The Dutch Data Protection Authority has published a guide for Dutch works councils on how to exercise their right of consent with regard to processing and protection of employee personal data and digital employee tracking systems. We also notice from our clients that companies are processing employees’ (personal) data more and more, and are considering using employee tracking systems as a new norm after the pandemic. Consequently, these topics will be on employers’ and works councils’ agendas more frequently, which is why the Dutch Data Protection Authority created a guide for works council members.
Employers process a lot of personal data of their employees. Arrangements for the use of employee data are present in every organization, for example the registration of absenteeism, payroll administration and data that are kept in personnel files. As working from home becomes more widespread as a result of the COVID-19 pandemic, employers may consider turning to more enhanced methods to monitor their employees and use more invasive technology – both at work and at home to observe employees, monitoring their attendance, behavior and performance. The Dutch works council plays a role in this respect.
Pursuant to the Dutch Works Council Act (‘WCA’), the works council’s endorsement shall be required for every proposed decision to establish, amend or withdraw regulations relating to (i) the handling and protection of personal data of persons working in the company, and (ii) measures aimed at monitoring or checking the attendance, behavior or performance of persons working in the company.
In order to properly assess the regulations proposed by the employer, the Dutch Data Protection Authority (‘the DDPA’) finds it important that the works council is well prepared. Where necessary, the works council may also ask the employer critical questions. In order to assist the works council in this respect, the DDPA has produced a guide: the Works Council Privacy Booklet. It is also recommended for employers to take note of this guide to be well prepared for when submitting a request for consent to the works council.
Works Council Privacy Booklet
The guide addresses the following topics:
- How to determine whether the works council has a right of consent? What is personal data exactly, and when is it being processed?
- What are the most important GDPR privacy rules? Which questions can be asked to check whether the employer’s plans are GPDR-proof?
- Which questions can a works council ask if the employer intends to use an employee tracking system?
The DDPA gives several examples of questions that a works council may ask in order to verify whether the employer’s plans are GDPR proof. Kindly find a few below:
- Does the employer make sufficient use of the possibilities to make personal data anonymous?
- Does the employer need to collect the data at the individual level or can the employer suffice with data at the level of a department or of the company as a whole (aggregate level)?
- Has a procedure been established to test whether the security measures are (still) effective?
Examples of questions that a works council could ask with regard to employee tracking systems are:
- Why is the employer considering to use this system?
- Is there a legal or contractual obligation? If not, is it for some other reason necessary to implement or use the system?
- If there is necessity, can the employer proof that it has a legitimate reason (legitimate interest) to use the system?
- Is it possible to achieve the employer’s purpose in a way that is less intrusive manner for the employees?
- Who has access to the personal data being processed?
- Is it known in the organization what behavior will not be tolerated and have employees been warned about it?
