Informing employees and third parties about surveillance in the workplace

As of 25 May 2018, it is no longer necessary to apply for prior authorisation from the National Commission for Data Protection (Commission nationale pour la protection des données - CNPD) for the purpose of surveillance in the workplace.

At the same time, however, the obligation incumbent upon the employer to inform their employees is considerably more stringent.

In addition, employers/data controllers must now keep a register of personal data processing operations (notably including processing that relates to the surveillance activities).

Under no circumstances may employers implement covert surveillance measures.

Who is concerned

Any organisation that wishes, for legitimate reasons, to implement surveillance measures in the workplace, such as:

  • video surveillance;
  • electronic access control (e.g. electronic ID badges);
  • electronic monitoring of working time;
  • tracking of communications and/or recording of telephone conversations;
  • monitoring the use of internet and emails;
  • global positioning systems (GPS), etc.

Preliminary steps

Before implementing surveillance measures, employers are legally required to inform:

  • collectively, the staff representatives: the staff delegation or, failing that, the Inspectorate of Labour and Mines (Inspection du travail et des mines - ITM);
  • individually, the employees.

This prior information must contain:

  • a detailed description of the purpose of the intended processing;
  • the conditions in which the surveillance system is to be implemented;
  • the length of time that the data will be retained, or the criteria governing its retention;
  • a formal undertaking from the employer not to use the data collected for any purpose other than that explicitly declared in the prior information.
Employers are advised to provide the required information in such a way as to have definitive proof of the exact date on which it was provided (e.g. by registered letter to all employees concerned).

How to proceed

CONDITION OF LAWFULNESS OF SURVEILLANCE IN THE WORKPLACE

Employers are not permitted to process personal data for the purpose of surveillance of employees in the context of their working relationship unless it is strictly necessary for:

  • the performance of a contract to which the person in question is a party;
  • the fulfilment of a legal obligation to which the employer is subject;
  • safeguarding the vital interests of the person concerned, or those of another natural person;
  • conducting a mission in the public interest, or relating to the exercise of public authority with which the data controller is vested;
  • serving the legitimate interests of the data controller or a third party, unless those interests are secondary to the interests, freedoms and fundamental rights of the person concerned, which require that the personal data be protected.

Where the implementation of a video surveillance system is concerned, the employer/data controller can typically hold that the processing is necessary to protect their legitimate interests, unless those interests are secondary to the interests, freedoms and fundamental rights of the person(s) subject to the planned video surveillance.

Unless it is required to fulfil a legal or regulatory obligation, the surveillance must be mutually agreed to by the employer and the staff delegation if it is to be implemented for the purpose of:

PRIOR ASSESSMENT FROM THE CNPD

When the employer intends to implement employee surveillance measures, the staff delegation or, if necessary, the employees in question themselves, may submit a request for prior assessment to the CNPD.

The application must be made within 15 days of receiving the prior information.

The CNPD's assessment shall relate to the legitimacy of the planned processing of the employee's data in relation to the working relationship.

The CNPD must make a ruling within a month of receiving:

  • the request for prior assessment; and/or
  • all necessary information.
The CNPD may request additional information from the applicant and, where necessary, from the data controller, by contacting them directly.

Such a request for additional information has a suspensive effect on the time allotted for the CNPD's assessment. As such, the employer/data controller may not implement the surveillance system until they receive the assessment from the CNPD.

The CNPD's decision cannot be appealed. However, the employer is not legally required to abide by that decision, although they are advised to do so.

Furthermore, the employees concerned are entitled to file a claim with the CNPD. Such a claim may not be considered as a case of grave misconduct or a legitimate reason for dismissal.

PERSONAL DATA PROTECTION IMPACT ASSESSMENT

Depending on the intended surveillance measure, a personal data protection impact assessment (AIPD) must be carried out by the employer/data controller.

Large-scale systematic surveillance of an area accessible to the public generally requires an AIPD, given the high risk it may pose to the rights and fundamental freedoms of individuals. The installation of a video surveillance system may be such a case.

The CNPD is responsible for compiling and publishing a list of the types of personal data processing operations that require an AIPD.

DATA PROTECTION IN THE CONTEXT OF VIDEO SURVEILLANCE

The employer/data controller must use means of surveillance that are the least intrusive into the employees' privacy.

In principle, the employees have the right not to be subjected to permanent, constant surveillance.

In particular, video surveillance may not be implemented in the following places:

  • in an office or workshop in which one or more employees are permanently engaged in work;
  • spaces:
    • reserved for the employees' private use; or
    • which are not intended for work-related tasks (e.g. toilets, changing rooms, etc.).

Similarly, continuous surveillance of external personnel is not always permissible (e.g. in a canteen with dining tables).

Only that which is strictly necessary to achieve the purpose(s) specified by employer/data controller may be filmed. Processing operations must not be disproportionate.

The field of view of the cameras filming internal/external access points in a building must be limited to the surface area that is strictly necessary to view the persons attempting to gain access. It must not include the public roadway.

If that is not feasible, then the employer/data controller must implement masking/blurring techniques to limit the field of view to their own property.

Situations must be assessed on a case-by-case basis to determine the necessity and proportionality of video surveillance.

Surveillance using video cameras must capture images only, without sound.

Recorded images may be kept for:

  • 8 days in principle;
  • 30 days in exceptional circumstances. The employer/data controller must provide explicit reasons to justify this extended retention of images;
  • longer in the event of an incident or offence. Where necessary, the images may be forwarded to the police or competent legal authorities.

The employer/data controller must ensure that the images are destroyed once the allowed retention period has passed.

Who to contact

Double click to activate the map
Last update