- 15 May 2018
- Dorothée David
On 25 April 2018, the CNPD (Luxembourg’s National Commission for Data Protection) published its opinion about the change to article L. 261-1 of the Labour Code on monitoring employees in the workplace, as established by Bill no. 7184 implementing the GDPR in Luxembourg. The CNPD focused on the following planned changes:
- Possibility for an employer to process personal data for the purposes of monitoring employees in accordance with the conditions governing the legality of the GDPR.
On this point, the CNPD welcomes the fact that the new article L. 261-1 proposed by the Bill would no longer limit the cases in which an employer can justify processing data for monitoring purposes (the current article L.261-1 only stipulates 5 limited cases in which this is permitted). Article 6 of the GDPR on the conditions governing the legality of any data processing applies to processing for the purposes of monitoring employees in the workplace, which means that Luxembourg law complies with European jurisprudence.
- Possibility for the staff delegation to request an advance compliance opinion from the CNPD for the processing of personal data in order to monitor employees’ activities in the workplace, with suspensive effect whilst waiting for the CNPD to give its opinion.
On this point, in particular, the CNPD wonders how the new article L. 261-1 put forward by the Bill might fit in with the spirit of the GDPR, especially when it comes to the principle of accountability designed to move from an a priori to an a posteriori monitoring system. In fact, according to the system that the GDPR is keen to implement, data controllers would no longer need to inform the CNPD of their data processing activities in advance, but would need to introduce a whole series of mandatory, documented internal measures to demonstrate their compliance. On its own initiative, and on the basis of any complaints it might receive or on the basis of the European cooperation procedure, the CNPD would investigate and sanction the data controller if the provisions of the GDPR have been breached.
The CNPD questions the legal value its advance opinion might have for the processing of data for the purposes of monitoring employees while it is also already responsible for subsequent compliance checks and has the power to decide on the legality of the processing.
As well as this, the CNPD points out that the planned advance compliance opinion procedure does not seem to be covered by “more specific rules to ensure the protection of the rights and freedoms” of employees, authorised by article 88 of the GDPR. In fact, for example, a prior consultation procedure is stipulated by the GDPR if an impact assessment identifies a high level of risk (articles 35 and 36). The supervisory authority is given 8 weeks to come to a decision. However, in the modified article L. 261-1 of the Labour Code, the time granted to the CNPD to come to a decision about the processing of personal data for the purposes of monitoring employees would be just 1 month.
Ultimately, the CNPD recommends quite simply revoking the current article L. 261-1 of the Labour Code, as “the GDPR is a robust, coherent frame of reference that provides a significant and adequate number of guarantees to protect those involved, including in particular employees, and in this case in relation to processing data for the purposes of monitoring in the workplace.”
If however the legislator would like to keep article L. 261-1 of the Labour Code, the CNPD feels that it would be necessary to provide clarifications and adapt it to the requirements of the GDPR.