5

I was reading Can an employer perform deep packet inspection under the GDPR?, where the OP is asking whether GDPR protects them from their employer running deep packet inspection. I would have expected that the GDPR wouldn't be in any way relevant, so I am asking a broader question: if I am using a work computer, something that belongs to my employer, and as is usually the case, anything on that computer belongs to the employer and not me, in that case, can the GDPR protect any of my data?

My thinking here is that the machine and the network I am using both belong to the employer. Under the assumption that they require me to only use the machine for work-related activities and I am therefore under no obligation to have my own personal information there, how can I claim any kind of GDPR protection? This isn't a case of a company harvesting data from its clients or prospects but of an entity processing data that actually belong to it anyway.

Is my understanding wrong? Can the GDPR be used to argue that an employer cannot look at some activity (any activity) I am performing using their infrastructure?

12
  • 1
    I am not sure that is true; there are plenty of work-related services that require each person to have an individual account, but your employer is not entitled to your password. If you have work-related benefits, it is likely expected that you will do things related to that on your work computer, but your employer doesn't need to know all the details.
    – Joe W
    Commented yesterday
  • 1
    GDPR always applies to personal data (usually that does not mean it bans things, but that it requires a certain process and a legal basis). There are other laws, and an employer (at least in Germany where I live) can prohibit private use of the work computer altogether, but that does not mean they can just ignore the GDPR in the course of enforcement. The original question linked to a document that elaborates in great detail on the thing you are asking, and SE is probably not a better authority on EU law than the actual EU, so maybe ask specifically which part of the example is unclear.
    Commented yesterday
  • 2
    "... anything on that computer belongs to the employer and not me... " I'm pretty sure that is not true and the employer can't use this argument. For one, the data could be owned by a third party (e.g. the operating system software on it), or it could really be your personal data (e.g. your personal mailbox). The fact that you aren't allowed to use the computer to read personal emails doesn't change the ownership of that data.
    – PMF
    Commented yesterday
  • 4
    PII is not a GDPR concept, it comes from US regulations.
    – Relaxed
    Commented yesterday
  • 1
    I think "identifiable" is used to convey (similar to GDPR) that it concerns not only identifiers such as name and date of birth but also non-identifying data that relates to an identifiable person (for example that someone has a certain health condition or achieved a certain academic result). I agree that the phrase isn't particularly clear regardless.
    – phoog
    Commented 9 hours ago

4 Answers

9

Under the assumption that they require me to only use the machine for work-related activities and I am therefore under no obligation to have my own PII there, how can I claim any kind of GDPR protection?

Any data gathered from you in the role as employee (tax id, address, marital status, medical or paternity leaves, health care provider etc etc) is obviously under the protection of the GDPR no matter what.

If nothing else is said, it is assumed that "normal" use of work property for private reasons is acceptable. For example, calling an Uber because your car broke down, ordering pizzas for the lunch break, or checking the public transport website to see when the next bus goes after you missed this one: all very innocent things to do that require lots of personal data to be transferred and company resources to be used. In that case you have protections, and there are rules and regulations (not just the GDPR) that the employer has to follow.

If the employer actually explicitly forbids any other use than use for work (preferably, as everything in Germany, in writing in your contract, counter-signed by you), you have basically no protection. That is the employer's right. They need to inform you that they are monitoring, but it is your own problem if you, against their written order, put your PII into their system. They can require you to use your personal phone on your personal plan for all the above. They do not need a reason. If not obviously required for security, they might appear draconian and not very fun as an employer, certainly a negative trait, but it would be perfectly legal.

So as always, it depends. Mostly on what your contract says.

Please note that there are rights you cannot sign away unless it is proven to be necessary for national security or something, so there is no way an employer installs cameras in the restrooms, or denies you hydration. Those are basic human rights. But using a work computer for private stuff is no basic right. The employer does not have to grant that.

4
  • Very good point about "tax id, address, marital status, medical or paternity leaves, health care provider". Those are indeed obviously protected and I hadn't considered them.
    – terdon
    Commented yesterday
  • I think there is a difference between 'no private use of work resources' which is legally fine if spelled out and say 'I will monitor all your internet use and traffic' which still requires some very strong reasons why it would be necessary and for the vast majority of jobs it just wouldn't be.
    – quarague
    Commented 12 hours ago
  • 2
    "If the employer actually explicitly forbids any other use than use for work, you have basically no protection." – I am almost certain that is not true. I don't have a source I can cite other than our annual privacy protection training, unfortunately. However, for example, if your laptop gets infected with malware and IT are going through your emails or your browser history or whatever to determine how the infection occurred, and they come across some personal information that is on there because you misused your laptop for personal stuff, then they must not look at it, at least once they …
    Commented 8 hours ago
  • 1
    … recognize that it is personal, even though it violates company policy to have it on the laptop in the first place. At least, that is what I was told.
    Commented 8 hours ago
3

Employee data is often personal data. The GDPR defines when and how personal data may be handled by a data controller or a data processor.

For internet users, the relevant justification is often the consent of the user. But there are other possible justifications, including contractual obligations. Since employees tend to have a contract with their employers, this justifies the handling of much personal data, from payrolls to work assignments. For some data there may also be a legal requirement as justification for data processing.

On the other hand, data controllers are required to implement appropriate technical-organizational measures to safeguard the data. Depending on what the company does, auditing all network traffic may be appropriate or not.

2

GDPR applies

Any personal information on the laptop is being processed ("collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction"). Since it's the employer's laptop, it's being processed by the employer, and they need a lawful basis for doing so.

Some information (like usernames, email addresses, IP addresses, etc.) is necessary to perform the employment contract. Information that the employer doesn't want or need but is provided voluntarily has been given consensually. Other lawful bases might be applicable.

To comply with the GDPR, the employer should have considered the laptop's possible uses and the PII that might be collected and documented the lawful bases applicable for each category of data that might reasonably be put on the computer and the processing that might happen to it. Notwithstanding, the employee still has all their normal rights such as that the data should only be kept for as long as it's needed and the right to be forgotten.

2

Under the assumption that they require me to only use the machine for work-related activities and I am therefore under no obligation to have my own personal information there, how can I claim any kind of GDPR protection?

GDPR protects your "personal data." It defines "personal data" thus:

any information relating to an identified or identifiable natural person

Since everything on the laptop is related to you, the relationship being information residing on the laptop that is assigned to terdon, the whole laptop is arguably subject to GDPR.

But that doesn't mean you can stop the employer from monitoring what's on the laptop. After all, they own it. GDPR subjects the employer to certain obligations around how they handle the data and the circumstances under which they can disclose it to others, etc.

The argument that the employer owns the data because they own the laptop where it resides isn't particularly compelling. After all, an ISP may own the servers and storage devices where it maintains users' account records, but those records are nonetheless protected by GDPR.
