The employer is only permitted to process personal data that is directly necessary with regard to the employee's employment relationship, related the performance of the parties’ rights and duties or the benefits offered by the employer, or required by the special nature of the employee’s tasks.
The requirement of necessity cannot be waived even with the employee's consent. In other words, the processing of the employee’s personal data by the employer is strictly limited.
E-mail communications are confidential. However, the employer is permitted, subject to certain conditions, to search for or open messages sent to or from an employee’s e-mail address. Read more.
The employer is permitted to process data concerning the employee’s state of health (e.g. diagnoses) if the processing is required for the payment of the wages for the period of illness or other, corresponding health-related benefits or to determine whether the employee has a justified reason for absence. The processing of data concerning the state of health is also permitted if the employee specifically requests that his or her ability to work should be reviewed on the basis of the data.
The employer can collect data concerning the employee’s state of health from the employee. The collection of such data from other sources requires the employee’s written consent. If the employee delivers a medical certificate or statement on his or her ability to work to the employer, the employer may deliver it to the occupational health care provider unless prohibited by the employee.
The employer should keep documents containing data concerning the employee's state of health separate from the employee’s other personal data. Neither may entries concerning state of health be saved in other personal data files maintained by the employer, such as payroll administration files.
The employer and any personnel processing data concerning state of health on behalf of the employer are subject to a non-disclosure obligation and may not disclose the employee's health data to third parties.
The employer has the right to supervise and monitor work (the right of direction), by virtue of which the employer can specify the duties of individual employees, issue work-related orders and monitor the performance of employees. However, this right does not entitle the employer to monitor the employee by collecting or viewing the identifying data accumulated through the employee’s use of the internet.
Neither can the employee give a valid consent to the employer's supervision of his or her browsing. The right to confidential communications also applies to browsing the internet and the identifying data accumulated thereby.
The employer can nevertheless issue rules on the use of information networks, such as whether browsing the internet at the workplace is permitted in the first place and, if it is, what kinds of sites employees are permitted to visit. The employer also has the right to block access to certain sites.
Determining the location of employees is part of technical supervision, which is possible if the employer has an appropriate basis and need for it. Locating employees can be justified by, for example, ensuring the safety of employees and the correct allocation of resources (such as vehicles).
In the opinion of the Data Protection Ombudsman, location data should not, as a rule, be used for the monitoring of obligations under labour law, such as the monitoring of working hours. Using location data for monitoring and keeping track of working hours can be possible, however, if the employee works at home or mostly away from the employer’s premises and there are no other, less intrusive means of monitoring available.
If the positioning system is intended to be used for monitoring and keeping track of working hours, the employer should specify this as one of the purposes of the processing of location data. If this purpose has not been specified in advance and no cooperation procedure has been implemented on the matter at the workplace, the location data may not be used for monitoring compliance with the terms of the employment or service relationship.
The employee's absence data and complaints made about him or her are personal data. Displaying such data at the workplace can be in violation of the employer's non-disclosure obligation and infringe on the employee’s right to privacy.
In practice, it may be necessary to communicate matters such as the numbers of complaints as general, statistical data at the workplace. The employer should specify the personnel whose duties entitle them to process the personal data of employees. If a person entitled to process personal data has obtained information on another person's characteristics, personal conditions or financial standing in connection with the processing, this information may not be disclosed to third parties.
The data can be published on the employer’s website without the employee’s consent if such publication is appropriately justified and necessary for the employer’s business operations. For example, the publication of such data can be necessary if the employee’s obligations include being identifiable and available on the basis of his or her job title, occupational contact details and photograph.
The employer should consider the necessity of such publication carefully and justify it to the employees and Data Protection Ombudsman if necessary. Even if consent is not required for publishing the data, the employees have the right to know for what purpose their data is published on the internet.