The General Data Protection Regulation (GDPR) does not prohibit surveillance of employees in the workplace. Still, it requires employers to follow special rules to ensure that the rights and freedoms of employees are protected when processing their personal data. The GDPR applies to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU.
The GDPR requires that any processing of personal data must be lawful, fair and transparent, and based on one of the six legal grounds specified in the regulation. The most relevant legal grounds for employee surveillance are the legitimate interests of the employer, the performance of a contract with the employee, or the compliance with a legal obligation. The GDPR also requires that any processing of personal data must be limited to what is necessary for the purposes for which they are processed, and that the data subjects must be informed of the purposes and the legal basis of the processing, as well as their rights and the safeguards in place to protect their data.
The GDPR also imposes specific obligations and restrictions on the processing of special categories of personal data, such as biometric data, which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or which are processed for the purpose of uniquely identifying a natural person. The processing of such data is prohibited, unless one of the ten exceptions listed in the regulation applies. The most relevant exceptions for employee surveillance are the explicit consent of the data subject, the necessity for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, or the necessity for reasons of substantial public interest.
The GDPR also sets out the rules and requirements for the transfer of personal data to third countries or international organisations, which do not ensure an adequate level of data protection. The transfer of such data is only allowed if the controller or processor has provided appropriate safeguards, such as binding corporate rules, standard contractual clauses, codes of conduct or certification mechanisms, and if the data subjects have enforceable rights and effective legal remedies.
The GDPR also establishes the principle of storage limitation, which requires that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. The GDPR does not specify a precise time limit for the storage of personal data, but leaves it to the controller to determine the appropriate retention period, taking into account the nature, scope, context and purposes of the processing, as well as the risks for the rights and freedoms of data subjects. The GDPR also allows for the further storage of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to appropriate safeguards.
Based on the scenario, after fixing the privacy problems, Gentle Hedgehog may store the monitoring data as long as stated in the privacy policy that all employees must follow when processing personal data. This option is the most consistent with the GDPR's principles and requirements, as it:
Is based on a valid legal ground for the processing of personal data, namely the legitimate interests of the employer to ensure the productivity, quality and security of the work performed by the employees, as well as the performance of a contract with the employees and the compliance with a legal obligation to prevent fraud and protect confidential information.
Is limited to what is necessary for the purposes of the monitoring, as it only covers the work-related activities and communications of the employees, and excludes the private or personal ones.
Is transparent to the employees, as it informs them of the monitoring and its precise scope, and gives them the opportunity to object or opt out of the monitoring.
Does not involve the processing of special categories of personal data, such as biometric data or data revealing political opinions or trade union membership, which are not necessary or proportionate for the purposes of the monitoring, and which do not fall under any of the exceptions listed in the regulation.
Does not involve the transfer of personal data to a third country, such as China, which does not provide an adequate level of data protection, and which may pose additional risks for the rights and freedoms of the employees.
Respects the principle of storage limitation, as it specifies the retention period of the personal data, and deletes or anonymises the data when they are no longer needed for the purposes of the monitoring.
The other options listed in the question are not valid conditions for storing the monitoring data, as they:
Are not based on a valid legal ground for the processing of personal data, as they either rely on the consent of the employees, which is not freely given, informed and specific, or on the compliance with a legal obligation, which does not apply to the storage of personal data.
Are not limited to what is necessary for the purposes of the monitoring, as they involve the storage of personal data for longer than required by the legitimate interests of the employer, the performance of a contract with the employees, or the legal obligation to prevent fraud and protect confidential information.
Are not transparent to the employees, as they do not inform them of the retention period of the personal data, and do not give them the opportunity to request the erasure of the data.
Do not respect the principle of storage limitation, as they do not specify the retention period of the personal data, and do not delete or anonymise the data when they are no longer needed for the purposes of the monitoring.
Reference:
GDPR, Articles 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 44, 45, 46, 47, 48, and 49.
EDPB Guidelines 3/2019 on processing of personal data through video devices, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, and 14.
EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pages 19, 20, 21, 22, 23, 24, 25, 26, 27, and 28.
EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, and 28.
EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, pages 4, 5, 6, 7, 8, 9, 10, 11, and 12.
Data protection: GDPR and employee surveilance | Feature | Law Gazette, paragraphs 1, 2, 3, 4, 5, 6, 7, and 8.