This study concludes that legal harmonisation of data protection legislation is important for the employment context. Diverse practices concerning data protection in
employment relations create a patchwork of national laws and practices. This causes problems for transnational enterprises and hinders the development of Europe-wide data protection policies inside those enterprises. Such diverse practices can also create enforcement problems when employee data gets transferred across borders. This leads to the conclusion that both employers and workers have an interest in the
harmonisation of data protection laws.
A second conclusion is that the application of data protection in the employment context based on general principles leads to a patchwork of different solutions, especially when new technologies are involved. Technical developments create legal
uncertainty for the application of data protection. Creating legal certainty through case law is an expensive and slow method. Legislative work can provide legal certainty. On the other hand, relying on flexible general principles provides a good fallback option. Soft law processes can function as learning processes on how to deal with new technologies.
A third conclusion is that to develop data protection rules in employment matters, the specificity of the political process in labour issues has to be taken into account. The data protection authorities lack legitimacy in the employment context. The social partners, as legitimate actors in employment matters, have to be involved and given ownership of the process to develop rules concerning data protection in
employment matters.
Data protection in employment relations cannot be isolated from labour law. Effective rule- making in this area needs to include trust-building. As well as harmonising laws, interests also have to be harmonised through social dialogue. An effective approach needs to
present a mix of hard and soft law.
Based on these conclusions, we can formulate recommendations for the European Parliament.
The proposed amendments to Article 82 GDPR reflect a wish to develop at least a minimal framework for data protection in employment relations. The need and intention to develop such a framework has been expressed over the years at different levels. Such a
framework would be a positive development if it effectively harmonises data protection in employment relations and if it is a technically well-developed framework.
The development of such a framework can take inspiration from the ILO Code of practice on the protection of workers’ personal data, from the earlier draft Directive concerning the processing of workers' personal data and the protection of privacy in the employment context and from the recent proposals in the Member States.
Several issues are better dealt with in the GDPR, as they have a wider application than employment relations. One such issue is consent; another issue is better enforcement in the employment context. It is recommended that unions and workers'
representatives are among the actors that can act on behalf of data subjects in the employment context, as foreseen in Articles 73-76 of the GDPR.
The minimum criteria in the proposed amendments to Article 82 GDPR are far from being such a well-developed framework. Although well intended, they are a collection of ad hoc rules without much coherence. A review of these proposals’ effectiveness in practice
is recommended; substituting them with more coherent proposals.
On the other hand, the inclusion of minimum criteria expresses the wish of the European Parliament for complementary rules concerning employment relations. These minimum criteria can be used as leverage to task the European Commission and the social partners to take the responsibility to develop a more coherent framework. Another amendment foresees a review of Article 82 GDPR in two years’ time. It is recommended to foresee a
review of Article 82 GDPR and to ask the Commission to substitute the minimum standards included in Article 82 with a coherent Directive on data protection in employment relations. The Commission could then consult the social partners about the
proposed directive and the social partners could also develop such a framework themselves through social dialogue. The European Parliament can actively follow up this process through regular consultations of the social partners in the Employment and Social Affairs Committee.
Protection of personal data in employment relations will remain a difficult issue through the further development of intrusive surveillance techniques, test methods, etc. The effective application of data protection will often represent a learning process. This learning process now takes place on an ad hoc basis through court decisions, advice from DPAs, … and could be improved. This justifies a consultation on a regular basis between the social
partners and the DPAs at national and European level. Such consultation should
create awareness of the impact of new technologies and create the necessary trust to develop common solutions. It should help to introduce relevant issues in the social dialogue. Several options for such consultation process are available. The European Parliament can consult the social partners and the Art 29 WP on the preferred options for such consultation process and ensure that it remains informed.