The Covid-19 has forced many employers to enable opportunities for employees to work from home and many digital solutions are used to facilitate remote work performance. While there is technology available that can track every second of an employee’s working day, Finnish law, however, includes rather strict provisions on the use of such technology for employee monitoring purposes and any monitoring should, therefore, be carried out with caution.
Below a few examples of employee technical monitoring that Finnish law considers allowed/not allowed:
- Monitoring employees’ use of the internet and online activity: This is not allowed. The right to confidential communication applies and an employee can also not consent to the employer monitoring his/her net browsing and online activity. Nevertheless, an employer may, naturally, provide its employees with guidelines relating to the use of the internet, for example inform them on what kind of sites they can visit. An employer may also block access to certain sites.
- Monitoring employee’s use of the intranet: An employee’s use of the intranet is not regarded as confidential communication (between the employer and the employee) and an employer is therefore regarded to have the right to monitor its employees’ intranet activities (for example collecting information on what messages have been read by the employee). However, this kind of technical monitoring would fall within the scope of application of the Finnish specific rules relating to technical monitoring of employees meaning that the implementation of such monitoring must be preceded by co-operation proceedings (as discussed below).
- Location of employees: As a rule, location data should not be used for monitoring such employee obligations that are set forth in mandatory Finnish employment law (such as, for example, working hours). According to the Finnish data protection authorities, however, the use of location data can be acceptable if the employer has a justified reason for this. As regards general office work carried out by the employee from his/her home there is probably very few well-grounded reasons for monitoring such an employee’s location data whereas the situation is different if the employer must be able to allocate certain resources to its employees (such as cars or other working tools).
Implementation of technical monitoring
The implementation of any technical monitoring must be preceded by co-operation proceedings. If the employer organization employs less than 30 employees, the employer must reserve the employees (or their representatives) an opportunity to be consulted in the matter before deciding on the technical surveillance. Also, a data protection impact assessment (DPIA) must typically, under the GDPR, be made if monitoring employees by technical means.
Transparency and privacy policies
Employers (data controllers) should make sure that all processing of their employees’ personal data is covered in the relevant data policy. To the extent an employees’ remote work gives rise to any new employee data processing activities undertaken by the employer, the employer should update the applicable data policy and communicate the new updated policy to its employees.