Brussels, 31 October, 2002
Data protection at work: Commission proposes new EU framework to European social partners
The Commission today launched a second formal consultation of social partners on an initiative to improve protection of workers' personal data throughout the EU. The Commission proposes to the European-level social partner organisations (including UNICE, ETUC, UEAPME, CEC and Eurocadres) a set of principles and rules governing treatment of personal data at work in order to provide clear and comprehensive guidance to employers and workers about their rights and obligations in this field. The Commission decision covers a range of specific questions related to data protection at the workplace which were originally identified in the Commission's first consultation of social partners on this subject in August 2001, including treatment of sensitive information, such as health data, drug testing and genetic testing data, monitoring of workers' e-mails and internet use. Following this Commission consultation, the social partners now have an indicative period of six weeks in which to comment on the Commission's proposals, or they may decide to take up the matter themselves, independently of the Commission, with a view to establishing their own EU-wide initiative in this area.
Anna Diamantopoulou, European Commissioner for Employment and Social Affairs, said : « The EU needs clearer, simpler rules on protection of workers' personal data which take better account of the employer/worker relationship. A clear and simple framework of principles and rules, applicable throughout the EU, will be good for workers and good for business ».
The Commission consultation establishes the need for EU action on data protection at the workplace and sets out the possible content of a European framework of principles and rules in this area. The consultation covers protection of data about employees (e.g. personal health records) and protection of data created by or used by employees (e.g. employees' e-mails and internet use). Processing of workers' personal data is, in many instances, a necessary and reasonable consequence of the employer/employee relationship but may entail some risks for workers. Member States address and regulate these risks in very different ways. Significantly different rules on treatment of workers' personal data within the EU may create barriers to the internal market, affecting both the free movement of workers and the need for business, in a globalised economy, to circulate data about their employees throughout the EU and beyond.
The main drivers of the Commission's decision to consult social partners on this subject at this point in time are : i) technological advance (e.g. e-mails, electronic files, the emergence of the 'home office' or telework which is increasingly blurring the boundary between work and private life, and cheaper genetic testing technology) ; ii) globalisation (outsourcing of the human resource function of large businesses is new and offers efficiency gains but may be difficult if data protection laws are radically different from one jurisdiction to another) ; iii) post 11 September insecurity (in some jurisdictions, such as the US, businesses may be expected to monitor workers or prospective workers as part of broader government efforts to step up security monitoring).
The substance of the consultation
(See text of consultation decision for the Commission's detailed proposals on each point web address below)
A worker or prospective worker is often in the position where it is difficult to refuse, withdraw or modify consent owing to the relationship of subordination between employer and employee. The Commission proposes that consent is, on its own, an inadequate safeguard for the worker, particularly in relation to the processing of sensitive data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership or health or sex life).
Access to and processing of medical data require particular attention in the employment context. It may be necessary for an employer to check whether a worker may be exposed to a health risk at work but the information processed should be kept to the absolute minimum required for an employer to meet his obligations. Some Member States only allow employers to be informed of the outcome of medical examinations, i.e. whether the worker is fit to work or not. In these countries, the medical diagnosis and the rest of the medical record remain confidential and only the occupational health physician ("médecin du travail") can have access to it. Given the high sensitivity of medical data, the Commission proposes a general framework at the European level on the processing of such data.
Drug testing and genetic testing
Testing of workers for drug and substance abuse is becoming commonplace in some Member States. Much of Member States' legislation allows testing of a worker or a prospective worker's health to ensure that they are 'fit to work', which may include testing a worker for drug and substance abuse. The Commission proposes to limit employers' collection and processing of this kind of data.
The Commission also proposes to circumscribe the practice by employers of genetic testing and to limit the use of data which result from such testing. It is recognised that some employers are using genetic data to determine whether a worker should be employed or promoted. Genetic data relates not only to DNA analysis of the worker in question but may also extend to access to details of family members' medical history.
Several Member States prohibit or restrict the use of data resulting from genetic testing (for example Austria, Portugal and the Netherlands). Other Member States do not appear to have legislated to restrict genetic testing in the workplace. As a result, the employer may not be clear about the legal status of such tests, particularly in situations where the employer is based both in a country which prohibits tests and also in one where there are no current guidelines.
Genetic features are included as a ground upon which discrimination is prohibited in the EU Charter of Fundamental Rights . The Council of Europe states that genetic data should, in principle, not be used for purposes outside the detection, prevention or treatment of diseases, a judicial procedure or a criminal investigation. Employment relations would fall outside the scope of these provisions.
Monitoring and surveillance
According to the information available to the Commission, a number of Member States have provisions restricting monitoring of workers' behaviour and correspondence (for example e-mails, internet use). Some of these provisions are contained in employment law, others are part of criminal law, whilst trade unions and works councils in some of the Member States have developed their own codes of practice on employee monitoring. The Commission proposes a set of transparent and clear-cut EU principles.
The majority of Member States have general legislation on the processing of personal data and on the free movement of such data but no specific legislation as regards the protection of workers' personal data. There are Member States who have adopted, or are in the process of adopting, specific legislation aiming at protecting workers' personal data (Denmark, Finland). Furthermore, there are Member States who have launched, or are in the process of launching, codes of conducts on the use of personal data in the employer/employee relationship (United Kingdom and the Netherlands). In other countries, possible future legislation is under consideration. However, provisions in the Member States differ considerably and can be excessively complex (e.g. interaction between data protection rules, rules on secrecy of correspondence and general employment principles in the case where the employer checks employees e-mails and internet use).
Both the International Labour Organisation (ILO) and the Council of Europe have recognised that specific guidelines are required in relation to data protection in the employment relationship. There exists an ILO Code of Practice on protection of workers' personal data and a Council of Europe Recommendation on the Protection of Personal Data used for Employment Purposes .
It should also be noted that Article 8 of the EU Charter of Fundamental Rights refers to the protection of personal data. In addition, Articles 21, 26, and 31 have specific relevance to workers and the protection of their private data.
Consulting the social partners on this subject is one of the initiatives provided for in the Commission's Social Policy Agenda endorsed by the Nice summit in December 2000. The first stage consultation was launched at the end of August 2001. This second consultation is based upon an analysis of the social partners' replies to the first stage consultation, a number of studies prepared by the Commission, and a series of meetings with experts and other stakeholders.
Processing of personal data is currently regulated at EU level by Directives 95/46/EC and 97/66/EC. Both directives apply fully to workers' personal data. However, the principles laid down by the existing EU legislation are general in scope and their application to the workplace is not always elaborated in detail. The suggested European framework of principles and rules set out in this new consultation document builds on the principles established in the existing EU directives whilst at the same time clarifying how they apply at the workplace and complementing them where needed.
This Commission decision launching formal consultation of the social partners is based on Article 138(2) of the Amsterdam Treaty which provides that the Commission must consult management and labour on the possible orientation of EU social policy before submitting any proposals. The Commission gives the social partners an indicative period of six weeks in which to react. If after that first consultation the Commission deems EU action necessary, the Commission then consults the social partners on the content of the envisaged proposal. Management and labour again have an indicative period of six weeks in which to submit an opinion or a recommendation.
At any point in the consultations, the social partners can signal to the Commission that they wish to conclude their own agreement in the policy area in question. They normally have nine months (extendable with the agreement of both sides and the Commission) in order to finalise such an agreement. If there is no agreement, the Commission retains its right of initiative.
For the complete text of the consultation decision, please see :
Specific issues focused upon in Commission's consultation paper
UNICE: Directive 95/46 provides for other means/reasons, which may legitimise, the data processing. Furthermore, European and national regulations ensure non-discrimination of workers.
UEAPME: There is no need for more formal requirements. Relationships between contracting parties should be governed by trust.
ETUC: The principle of consent is not strong enough to offer adequate protection, due to the weaker position of workers.
CEC: It favours a catalogue of personal data to which employers have no access whatsoever, even with the worker's consent.
EUROCADRES: Consent cannot be used as an excuse in data processing, giving rise to illegal discrimination.
b) Medical data
UNICE: This issue is dealt with in the Health and Safety directives.
UEAPME: Article 6 of dir. 95/46 is sufficient. Further regulation preferable at national level.
ETUC: The employer should only be informed whether the worker is fit to work or not. No information on further detailed medical data.
EUROCADRES: Processing of such data requires particular attention, due to their sensitivity and the risk of discrimination.
c) Drug testing data
UNICE: Processing of such data is legitimate for safety reasons.
UEAPME: Article 6 of dir. 95/46 is sufficient. Further regulation preferable at national level
ETUC: There is no need for a compulsory generalised drug testing.
EUROCADRES: Processing of such data requires particular attention, due to their sensitivity and the risk of discrimination.
d) Genetic data
UNICE: Its regulation is preferable at national level, due to rapid changes in this field.
UEAPME: Article 6 of dir. 95/46 is sufficient. Further regulation is preferable at national level.
ETUC: Absolute prohibition of pre-employment genetic screening. Employers may offer, on a voluntary basis, genetic monitoring, under specific safeguards, including that the results of such monitoring may be only controlled by the worker concerned.
EUROCADRES: Strict prohibition of discrimination based on genetic testing.
UNICE: There are legitimate reasons for monitoring/surveillance of workers. Moreover, there are sufficient relevant instruments on national/international level.
UEAPME: This issue differs from the others dealt with above. It should be tackled through collective agreements at company level.
ETUC: It favours a prohibition of permanent, automatic control, notably when it takes place in real time and without previous information of workers.
CEC: It opposes to monitoring of workers' Internet and e-mail use, unless justified on specific grounds. On the other hand, it favours the establishment of company's code concerning private use of Internet and e-mail.
EUROCADRES: It lays particular emphasis on this issue. It requests clear rules and rejects the use of the worker's consent as a means legitimising monitoring. With reference to the ILO Code of Practice (1996) and the Council of Europe Recommendation R (89) 2, it expresses its favour for co-operation (information and consultation) between employers, workers and workers' representatives in this regard.