Smart working, privacy and labour’s rights

The incorrect use of work tools leads to negative consequences. An example is a recent case involving an employee of the Banca ComercialăRomână (BCR) who, to facilitate customers in the administration of files, used his mobile phone to be sent copies of documents and identity cards via WhatsApp, not only violating the policies internal banks but also various provisions of the General Data Protection Regulation (GDPR).

With the progressive affirmation of the “smart” way of working because of the coronavirus, characterized by the ever more frequent use of electronic tools and by an exponential increase in the circulation of data and information, governments must promote not only knowledge of the tools, but above all to guarantee the security of the data processing carried out through the web platform, social networks, and messaging tools.

In the case of the BCR employee, the decision to adopt WhatsApp to communicate with customers, would be completely autonomous and arbitrary. The use of social channels or messaging tools for external communication is in any case the responsibility of the Employer or Data Controller. The latter also depends on the assessment of the risks of the freedoms and rights of individuals about the personal data processing of customers, carried out using these tools, as well as the organizational and technical measures adopted.

It is therefore important, to control the use of the tools, through internal policies, indicating the specific organizational security measures and procedures that employees, entitled to process customer data, must follow.In the specific case, and following the investigation carried out by the Romanian Privacy Guarantor, the Authority found the violation of the provisions on security of treatment (art.32 of the GPPR) by imposing an administrative penalty of 5,000 euros on the Bank.

The control of corporate tools is among the faculties of the employer who, for security reasons, can monitor the use of company computers and devices provided to the employees. Indeed, the staff must always be informed in advance of the possible control, the methods, and the reasons that justify it. The bad management of the tools by an attendant could harm the relationship of trust with the company, and therefore lead to a just cause for dismissal.

A factor not to be ignored is the intensification of the use of personal mobile devices, PCs, tablets, smartphones, etc., for the performance of work, the so-called BYOD, Bring Your Own Device. Although the use of these solutions is undoubtedly convenient, this could inevitably involve risks for the protection of personal data.

The European Data Protection Supervisor (EDPS) intervened on the subject. And through the issuing of the Guidelines on the use of mobile devices, provides an analysis of the generic risks associated with the processing of personal data on mobile devices, as well as recommendations and best practices that should help EU institutions (but also private organizations, companies, and other public bodies) to achieve a level of data protection compliant with regulation (EC) no. 45/2001, then replaced by Regulation (EU) 2018/1725.

The Guidelines contain some recommendations that help the organization/company to demonstrate the correctness of the processing of personal data on mobile devices, these include:

• Involve the DPO in all aspects related to the introduction and use of personal mobile devices in the company/organization;
• Assess the benefits deriving from the use of personal mobile devices on a case-by-case basis, taking into account the risks and invasiveness that this use may involve;
• Evaluate the adoption by the employer of an internal company policy that regulates the limits and methods of use of personal mobile devices in the workplace;
• Carry out an impact assessment (DPIA) on the control tools used and adopt the technical and organizational measures necessary to guarantee the security of personal mobile devices;
• Adopt internal procedures for the management of data breaches;
• Set the devices in such a way as to prevent the collection and processing of personal data from being “in excess”, in compliance with the principle of data minimization;
• Respect the principles of privacy by design provided by the GDPR in defining the security measures to be applied to individual devices.