Data protection in the legislation of the European Union and the Netherlands finds its basis in the general principle of respect for one’s private and family life as set out in article 17 of the United Nations International Covenant on Civil and Political Rights (ICCPR), article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) and article 10 of the Dutch Constitution. Furthermore, the rights and obligations on the scope of employment information and privacy are ruled by the good employment standards of article 7:611 Dutch Civil Code.

The fundamental right of privacy has been specified in greater detail for the European Union in the EU Privacy Directive 95/46/EC and for the Netherlands in the Personal Data Protection Act (PDPA) from 2000. The PDPA was followed by the Exemption Decree in 2001.

The purpose of both the European and Dutch legislation was and is to safeguard and protect the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data, within the scope of the generally accepted European principle of free flow of personal data between the Member States. Only good data management can serve this principle. Consequently, personal data must be processed fairly and in a secure manner, and it may only be used for explicitly described and legitimate purposes. The spearheads of both European and Dutch regulations regarding privacy and the protection of data are the principles of proportionality and subsidiarity.

A new European General Data Protection Regulation (GDPR) became effective on 25 May 2018. This Regulation directly applies within EU Member States and for the Netherlands this means replacement of the Personal Data Protection Act (from 20000 by the GDPR combined (for certain detailed arrangements where the GDPR allows for national arrangements) with the Implementation Act General Data Protection Regulation per 25 May 2018.

Although the previous Dutch legislative framework was similar to the GDPR there are differences. Compared with the old legislation, the GDPR includes, amongst others:

• an extension of the rights of the data subject (employee) to inspect collected data, to restrict the processing of data, to obtain a copy or to erasure of data and to data portability;
• several safeguards in favour of the employee with respect to the processing of data and to providing information about the privacy policy (for example: explaining to employees how long data is saved);
• the obligation to appoint a data processing officer for certain companies;
• the improved protection of data by an early risk assessment (Data Protection Impact Assessment); and
• considerably higher penalties.

Do I need consent to process employee data?

Employee data to be retained by the employer, for example in a personnel file, will often qualify as personal data. According to the GDPR personal data may only be processed if:

• the data subject has unambiguously given his consent for the processing (almost impossible to use within employment context!); and/or
• the processing is necessary:
• for the performance of a contract to which the data subject is a party;
• for actions to be carried out at the request of the data subject and that are necessary for the conclusion of a contract;
• in order to comply with a legal obligation to which the responsible party is subject;
• in order to protect a vital interest of the data subject;
• for the proper performance of a task carried out in the public interest or in the exercise of official authority vested in the responsible party; or
• for the purposes of the legitimate interests of the responsible party or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. processed in a personnel file if it is necessary in connection with the performance of the employment contract.

As indicated above, although the GDPR explicitly mentions the data subject’s consent as a valid legal ground, European case-law assumes this legal ground not to be valid in an employment relationship. The employee is in a dependent position towards the employer and therefore consent cannot be deemed to be freely given.

However, there are other – valid – legal grounds for processing employees’ personal data, e.g. when the processing of personal data is  necessary for the performance of a contract or to comply with a legal obligation. Whether a legal ground is sufficient for the processing of certain personal data will depend on the exact type of data to be retained. Sensitive data – such as medical data – are in principle not allowed to be processed by the employer.

Finally, in general the processing of personal data must always be strictly necessary and proportionate in relation to the purpose of processing. This means, amongst others, that the employer should respect the principle of data minimisation; it should not record more personal data than strictly necessary. The employer should also store the collected personal data securely. Finally, it is important that employees are informed properly about their personal data being processed; it is recommended to publish a separate privacy notice for this purpose.

What are the privacy and data protection issues inherent in alcohol / drug testing?

An applicant or an employee is in principle allowed to do whatever he wants in his free time as long as it does not influence the performance of his duties.

Questions about drugs and alcohol abuse

An applicant must inform the company about previous abuse of alcohol and drugs when there is a fair chance of relapse.

During the employment, questions about drugs and alcohol use can only be asked if the employer has a valid reason to do so, for instance in the case that the employee is suspected of abuse alcohol or drugs and such abuse influences the employee’s performance.

Drug or alcohol tests

Drug or alcohol tests are considered medical tests under Dutch law, and employers can therefore not require the employee to undergo an alcohol or drug test against his will, unless:  

• there is a specific legal basis to carry out such test such as in cases specifically mentioned in the Decision on alcohol, drugs and medicines in traffic (Besluit alcohol, drugs en geneesmiddelen in het verkeer), e.g., for pilots or train drivers; and
• appropriate measures are taken to protect the fundamental rights of the employees and to minimize the privacy risks; and
• the strict conditions for the processing of special categories of personal data (ex. article 9 GDPR) are met.

As indicate above, a legal ground to test an only exists for a limited number of professions (e.g. pilots or truck drivers). Testing for alcohol or drugs without a legal basis is a breach of the GDPR. Anyone who conducts a test without legal reason may be fined by the Dutch Data Protection Authority.

How can I legitimately monitor employees’ email, internet usage and social media?

Monitoring (online) employee behaviour qualifies as a form of processing personal data. The GDPR provides that processing of personal data is only allowed when necessary and when there is a valid legal ground for doing so. The employer could conceivably have a legitimate interest in monitoring employees’ e-mail, internet use and social media, for instance in light of security risks. Given the intrusive nature of such monitoring of behaviour, the employer will have to consider whether tracking employees is proportionate in light of that interest and whether there are no other means by which the same objective can be achieved. For example, an alternative to monitoring could be to block certain websites with security risks.

Since a tracking system is likely to have a significant impact on employee privacy, it is reasonable to assume that a DPIA (data protection impact assessment) is mandatory. Moreover, employee tracking is classified as an “employee tracking system” under the Dutch Works Councils Act  and stipulates that the introduction of such systems must be submitted to the works council.

What are the limits of using artificial intelligence in employment?

More and more companies are using Artificial Intelligence (“AI”). AI can not only be helpful in the application process to select suitable applicants but can also be used to improve and track employee performance.  AI, however, also carries risks.

Therefore, systems based on AI that process personal data are subject to privacy legislation and supervision of the Dutch supervisory authority. In addition, the NVP Recruitment Code requires AI systems to be validated and transparent and employers must be open and honest about the use of AI.

Overall, AI systems processing personal data should act in accordance with the privacy principles of lawfulness, fairness and transparency. Furthermore, certain basic conditions must be met. For example, there must be a valid legal ground for the processing of personal data, such as the performance of an agreement. Moreover, personal data may only be processed for specific and predetermined purposes. Personal data previously collected may not be processed for other purposes at a later date.

The data controller using AI is responsible for its proper use. For example, the data controller is required to keep a register, which describes activities involving the processing of personal data, including the purposes of such processing. In addition, prior to any particular processing, a user must conduct an assessment of its impact on the protection of personal data. If certain risks cannot be sufficiently eliminated, the Dutch supervisory authority should be consulted for advice.

In 2021, the European Commission submitted a legislative proposal for an AI Act. This new law distinguishes between different risk categories of AI. The AI Act establishes requirements and restrictions for AI systems based on the risk category of this AI system.

What are the data protection issues in whistleblowing?

Legislation update

Legislation with regard to the protection of a whistleblower, the Dutch Whistleblowers Act, came into force per 1 July 2016. This legislation protects a whistleblower who reports in good faith an act of abuse, malpractice or misconduct to the employer or to the House of Whistleblowers from being disadvantaged (and so presumably from being fired) for reason of such report disadvantaged (and so presumably from being fired) for reason of such report or during and after the period that this report is under investigation by the employer or an authorised organisation (such as the House of Whistleblowers).

The European Parliament and the Council of the European Union have approved the Directive for the harmonisation of the protection of whistleblowers (Directive EU 2019/1937; “Whistleblower Directive”). Member states should have implemented the provisions of the Whistleblower Directive on 17 December 2021. However, in the Netherlands a legislative proposal is still being debated in the Lower House of Parliament. Therefore, the Netherlands failed to meet the implementation deadline of 17 December 2021. 

Below we will describe two data protection issues relating to whistleblowing.

• Processing personal data

Personal data will be processed during proceedings resulting from whistleblower reports. This will include not only the whistleblower’s data, but also that of witnesses, the accused person and other persons whose data will be disclosed in the course of such proceedings. In order to comply with the current Dutch legislation and the Whistleblower Directive, the employer need to prioritize confidentiality and protection of both the whistleblower’s identity and the contents of the disclosure, and balance this with continued adherence to their GDPR obligations. The Whistleblower Directive explicitly contains a reminder that any processing of personal data carried out must be made in accordance with the GDPR.

• Conflict of the GDPR data subject rights and the public interest in protecting whistleblowers

Right to information

Pursuant to the GDPR the employer has the obligation to inform the whistleblower about i) the processing activities in connection with the reporting, ii) the subsequent investigation process and iii) the protection of his data (article 13 GDPR). The right to information and the effectiveness of the investigation of breaches are seemingly at battlegrounds, especially as the personal data contained in the report may not only relate to the whistleblower and therefore result in a right to information for the accused person. Providing information to such a person early in the investigation of a report may threaten the investigation.

Data subject access request

The GDPR gives individuals the right to request a copy of any of their personal data which are being ‘processed’, a so called “data subject access request” (article 15 GDPR).  If one employee discloses information about the other employee to the employer, and later, the other employee makes a data subject access request, he has a right of access to his personal data, including “where personal data are not collected from the data subject, any information as to their source” which would reveal the identity of the whistleblower.

The European Data Protection Board advises that if access is granted to a concerned individual, all the personal data of the whistleblower and any third parties should be redacted from those documents. Where this is not practicable, it may be possible to withhold the disclosure of an individual’s personal data on the basis that this would interfere with the rights and freedoms of another individual. This needs of course a case-by-case and country-by-country basis assessment.