As of 25 May 2018, it is no longer necessary to apply for prior authorisation from the National Commission for Data Protection (Commission nationale pour la protection des données - CNPD) for the purpose of surveillance in the workplace.
At the same time, however, the obligation incumbent upon the employer to inform their employees is considerably more stringent.
Under no circumstances may employers implement covert surveillance measures.
Who is concerned
Any organisation that wishes, for legitimate reasons, to implement surveillance measures in the workplace, such as:
- video surveillance;
- electronic access control (e.g. electronic ID badges);
- electronic monitoring of working time;
- tracking of communications and/or recording of telephone conversations;
- monitoring the use of internet and emails;
- global positioning systems (GPS), etc.
Before implementing surveillance measures, employers are legally required to inform:
- collectively, the staff representatives: the staff delegation or, failing that, the Inspectorate of Labour and Mines (Inspection du travail et des mines - ITM);
- individually, the employees.
This prior information must contain:
- a detailed description of the purpose of the intended processing;
- the conditions in which the surveillance system is to be implemented;
- the length of time that the data will be retained, or the criteria governing its retention;
- a formal undertaking from the employer not to use the data collected for any purpose other than that explicitly declared in the prior information.
How to proceed
CONDITION OF LAWFULNESS OF SURVEILLANCE IN THE WORKPLACE
Employers are not permitted to process personal data for the purpose of surveillance of employees in the context of their working relationship unless it is strictly necessary for:
- the performance of a contract to which the person in question is a party;
- the fulfilment of a legal obligation to which the employer is subject;
- safeguarding the vital interests of the person concerned, or those of another natural person;
- conducting a mission in the public interest, or relating to the exercise of public authority with which the data controller is vested;
- serving the legitimate interests of the data controller or a third party, unless those interests are secondary to the interests, freedoms and fundamental rights of the person concerned, which require that the personal data be protected.
Where the implementation of a video surveillance system is concerned, the employer/data controller can typically hold that the processing is necessary to protect their legitimate interests, unless those interests are secondary to the interests, freedoms and fundamental rights of the person(s) subject to the planned video surveillance.
Unless it is required to fulfil a legal or regulatory obligation, the surveillance must be mutually agreed to by the employer and the staff delegation if it is to be implemented for the purpose of:
- protecting the workers' health and safety;
- monitoring the employee's production or performance if it is the only way to determine the employee's salary;
- planning of flexible working hours.
PRIOR ASSESSMENT FROM THE CNPD
When the employer intends to implement employee surveillance measures, the staff delegation or, if necessary, the employees in question themselves, may submit a request for prior assessment to the CNPD.
The application must be made within 15 days of receiving the prior information.
The CNPD's assessment shall relate to the legitimacy of the planned processing of the employee's data in relation to the working relationship.
The CNPD must make a ruling within a month of receiving:
- the request for prior assessment; and/or
- all necessary information.
Such a request for additional information has a suspensive effect on the time allotted for the CNPD's assessment. As such, the employer/data controller may not implement the surveillance system until they receive the assessment from the CNPD.
The CNPD's decision cannot be appealed. However, the employer is not legally required to abide by that decision, although they are advised to do so.
Furthermore, the employees concerned are entitled to file a claim with the CNPD. Such a claim may not be considered as a case of grave misconduct or a legitimate reason for dismissal.
PERSONAL DATA PROTECTION IMPACT ASSESSMENT
Depending on the intended surveillance measure, a personal data protection impact assessment (AIPD) must be carried out by the employer/data controller.
Large-scale systematic surveillance of an area accessible to the public generally requires an AIPD, given the high risk it may pose to the rights and fundamental freedoms of individuals. The installation of a video surveillance system may be such a case.
The CNPD is responsible for compiling and publishing a list of the types of personal data processing operations that require an AIPD.
DATA PROTECTION IN THE CONTEXT OF VIDEO SURVEILLANCE
The employer/data controller must use means of surveillance that are the least intrusive into the employees' privacy.
In principle, the employees have the right not to be subjected to permanent, constant surveillance.
In particular, video surveillance may not be implemented in the following places:
- in an office or workshop in which one or more employees are permanently engaged in work;
- in places reserved for the employees' private use; or
- in places which are not intended for work-related tasks (e.g. toilets, changing rooms, etc.).
Similarly, continuous surveillance of external personnel is not always permissible (e.g. in a canteen with dining tables).
Only that which is strictly necessary to achieve the purpose(s) specified by the employer/data controller may be filmed. Processing operations must not be disproportionate.
The field of view of the cameras filming internal/external access points in a building must be limited to the surface area that is strictly necessary to view the persons attempting to gain access. It must not include the public roadway.
If that is not feasible, then the employer/data controller must implement masking/blurring techniques to limit the field of view to their own property.
Surveillance using video cameras must capture images only, without sound.
Recorded images may be kept for:
- 8 days in principle;
- 30 days in exceptional circumstances. The employer/data controller must provide explicit reasons to justify this extended retention of images;
- longer in the event of an incident or offence. Where necessary, the images may be forwarded to the police or competent legal authorities.
The employer/data controller must ensure that the images are destroyed once the allowed retention period has passed.