May 03, 2019
Ireland Data Protection Commissioner Helen Dixon noted at a U.S. Senate Commerce Committee hearing that under the EU’s General Data Protection Regulation the “vast majority of decisions appealed to court from my office relate to disputes between employers and employees and far fewer relate to the commercial context.”
Of the nearly 6,000 complaints to Ireland's Data Protection Commission from individuals since the GDPR took effect, "It is frequently a feature of complaints we handle from consumers that their interest in their personal data is as a means of pursuing further litigation or action. For example, former employees of organizations often seek access to their personal data as part of the pursuit of an unfair dismissals case,” Dixon said in her written comments.
Employee monitoring particularly under scrutiny: “A large volume of complaints that come to the Commission relate to… employees complaining about their employers using excessive CCTV to monitor them or unauthorized access and excessive processing of their image if the employer uses CCTV as part of disciplinary proceedings."
Under the GDPR, employee records/personnel files are considered personal data. Even if a company does not interact with consumer data per se, it must comply with the GDPR on the basis of maintaining personnel files.
However, the GDPR does make special allowances for companies to hold certain personal data of workers. For example, the regulation’s “right to be forgotten” only extends in the employment context when the data is no longer necessary for “the purposes for which it was collected.”
Why it matters: As the U.S. Congress and various states look at broad data privacy laws, the implications of how such laws deal with the data of employees, applicants, and contractors will be significant—both for employers and, potentially, the plaintiff’s bar.