Agile work, said smartworking, constitutes a method of executing the employment relationship characterized by the absence of time or place of work constraints, which today is particularly advocated by the government to ensure the social distancing among workers and avoid a new mass spread of Covid-19.
Even in the context of smartworking, however, there is no less interest from the employer to verify, within the limits of the provisions of the relevant labor law discipline and above all art. 4 of the Workers’ Statute, that the service subject of the employment relationship is actually fulfilled.
And in fact, the employer can easily have technological tools for this purpose (on the market there are already technologies that, for example, allow you to record the duration of use of the applications or the movements of the mouse); but the fact that the service, in this case, takes place mainly at the mansion the private life of the worker poses some important problems not only from a labor law point of view, but also, as far as this article is concerned, regarding privacy.
In this latter regard, the European Data Protection Committee has already stated that the worker consent to the treatment of his own personal data it cannot be considered an expression of a free will, since the refusal of the worker “could cause him a prejudice real or potential “, suggesting instead to evaluate – as the legal basis of the treatment – the use of regulatory or contractual provisions, the fulfillment of a legal obligation or the legitimate interest of the employer (Opinion 2/2017 on data processing at work).
The control of the actual performance of the work activity falls within the last hypothesis, that of the legitimate interest of the employer. However, in choosing the tools identified for this purpose, the employer will have to make sure that there is a perfect one equilibrium between the prejudice that the company would suffer from not proceeding with the treatment and that which the employee would suffer if the treatment took place (principle of “proportionality”).
In particular, before starting the treatment, the employer will have to develop an evaluation preventive on the consequences of data processing, checking whether there are high risks for workers’ freedoms and rights.
In the context of smartworking, in fact, the processing of personal data may concern sensitive data, take place on a large scale and through the use of new technological solutions, all elements that suggest proceeding with an impact assessment based on art. 35 Gdpr, in order to evaluate the risks associated with the treatment and adopt, in compliance with the principles of necessity and proportionality, the safety suitable to reduce or eliminate them.
In the event that these measures are not sufficient to eliminate or reduce the risk for the rights of employees, the owner must consult the Privacy Authority, which will indicate the additional security measures that may need to be implemented to proceed with the treatment.
Each treatment, then, must take place in compliance with the principle of transparency. They will therefore have to be prepared policies clear and easily understandable for all workers regarding the type of processing that will be carried out in the context of smartworking, the purposes, the data retention times and the security measures adopted to ensure that the private life of employees is not violated.
This applies even more in the case of treatments carried out for the purpose of legitimate interest, as in the case of the employer interested in verifying that the work is also actually carried out by the employee “in smartworking”. In fact, Recital no. 47 of the regulation states that “the interests and fundamental rights of the interested party could in particular to prevail on the interests of the data controller if personal data are processed in circumstances where data subjects cannot reasonably expect further processing of personal data “.
Failure to comply with the duty to inform workers of the activity of control carried out by the employer could therefore determine, in our case, not only a violation of the duty of transparency established by articles 12 and following of the Gdpr, but also the very lack of the legal basis of the legitimate interest on which the treatment is based.
In light of the above, and in conclusion, it may seem that in the preparation of the privacy policies corporate smartworking regulations place obstacles and problems at every step. In fact, the exact opposite is true. The Gdpr, in fact, as we have seen, guarantees the employer a wide range autonomy with respect to the choice of purposes and technical and organizational measures to be adopted in the context of protecting the privacy of workers in smartworking, with the only caveat to responsibly balance the opposing interests.
A flexibility which therefore has an important counterpart: the responsibility of the employer to be able to demonstrate the legitimacy of the decisions taken.
* Criminal lawyer, convinced that the profession is above all, for those who carry it out, an exceptional opportunity to get to know the reality and the social relationships that make it up. During my professional experience I have perfected skills in the field of criminal law relating to workplace safety pursuant to Legislative Decree 81/2008 and in the law of new technologies and privacy (avvocatofabiosavoldelli.com).