In August 2020, the Danish Data Protection Agency completed five written inspections, all of which focused on the employer’s duty to provide information to employees about control measures used towards the employees.
All five inspections gave rise to criticism from the Agency, and in three of the five cases, the Agency expressed serious criticism of the employers’ processing of personal data.
The inspections and subsequent criticisms are related to the General Data Protection Regulation, which requires that a data controller must inform data subjects if their personal data is being collected no later than the moment of collection. Data subjects must also be notified of (among other things) the purpose of the data processing, the legal basis for it and, whenever possible, the length of time the data will be stored.
The duty to provide this information is linked to the GDPR’s principle of transparency, which includes a requirement that data subjects have easy access to detailed information about the processing of their personal data.
The serious criticism from the Agency concerned, among other things, the lack of clear information about why the employees’ personal information was being processed. For example, in one case the employer had not sufficiently informed its employees of a number of measures, including access to the employees’ e-mails and the use of video surveillance, which the company could use for control purposes in relation to the employees.
In addition, the Agency criticised the lack of information regarding the employers’ legal basis for processing employee data as well as the categories of information collected for control purposes. Thus, the recurring theme of the inspections was whether the employees had received sufficient information and whether they had easy access to that information.
The Agency’s very detailed decisions emphasize that employers should be diligent in informing employees about measures that allow the monitoring of employees and, to the greatest extent practicable, ensure that the information required by the GDPR is given to employees in an easily accessible form.