Employee Surveillance – When Employers Cross the Line

 

"It is still common for employers to monitor employees' online activities and check their communications without trusting them. In order to do so, employers install monitoring apps and view them as the optimal way to solve the problem of inefficiency. This decision is determined by the belief that the work tools provided by the employer automatically allow them to be checked at any time and without restriction. However, Lithuanian courts have clarified that employees do not lose the right to the protection of their private life, especially private correspondence, during work. So where is the limit of checks? When can such curiosity end in a violation of the General Data Protection Regulation (GDPR)?

 

The need for employee monitoring has become especially evident after the pandemic, when the popularity of remote work has increased. Managers who work remotely still check their employees for various reasons: to monitor work productivity, to ensure project continuity during long vacations or periods of incapacity for work, to suspect the leakage of confidential information, to prepare for a Competition Authority investigation for verification, investigating cyber incidents and similar cases.

 

Modern monitoring applications, such as Teramind, ActiveTrack, Controlio, Hubstarff, TimeDoctor, allow you to check the websites visited, see the login time, and obtain statistical data about the active working time in one or another operating system. However, they also provide the ability to remotely turn on the employee's computer camera, speaker, take screenshots, track the computer mouse movements and even see social media messages without the employee knowing anything about it.

 

All these functions are difficult to reconcile with the employees' right to privacy. The State Data Protection Inspectorate - the Lithuanian Data Protection Supervisory Authority - has included employee monitoring in the list of risky operations. This was done after emphasizing the importance of privacy at work and establishing the obligation for the employer to conduct a written privacy impact assessment before taking any employee monitoring actions.

 

No prohibitions on monitoring

 

There are no prohibitions for an employer to monitor the communication of its employees in Lithuanian law. However, on the other hand, the Labor Code stipulates that the employer’s rights to the provided tools cannot violate the confidentiality of employees’ personal communications. This means that even though the work tools belong to the employer, this does not give him the right to do whatever he wants with them. For example, to install tracking equipment in a company car or apps on computers without reason and restrictions.

 

This interpretation of the legal acts was recently confirmed by the Supreme Court of Lithuania in a resonant remote work case. The court indicated that the employer has an interest in checking whether the employee is not abusing the freedom granted to him to manage his working time, but must do so while respecting the privacy requirements of employees. The court noted that the employer could check whether the employee is performing the functions assigned to him by recording the employee’s connection to certain systems, active and passive connection times, setting different working hours or controlling the performance of work functions not by time accounting, but by recording the work performed and its results.

 

The State Data Protection Inspectorate has issued its recommendation on this issue, urging people to remember that the principles of honesty and cooperation apply in employment relationships. Therefore, both employees and employers should act honestly and not abuse the law. Especially when the employer prohibits the use of work tools for personal purposes.

 

Do not cross the line

 

Having assessed the situation, on one side are employers who, in the new era of hybrid work, must find ways to ensure work efficiency and prevent abuse by employee. On the other side is the protection of employee privacy. As is often the case in law, when two opposing interests collide, a fair balance is sought. Finding the right balance, in essence, depends on two things: the seriousness of the situation the employer is facing and the “penetration” of the monitoring tool into the employee’s private life.

 

For example, when an employee himself wishes to work remotely, but the tasks he performs cannot be objectively measured, the employer has a reasonable question: does the company receive from the employee the agreed eight-hour attention to perform his duties for the salary paid? Such examples are abundant in information technology, telemarketing, sales and other spheres. The need to monitor employees may also arise when they use company cars to perform their duties. Accordingly, the employer must have tools that will help monitor fuel consumption, determine optimal routes or ensure that the employee visits clients during work.

 

There are situations when monitoring of the means provided by the employer is necessary, and sometimes the only effective measure. However, there are also cases when monitoring will be assessed as a privacy violation. For example, if the risk is unreasonable and unnecessary, when the chosen monitoring method and tools will collect too much data about the employee or collect that data during their lunch breaks or after working hours. Finally, if the monitoring will be carried out secretly, without informing the employees in advance.

 

However, when the need for monitoring arises in cooperation with law enforcement, on suspicion that employees are committing crimes or simply deliberately violating the company's internal procedures, it may be impossible or even inappropriate to implement all requirements, such as informing employees in advance about the monitoring or conducting an impact assessment.

 

However, a violation will most likely not occur only if the employer uses monitoring tools only for temporary short-term monitoring and, after clarifying the circumstances, stops everything.

 

Additional actions are required

 

Rarely does an employer know that employee monitoring requires additional actions - a thorough analysis of the monitoring tools. Additional documentation is also required - a assessment of impact on data protection. Without these formalities, employee monitoring will also be recognized as a violation of the law.

 

When conducting internal investigations that require checking an employee's computer, phone or correspondence, it is very important to take into account personal information. This means that files marked as "personal", letters from family members, personal photos, copies of documents that the employee may keep on his work computer must be excluded from the scope of the investigation and left untouched.

 

In addition, it is always advisable to check the employee's computer or correspondence in his own presence, and when this is not possible, in the presence of an employee representative. Such measures protect the employer from a complaint about a data protection violation.”