Personal data and employment relationships: Limits, Risks and Obligations
The challenges and risks associated with the processing of employees' personal data at all stages of the employment relationship (at the recruitment stage, during employment and at the departure of the employee) have repeatedly concerned the Hellenic Data Protection Authority.
Issues such as the monitoring of electronic communications at the workplace (e.g. telephone, web browsing, email) or in the context of teleworking, the use of personal devices (BYOD, Bring Your Own Device), the use of the company's mobile devices, the use of video surveillance systems, the installation of a global positioning system (GPS), the control of the employee's social networks and the use of artificial intelligence systems for work-related decision making reshape the concepts of work planning and management. They also create new challenges and balances between the reasonable expectation of respect for the right to privacy and the protection of employees' personal data, on the one hand, and the employer's legitimate interest in ensuring the proper functioning of the business, on the other.
More specifically, the employment relationship, like any other legal relationship, requires and implies the processing of employees' personal data for purposes related to the work environment and aimed at fulfilling the obligations of both sides, whether imposed by law or agreed by contract, such as the payment of wages, the control of working hours, the calculation of social security contributions and the monitoring of leave days. The impression that any further data processing should be deemed justified merely because of the existence of the employment relationship is therefore not valid. The Authority, with its Decision No. 26/2019, has already pointed out, in a nearly educational manner, that neither the legal basis of performance of a contract (Article 6(1)(b) GDPR) nor that of consent (Article 6(1)(a) GDPR) can justify any processing of employee data, and that the employer is not exempted from liability by simply stating that the processing is based on, for example, the consent of the employee.
In particular, the employee's consent is highly unlikely to constitute a valid legal basis for data processing at work and will only be considered as such in cases where no other legal basis remains. This is due to the inherent inequality of the parties in labor relationships and the general dependency of employees, which raise doubts as to whether the employees' consent is freely given.
However, it must be made clear that the existence of a legal basis, for instance the employer's lawful interest, in the exercise of the managerial right, in controlling the leakage of know-how and trade secrets and in protecting the company and its property from the transmission of confidential information to a competitor, does not exempt the employer from the obligation to respect the principles (Art. 5 para. 1 of the GDPR) regarding legitimacy, necessity and proportionality, as well as the principle of minimization. In case of a violation of the abovementioned principles, the processing in question is deemed to be illegal.
Recently, the Authority issued Decision No. 27/2024, which, among other things, states that "the employer in any case, applying the principles of the GDPR, should apply policies of acceptable use of electronic media and inform the employees accordingly. Such policies should describe in detail the permitted use of the operator's networks and equipment, the actual processing, as well as the possibility of legitimate access by the employer to the electronic media used by employees".
According to the Working Group 29 Guidelines "for the provision of consent under the GDPR" (WP259 rev.01), as well as ECtHR case law (Barbulescu v. Romania), where the employer monitors the employee's electronic communications without having previously informed him of the possibility or the circumstances of such monitoring, an infringement of the employee's right to privacy under Article 8 ECHR is established.
Thus, the employer should always take into consideration the basic principles of data protection and inform employees, at the stage of collecting their personal data, about the use of control and monitoring methods, the supervision of their work and the purpose of processing their data, in order to ensure legitimate and lawful data processing. Finally, the employer's invocation of legitimate interests based on the use of technologies for detecting or preventing the loss of intellectual and material corporate property, which require the processing of employees' data, always remains subject to the condition that the processing is strictly necessary for the legitimate purpose and complies with the principles of proportionality and minimization, so that the use of such technologies does not become unjustified, intrusive monitoring or profoundly unfair processing for the assessment of the behavior and efficiency of employees.