Is it legal to monitor the employees’ social network profile?

Oct 5, 2021

Traditionally, the tracking of electronic communications in the workplace (e.g. telephone, internet search, e-mail, instant messaging, VOIP, etc.) was considered as a major threat to the privacy of employees. In the  Working Document on the monitoring of electronic communications at the workplace of 2001 The working group referred to in Article 29 has set out a number of conclusions regarding e-mail tracking and internet use. While these conclusions remain valid, it is necessary to take into account technological advances that allow more recent, potentially intrusive ways of tracking. Consequently, when dealing with this issue, we should  also point out the tracking of employees through social networks.

Through the use of social networks, employers have a real opportunity to collect information on their employees and thus gain data, including those sensitive, relative to the private and family life of their employees and employers should not process of the profile of their employees in this way. In addition, employers should refrain from requiring employees or job candidates to give them access to information shared with other persons on social networks. In particular, the employer has no grounds to require an employee to accept it as a “friend” or to give him access to the content of his profile otherwise. 

However, there are also specific situations where the tracking of employees through social networks will be justified and that is, as a rule, in order for the employer to protect his or hr legitimate interests and when there are no available, less invasive ways.

Example 1

As an example, they could indicate when, during the anti-competitive clauses, the employer monitor profiles of former employees covered by those social network clauses for example, LinkedIn. The purpose of such monitoring shall be to establish compliance with those clauses and shall be limited only to those former employees. In doing so, employees who are monitored in this way have to be adequately informed as well on  the extent of the regular monitoring of their public communications on the social media.

Example 2

In the case of employment, an example of permitted tracking would be to check the profile of candidates on different social networks and including publicly available data from those networks and any other information available online in the verification process. Indeed, there is a situation where the nature of the work requires that information on candidates be checked on social media, for example in order to assess the specific risks associated with candidates for a particular function, and if the candidates are properly informed (for example in the text of the job vacancy), then the employer may have a legitimate basis on the basis of legitimate interest to monitor publicly available information about candidates.

Example 3

In matters of using social networks during work, it is important to note that employees should not be required to use the social media profile provided by their employer. Even when explicitly provided for in respect of their tasks (e.g. organisation spokesman), they must be able to use a “non-business” profile not reported instead of the “official” employer-related profile and should be specified in the terms of the employment contract.

We can conclude that modern technologies and new monitoring methods can help detect and prevent the loss of intellectual and material assets, improve the productivity of employees and the protection of personal data for which the controller is responsible, however, also face important privacy and data protection challenges. Therefore, there is a need for a very careful assessment of the balance between the legitimate interest of the employer to protect the business and reasonable expectations with regard to the privacy of the data subjects, namely employees.

Authors: Ines & Marko Krečak, Feralis Center, Croatia


Recent news

Join in now: Data Protection Day on January 28

Join in now: Data Protection Day on January 28

Data Protection Day is a day of action for data protection launched on the initiative of the Council of Europe. It has been celebrated annually since 2007 on January 28 - the date on which the European Data Protection Convention was signed in 1981. The aim of Data...

read more
Opinion on the change in the regulation of cookies

Opinion on the change in the regulation of cookies

In the Czech Republic, the Electronic Communications Act was amended with effect from 1 January 2022. This change introduced the opt-in principle for cookies and other similar network identifiers, which corresponds to the text of the ePrivacy Directive. Following...

read more