Must an employer inform employees about monitoring if the purpose of monitoring is other than monitoring employees, e.g. monitoring the operation of the network and IT devices?

ANSWER

The information obligation under Article 13 GDPR must be fulfilled by the controller (employer) with regard to all purposes for which it processes employees' data. If employees' data are therefore processed in connection with IT infrastructure monitoring, employees should be informed of this in the privacy notice. As a rule, the legal basis for processing data for this purpose will be the legitimate interests of the controller (Article 6(1)(f) GDPR).

Labour Code obligations relating to the conduct of monitoring must be fulfilled where the employer conducts monitoring regulated in Articles 22² and 22³ of the Labour Code. In the situation described in the question, Article 22³ of the Labour Code could apply, i.e. monitoring of electronic mail and other forms of monitoring. Under that article, the employer may introduce monitoring where it is necessary to ensure work organisation that enables full use of working time and proper use of work tools made available to the employee. If the organisation therefore also uses IT infrastructure monitoring to control employees' working time or whether they properly use the work tools made available to them, the controller (employer) should meet the requirements indicated in the Labour Code articles referred to above, namely:

• describe in the work regulations or collective labour agreement (if the employer has one) the purposes, scope and manner of applying monitoring — if the employer does not have such documents, this should be done in a notice,
• inform employees that IT infrastructure monitoring will be applied in the workplace at least two weeks before such monitoring begins, and keep new employees informed on an ongoing basis,
• indicate (e.g. through signs, posters, stickers) that IT infrastructure is monitored.

However, if the controller processes data from IT infrastructure monitoring solely for the purpose of ensuring infrastructure security, understood as protection against external attacks, malicious software, etc., this will not be a form of monitoring regulated by the Labour Code, and the employer is therefore not obliged to fulfil the obligations indicated in Articles 22² and 22³ of the Labour Code.