Council of Europe issues Recommendation CM/Rec(2015)5 on the processing of personal data by employers

On April 2, 2015, the Council of Europe issued Recommendation CM/Rec(2015)5 on the processing of personal data in the context of employment. The document lists several principles – for the public and private sectors – that member States should reflect in the application of domestic legislation on the processing of personal data of employees and job candidates, for example with regard to health data or the monitoring of communications in the workplace.

The Council recommends that in processing of personal data employers respect human dignity, privacy, and protect their employees’ personal data. Employers should develop appropriate measures to ensure that they respect the principles and obligations of data processing for employment purposes with reference, for example, to the collection, storage, use, and communication of employees’ data.

To this regard, the text lists a number of specific recommendations for employers who should guarantee:

  • transparency in the processing. The personal data held by employers should be made available either to the employees directly or through their intermediary, or brought to their notice through other appropriate means;
  • right of access, rectification and to object. Employees should be able to obtain, upon request, confirmation of the processing of their personal data. Employees should also be entitled to have their personal data rectified, blocked or erased;
  • security of data, by implementing adequate technical and organizational measures;
  • data preservation. Personal data should not be retained by employers for a period longer than is justified by the employment purposes.

Furthermore, the text addresses a number of specific recommendations with regard to special forms of processing, including the following:

– when monitoring the pages accessed by employees on Internet or Intranet, employers should give preference to preventive measures, such as the use of filters to prevent particular operations;

– access to the professional electronic communications of employees must only occur when they have been informed in advance of that possibility and for security or other legitimate reasons. Private electronic communications at work should not be monitored under any circumstances.

– the use of information systems, including video surveillance, for monitoring employees´ activity and behavior is in principle not allowed. It can exceptionally be admitted, subject to strict conditions;

– the collection and processing of biometric data (such as fingerprints or facial patterns) should only be undertaken when necessary to protect the legitimate interests of employers, employees or third parties, and only if there are no other less intrusive means available.

Recommendation CM/Rec(2015)5 is available at https://wcd.coe.int…   Open Pdf

Related press release is available at https://wcd.coe.int…

Follow us on& Like us on