The protection of personal data, an introduction

The right to be left alone. This 1890s approach to the "right to privacy" marks the beginning of modern Western thinking about privacy. The background at the time was the protection of famous Americans from the new media of the day ('newspaperization' with instant cameras, newspaper companies, etc.). Since then, 'privacy' has developed into the fundamental right 'protection of privacy' enshrined in many international treaties and in the Dutch Constitution.

20 January 2020

Author(s): Melanie Hermes, Arjen van Halem

Privacy: more than data processing

Since 1983, when the entire Constitution was modernized, Article 10 has stated, "Everyone has the right, subject to limitations to be imposed by or under the law, to respect for his privacy." By the way, privacy includes more than just the processing of personal data (which the AVG covers). It also includes the fundamental rights of home, mail secrecy and respect for physical integrity, as well as the right not to be spied on or overheard.

The Constitution also shows that the right to privacy is not absolute. Limits can be placed on this through legislation. The General Data Protection Regulation (AVG) is a good example of this. The Constitution seems to suggest that personal privacy relates only to what we call "private": the home, the letter or one's own body. However, privacy also relates to the public domain (think of the secrecy of votes and the prohibition of covert camera surveillance) and the employment relationship, among others. After all, entering into an employment relationship does not end the right to privacy protection. And this applies not only to the processing of personal data (checking e-mails), but also to bodily integrity (think of strip searches and drug testing), relational privacy (for example, a relationship between two colleagues) and spatial privacy (checking lockers).

In this book we focus on the protection of personal data, the domain of the AVG. It is a tool in the search for a balance between the employer's right to process data necessary for the functioning of the company and the employee's right to protection from the processing of personal data. Finding the right balance is not easy.

First, views on the boundaries of personal privacy are culturally determined. Even among Western countries, the differences are great. For example, data on income is much less sensitive in the United States, but data on age is more so. There are also differences between European countries. The European AVG does not change this and even allows for it in Article 88 for employees. In Germany, for example, employers register the religious beliefs of employees for the purpose of paying the 'Kirchensteuer'.(1) In the Netherlands there is no legal basis for this. There are also big differences between people. Just look at the use of social media. For example, you sometimes hear employees say, "My boss can know everything about me, I have no secrets."

Second, what we think is ordinary is changing almost as fast as technology. Just look at camera surveillance. The first cameras led to much inconvenience and discussion. Now they hang everywhere in cities and along highways.

What makes this difficult is that laws and regulations offer few concrete boundaries about what is and is not allowed. It's always about context.

Against this background, the "reasonable expectation of privacy protection" standard was developed. What constitutes a reasonable expectation always depends on time and place. The AVG, in conjunction with many other laws, provides the framework for striking the right balance.

Personal data protection: more than security

The AVG, as well as the European Directive preceding it, is based on eight principles established by the OECD in 1980:

  • Limit the collection of personal data.

  • Use only the data that is relevant to the purpose and sufficiently up-to-date.

  • Collect data only for a specific purpose.

  • Do not use the data for any other purpose than described.

  • Provide adequate security measures.

  • Provide transparency about the use of personal data.

  • The individual has the right to find out whether data is being collected about him and the right to correct, supplement or delete it.

  • The administrator is responsible for compliance with the principles.

These principles are also the foundation of much legislation outside Europe.

The name of the European regulation, the General Data Protection Regulation, may give the impression that, as with the Data Protection Act (Wbp), the core of data privacy is the security of personal data. And that if that data security is in place (with encryption, ISO standards, contracts), then the requirements of the AVG are met. But that is not the case. Personal data protection is also about restricting access and limiting processing to what is strictly necessary. Good security is a necessary condition for the protection of personal data, but not a sufficient one.(2)

Indeed, personal data may only be "processed" for specified and explicitly defined purposes. After all, processing is not only collecting, but also storing, transmitting and viewing. Prior to security, usefulness and necessity must first be established. Security is necessary to ensure that only lawful processing takes place.

Prevention is better than cure. So protecting personal data starts with establishing utility and necessity, data minimization and limiting retention periods. In practice, by the way, in most applications there is not much discussion about the primary objective. Most attention is paid to limiting access to data (authorization matrix), reporting, current and possible future secondary use, and possible linkage with other files.

The AVG calls for "appropriate" security measures, i.e. appropriate to the risk to the data subjects and the capabilities of the organization. Technical measures (for example, two-factor authentication, encryption) are preferable to organizational measures (such as the instruction not to distribute downloaded Excel spreadsheets any further). Here, the AVG also mandates privacy-by-design.

Footnotes

(1) Church tax paid through the employer.
(2) Information security is receiving increasing attention due to the risk of cybercrime. Although cybercrime mainly targets confidential business information and intellectual property, security measures also affect the protection of personal data. On the one hand, there is a trade-off: the level of protection of personal data becomes higher. On the other hand, monitoring the network and the use of applications such as e-mail also leads to increased processing of personal data.

This text is a pre-publication from the book "Privacy in the Workplace". Written by Melanie Hermes and Arjen van Halem, the book covers the most common issues surrounding privacy in the workplace.

'Privacy in the Workplace' is eminently suitable as a practical guide for anyone active in the field of HR, labor law or otherwise dealing professionally with the processing of employee personal data. The book contains concrete tips and is indispensable as a reference book on everyone's desk.
