The employer is only permitted to process personal data that is directly necessary with regard to the employee's employment relationship, related to the performance of the parties’ rights and duties or the benefits offered by the employer, or required by the special nature of the employee’s tasks.
The requirement of necessity cannot be waived even with the employee's consent. In other words, the processing of the employee’s personal data by the employer is strictly limited.
E-mail communications are confidential. However, the employer is permitted, subject to certain conditions, to search for or open messages sent to or from an employee’s e-mail address.
The employer is permitted to process data concerning the employee’s state of health (e.g. diagnoses) if the processing is required for the payment of the wages for the period of illness or other, corresponding health-related benefits or to determine whether the employee has a justified reason for absence. The processing of data concerning the state of health is also permitted if the employee specifically requests that his or her ability to work should be reviewed on the basis of the data.
The employer can collect data concerning the employee’s state of health from the employee. The collection of such data from other sources requires the employee’s written consent. If the employee delivers a medical certificate or statement on his or her ability to work to the employer, the employer may deliver it to the occupational health care provider unless prohibited by the employee.
The employer should keep documents containing data concerning the employee's state of health separate from the employee’s other personal data. Neither may entries concerning state of health be saved in other personal data files maintained by the employer, such as payroll administration files.
The employer and any personnel processing data concerning state of health on behalf of the employer are subject to a non-disclosure obligation and may not disclose the employee's health data to third parties.
The employer has the right to supervise and monitor work (the right of direction), by virtue of which the employer can specify the duties of individual employees, issue work-related orders and monitor the performance of employees. However, this right does not entitle the employer to monitor the employee by collecting or viewing the identifying data accumulated through the employee’s use of the internet.
Neither can the employee give a valid consent to the employer's supervision of his or her browsing. The right to confidential communications also applies to browsing the internet and the identifying data accumulated thereby.
The employer can nevertheless issue rules on the use of information networks, such as whether browsing the internet at the workplace is permitted in the first place and, if it is, what kinds of sites employees are permitted to visit. The employer also has the right to block access to certain sites.
Determining the location of employees is part of technical supervision, which needs to be processed in the co-operation procedure at the workplace. It is only possible if the employer has an appropriate basis and need for it. Locating employees can be justified by, for example, ensuring the safety of employees and the correct allocation of resources (such as vehicles). Locating using a mobile phone requires the consent implied by law on the services of electronic communications.
In the opinion of the Data Protection Ombudsman, location data should not, as a rule, be used for the monitoring of obligations under labour law, such as the monitoring of working hours. Using location data for monitoring and keeping track of working hours can be possible, however, if the employee works at home or mostly away from the employer’s premises and there are no other, less intrusive means of monitoring available.
If the positioning system is intended to be used for monitoring and keeping track of working hours, the employer should specify this as one of the purposes of the processing of location data. If this purpose has not been specified in advance and no co-operation procedure has been implemented on the matter at the workplace, the location data may not be used for monitoring compliance with the terms of the employment or service relationship.
The employee's absence data and complaints made about him or her are personal data. Displaying such data at the workplace can be in violation of the employer's non-disclosure obligation and infringe on the employee’s right to privacy.
In practice, it may be necessary to communicate matters such as the numbers of complaints as general, statistical data at the workplace. The employer should specify the personnel whose duties entitle them to process the personal data of employees. If a person entitled to process personal data has obtained information on another person's characteristics, personal conditions or financial standing in connection with the processing, this information may not be disclosed to third parties.
The data can be published on the employer’s website without the employee’s consent if such publication is appropriately justified and necessary for the employer’s business operations. For example, the publication of such data can be necessary if the employee’s obligations include being identifiable and available on the basis of his or her job title, occupational contact details and photograph.
The employer should consider the necessity of such publication carefully and justify it to the employees and Data Protection Ombudsman if necessary. Even if consent is not required for publishing the data, the employees have the right to know for what purpose their data is published on the internet. The matter must be processed in the co-operation procedure at the workplace.
Trade union membership falls under a special category of personal data, and its processing is provided for in Article 9 of the General Data Protection Regulation. The processing of data concerning trade union membership is permitted when this is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.
An organisation involved in trade union activities is permitted to process data concerning trade union membership in connection with its operations provided the appropriate safeguards are observed. Under section 6 (3) of the Data Protection Act, the processing of data concerning trade union membership is permitted in connection with, for example, industrial action.
A trade union may process the data of its own trade associations only. Processing of personal data is permitted if it concerns the data of the current or former members of these associations or persons who have regular contacts with the associations linked to the purpose of these associations. It is also required that personal data not be disclosed to a third party without the consent of the data subject and that the processing concerns data to the processing of which the data subject has specifically consented.
Trustees’ right of access to information is provided for in occupation-specific collective agreements. Employers must provide trustees with data necessary for a successful performance of their duties. Acceptable grounds for disclosing an employee’s contractual and salary information to a trustee include:
The employee whose data the disclosure concerns has given their consent to the disclosure.
The disclosure of personal data is based on a legal provision or is necessary for the carrying out of the controller’s statutory obligation.
The disclosure of personal data takes place in a manner agreed upon in a legally valid collective agreement.
The disclosure of personal data may also be acceptable at the employer’s discretion if this is necessary for exercising the legitimate rights of the controller or a third party, unless these rights are overridden by the interests or rights and freedoms of the data subject.
Trustees must process personal data as provided in the General Data Protection Regulation. Practices that were observed in the activities of trustees before the General Data Protection Regulation entered into force have continued largely unchanged.
The Data Protection Ombudsman does not have jurisdiction to interpret collective agreements or the power to permit or prohibit the disclosure of personal data.