labelling private correspondence or other personal data with the word “Personal”, which will ease the rapid identification of personal data during the process of handover – receipt;
- Establish in the internal regulations the conditions in which you can access the employee’s equipment in his/her absence, in order not to be exposed to accusations of violation of privacy. In the case of Libert v. France, it was established that the employer can access the employee’s electronic files in his/her absence, having a legitimate interest in verifying whether they were used in accordance with the contractual stipulations and the company rules. If the files have not been labelled as “personal”, the presumption is that they are for professional use.
- Inform the employees about any monitoring of the IT resources that you wish to undertake, before doing it. Whether it is about monitoring the traffic volume or the content of the correspondence, the monitoring is possible if and to the extent that the employer can prove a legitimate interest in doing so, and if the employee has been previously informed about the employer’s intention. The idea is that the employers should try to prevent the employees’ inadequate behaviour, rather than securing more intrusive means for fighting against them.
Whether we are an employee, or an employer, in the age we live in we are united by a common denominator – We’re worth what our data’s worth. Let’s treat it wisely.