FOCUS GDPR and employees: what legal framework?
Legal Watch – May 2019.
Two recent cases involving a major online bookstore raise questions about the leeway employees have when processing the personal data of the company's customers.
Although data processing is now regulated in detail by law and by numerous guidelines – whether those of the CNIL or the European Data Protection Board (EDPB) – responsibilities within the company itself still raise many questions.
What is the employer's responsibility regarding how its employees process personal data? A few principles should be kept in mind:
The scope of the GDPR is broad[1]: the automated processing of personal data covers operations carried out on data with the software routinely used in businesses, such as databases, email and spreadsheets, and, where applicable, data handled in word-processing software.
Responsibility for the actions of employees generally rests with the employer, under the Civil Code[2] but also under the GDPR, because the employer is the data controller: it is the employer who determines the purposes and means of the processing within the meaning of the law[3].
For the same reason, the employer is liable in the event of a security breach, even one resulting from the actions of an employee, because it is the employer who bears the obligation to secure the data processed within the company[4].
Where the employer is held liable to third parties, it can of course take action against the employee who acted unlawfully, in particular for breach of trust or fraud, and impose a disciplinary sanction or even dismissal. Fraudulently accessing, or fraudulently remaining in, all or part of an automated data processing system is moreover a criminal offence[5].
Independently of the employer's liability, the employee may also incur liability of his own, towards the employer but also towards third parties: an employee who departs from the instructions given by the employer and pursues his own purposes becomes himself a controller of the processing within the meaning of the law (see the analysis of the Article 29 Working Party, now the EDPB[6]).
The same applies if he breaches the company's IT charter in order to use the data for his own ends.
In conclusion, it is essential for the employer to take the following precautions:
- Precisely define the purposes and means of processing and bring this framework to the attention of employees
- Have them sign a confidentiality clause attached to the employment contract as well as an IT charter
- Involve the DPO and the works council in the preparation of these documents.
These precautions will have the dual benefit of better protecting the people whose data is processed, and of clarifying the employer's liability in the event of abuse.
It should be noted that employees also benefit from protection of their privacy – and their personal data – in the workplace. This will be the subject of further developments.
And also:
In France:
On April 15, the CNIL published its activity report and announced that it would focus its future audits on respect for the rights of individuals, the processing of minors' data, and the distribution of responsibilities between the controller and the subcontractor.
Now chaired by Marie-Laure Denis, the CNIL also has a new board (collège).
In Europe:
On April 12, the EDPB adopted guidelines on the processing of personal data in the context of information society services, focusing in particular on the legal basis for processing that is necessary for the performance of a contract with the customer (Article 6(1)(b) GDPR). The text is open for public consultation until May 24.
In the world:
Nigeria adopts data protection law similar to GDPR.
[1] Articles 2(1) and 4(1) and (2) GDPR.
[2] See in particular Article 1242, paragraphs 1 and 5, of the Civil Code.
[3] Article 4(7) GDPR.
[4] Article 32 GDPR.
[5] Article 323-1 of the Penal Code.
[6] Page 16.