Despite the evolution of the legal system and its laws and regulations, the parties to the labour relation continue to face difficulties in establishing the boundaries on what it is considered private and what is to be considered public, struggling with it.

The use of social networks and internet, among other developed technologies, raise questions of personal and employment data protection, and is a focus of permanent conflict between two fundamental rights: the employee’s right to privacy and the employer’s right to property of the working tools.

Do I need consent to process employee data?

According to the Portuguese Labour Code, and other legislation, including the GDPR regulations, and the recommendations of the CNPD (National Commission for Data Protection), the employer may process its employees’ personal data within the limits and for the purposes defined in the Labour Code, namely with reference to the execution of the employment agreement, without depending on the legitimacy of the
employee’s consent.

The foregoing type of processing of employee personal data is also applicable when liaising with third parties, provided the employer ensures, under a contract for the provision of services and subject to equal guarantees of confidentiality, that the processing of the employee’s personal data related to the management of the employment relationship is solely collected and processed for this purpose.

Where the data subject’s consent is the appropriate basis of legitimacy for data processing, then it must be ensured that the consent is valid because it is given under the legally required conditions: a free, specific, informed, and unambiguous expression of will, and the data subject (Employee) must be informed beforehand.

What are the privacy and data protection issues inherent in alcohol/drug testing?

By law, in Portugal, the treatment of health and other specially protected data is as a general rule not allowed, despite the employer’s continued duty to prevent occupational risks and illnesses and to adopt the appropriate measures regarding health at work.

In addition, any test or exam performed to determine if the employee consumed any drugs or alcohol is considered private and, an invasion of employee’s privacy. Notwithstanding, specific circumstances may justify testing of some of the employees.

Therefore, even under the justification of occupational health and safety, to prevent accidents during the employee’s work activity, and to be able to carry out the appropriate disciplinary procedures potentially arising from the use of drugs and alcohol, the employer is bond to, prior and in order to execute tests and examinations, establish internal regulations, of which the employees must be clearly informed determining that the tests are exclusively intended to ascertain the employee’s ability to perform its duties and that they may only be carried out in strict compliance with the law, specifying, e.g. substances targeted, professional categories, frequency, and that the consumption is subject to disciplinary procedure.

Nevertheless, these tests and examinations must be necessary, adequate, and proportional for the protection and safety of the employees as well as of third parties.

How can I legitimately monitor employees’ email, internet usage and social media?

In Portugal, the labour code foresees that the employer cannot, under any form of control, access to the content of information of the private area of the employee as user of the technologies, e.g, email, internet usage and social media, even though access is made through the working tools provided by the employer.

Regarding the legitimacy of the employers to monitor the employees’ email, internet usage and social media, it is recommended by the CNPD (National Commission for Data Protection) that the employer establish the terms and conditions of use via an internal regulation and inform the employee of its content. The employer, during the execution of the internal regulation must consult the employees committee, the inter-union
committees, union committees.

In addition, before the data treatment, the employer must inform the employee about the conditions of use of company resources for private purposes and how they are monitored (forms and methods adopted), about the existence of the associated data processing, its purposes, the data processed and its retention period, as well as the degree of tolerance allowed, and the consequences of misuse or improper use of the communication resources made available to the employee.

What are the limits of using Artificial Intelligence in employment?

The use of algorithmic management has been on the rise and was strongly boosted with the COVID-19  pandemic through the use of remote working software that allows the collection and monitorization of the labour performance data.

Several initiatives have been developed and guidelines have been produced aiming at an ethical, fair, and transparent Artificial Intelligence, in order to promote transparency and accountability in its use, namely in the scope of labour relations.

Within the Portuguese national government program “Digital Transition Action Plan” the use of Artificial Intelligence must comply with the following principles:

• Respect of human rights, diversity, and non-discrimination
• Fairness
• Transparency
• Data privacy and data governance
• Accountability
• Human-centred approach
• Participation of workers

What are the data protection issues in whistleblowing?

The processing of personal data under the general regime for the protection of whistleblowers must comply with the Portuguese General Data Protection Regulation, which ensures the enforcement of the rules relating to the processing of personal data for the purposes of prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties.

Thus, the implementation by the companies of an internal whistle-blower channel must ensure, among other things, the confidentiality of the identity or anonymity of whistleblowers and the confidentiality of the identity of third parties named in the complaint, the integrity and preservation of reports, the access to the information by unauthorized persons, the independence, impartiality, confidentiality, data protection, secrecy and absence of conflicts of interest of the persons or services designated by the company for the receipt and follow-up of complaints.

A record of complaints received must be kept and, verbal complaints shall be recorded when made by telephone, verbal whistleblowing channel and face-to-face meeting, through durable and recoverable support that allows an accurate transcript of the communication, minutes of the communications, etc, and the whistle-blower has the right to see, correct and approve the above referred transcript or minutes of the communication or meeting, signing it.

Complaints shall be kept for at least five years, and regardless of that period, while judicial or administrative proceedings relating to the complaint are pending.