Data protection refers to limits on the processing and use of personal data. This includes data about employees, such as personal health records, and data created or used by employees in emails or internet use. Two Directives provide the framework for general EU regulation in this area, though they are not specifically concerned with the workplace: Directive 95/46/EC concerning the protection of individuals with regard to the processing of personal data and the free movement of such data, and Directive 97/66/EC concerning the processing of personal data and the protection of privacy in the telecommunications sector. The Commission has also initiated consultations with the social partners on the topic of data protection at the workplace, for various reasons. First, the principle of consent, which applies to data processing as regulated in the two general Directives, may not be adequate in the individual employment context as between employer and employee. Second, the processing of specific medical data in the employment context carries with it the need for elaborate protection both as to the quantity to be made available and the uses to which it may be put. A case in point is the use of drug and genetic testing, authorised by legislation in many Member States when related to employee assessments of fitness for work, the results of which are collected and processed. Third, monitoring of employees’ email and their use of the internet is regulated in some Member States, but there is not a consistent EU-wide practice: the Commission proposes an EU level framework to meet the need.
In 2012 the Commission proposed a new text which will in time replace Directive 95/46/EC and will be applicable within the 27 Member States (28 in July 2013). The proposed Regulation is being debated within the European Parliament and the Council of the EU. The reform is available on the European Commission webpage.