Stricter control over employees’ personal data protection
The legal framework regulating the handling of employees’ personal data is going through significant changes. One of them is the adoption of the EU General Data Protection Regulation (GDPR), substantially changing the rules for the treatment of personal data. Another not as ground- breaking change has been overshadowed by the aforementioned measures, even though it also deserves our attention, as it establishes stricter control over the observance of employers’ duties to protect employees’ personal data.
Employers’ duties when handling employees’ personal data are regulated both by the Personal Data Protection Act, and by Section 316 of the Labour Code. The list of duties and their content are not changing yet (until the effective date of the mentioned GDPR in May 2018), but the manner of control over the observance of the stipulated duties may: the Chamber of Deputies is presently discussing a draft amendment to the Labour Inspection Act, which introduces new administrative delicts in the area of employee privacy protection.
Currently, the only entity authorised to inspect the observance of duties when handling personal data of employees is the Office for Personal Data Protection. It checks the adherence to all responsibilities ensuing from both mentioned laws. Yet, according to the intention of the Ministry of Labour, the observance of the duties stipulated by the Labour Code should from now on be checked by an authority specialised in labour-law issues, i.e. the Labour Inspection Authority.
The Labour Inspection Authority would primarily check whether employers observe all relevant duties when monitoring employees through camera systems, GPS monitors in company cars, the recording of telephone conversations, or when inspecting internet use or internal e-mail systems. The authority would check not only the manner of monitoring, but also whether the employer had a legitimate reason to do so. If it were to determine that the employer had been infringing on employees’ privacy in an unpermitted manner, it could impose a penalty of up to CZK 1 million. Failure to meet the duty to inform of monitoring being carried out could involve a penalty of up to CZK 100 000.
Thus, instead of one, two authorities may soon be supervising employers: the Personal Data Protection Office will continue checking the observance of duties ensuing from the Data Protection Act, while the Labour Inspection Authority will supervise the observance of privacy protection rules as stipulated by the Labour Code. The probability that employers will get under the scrutiny of one of the authorities will thus increase significantly. If the proposed amendment gets through the legislative process, it will enter into effect 15 days after its promulgation in the Collection of Laws. This means that employers will only have a short time available to make their entire employee monitoring practices compliant with the law.