Commission issues second stage consultation on data protection

In late October 2002, the European Commission launched the second stage of consultations of the social partners on the topic of data protection at the workplace. The European-level social partners have until mid-December 2002 to submit their comments or decide to take their own EU-wide initiative on the issue.

On 30 October 2002, the European Commission launched second-stage consultations of the social partners on the subject of the protection of personal data in the employment context. Under Article 138(2) of the Treaty establishing the European Community, theEuropean Commission consults the European-level social partners on the possible orientation of social policy before formulating proposals. In the first instance, the consultation focuses on the possible direction of Community action in a given field. In the case of data protection at work, the Commission launched the first stage of consultation at the end of August 2001. Having received a range of comments from social partner organisations and interested parties, the Commission’s second stage of consultation, on the content of the envisaged proposal (in accordance with Article 138(3) of the Treaty) is largely based on these replies and the views expressed.

The Commission states in the second-stage consultation document that two Directives currently regulate the processing of personal data. These are the Directive concerning the protection of individuals with regard to the processing of personal data and the free movement of such data (95/46/EC) and the Directive concerning the processing of personal data and the protection of privacy in the telecommunications sector (97/66/EC). However, it notes that the provisions contained in these Directives are general, with their application to the workplace not always elaborated in detail. The Commission therefore suggests a new European framework of principles and rules, building on those already in existence, clarifying how they apply at the workplace and complementing them where necessary.

The consultation covers data about employees, such as personal health records, as well as data created by or used by employees, such as e-mails or internet use.

Reasons for the consultation

The Commission states that there are a number of reasons why it has chosen to consult the social partners on this subject at this particular time. These are principally:

  • technological advances such as the increased use of e-mails, electronic files, increasing use of teleworking, which is blurring the boundary between work and private life, and cheaper genetic testing technology;
  • globalisation, in particular the growing trend of outsourcing the human resource function of large businesses. This may create difficulties if data protection laws differ from one jurisdiction to another; and
  • what it terms post '11 September insecurity'. In the USA, for example, companies may be expected to monitor workers as part of government efforts to increase security.

Subjects covered

The consultation covers a number of subjects which the Commission believes should be included in a new European framework on protection of workers’ data.


The question has been raised as to whether consent as a means for legitimising the processing of data, as stipulated in the two existing Directives in this field, is a suitable ground in the employment context. Broadly speaking, employers’ representatives replied to the Commission’s first consultation paper that it was, while employee representatives stated that they would like to see more formal requirements put into place. The Commission proposes in this second consultation that 'consent is, on its own, an inadequate safeguard for the worker, particularly in relation to the processing of sensitive data'.

Medical data

The Commission states that access to, and processing of, medical data require particular attention in the employment context. For example, it may be necessary for an employer to check whether a worker may be exposed to a health risk at work. However, the consultation document stresses that the information processed should be kept to an absolute minimum required for an employer to meet its obligations. The Commission believes that a European-level framework on the processing of medical data is necessary, given the different practices in operation in Member States.

Drug and genetic testing

As technology in this area has advanced, it is becoming more and more common for employers to test workers for drug and substance abuse. Legislation in many Member States allows this in order that the employer can ensure that the employee is fit for work. However, the Commission is proposing that the collection and processing of this kind of data be limited by a European-level framework.

The Commission also states that some employers are using genetic data (from the workers themselves and their families) to ascertain whether or not to employ or promote employees. Practice concerning the regulation of this varies across the EU, with some Member States, such as Austria, Portugal and the Netherlands, prohibiting or restricting use of genetic data in this way. In contrast, however, other Member States do not appear to have legislated in this area at all. The Commission therefore states that employers may as a result be confused about the legal status of such tests, particularly if the business has employees in Member States with differing practices.

Monitoring and surveillance

The Commission states that a number of Member States restrict the monitoring of workers’ e-mail traffic and internet use (eg BE0209302F). In some cases, provisions are contained in employment legislation, while in others, provisions are included in criminal legislation. In some Member States, trade unions and works councils have developed codes of practice on employee monitoring (EU0210205F).

Given that there appears to be no consistent EU-wide practice on this issue, the Commission suggests that an EU-level framework is necessary.

National legislation

The Commission states that most Member States do not have specific legislation governing the protection of workers’ data, even though they have more general legislation on the processing of personal data and the free movement of data.

Nevertheless, Denmark and Finland are making progress in this area and codes of conduct on the use of personal data at work have been adopted or are being drawn up in the UK and the Netherlands.

However, the Commission maintains that practice regarding this issue is diverse and can be incredibly complex.

The next steps

The social partners have an initial six weeks in which to consider their response to this consultation paper. They may either forward their views on this to the Commission or they might decide to try to negotiate a European-level framework agreement on this issue themselves.


Protection of data in the context of the employment relationship is becoming an increasingly important area, due to the huge technological advances that have been made over the past decade. Employee use of e-mail and internet facilities opens up new questions relating to monitoring practices. Similarly, advances in testing practices mean that employers have at their disposal a wider range of data about current and prospective employees that ever before. Although general data protection instruments already exist, it is arguably the case that they do not cater for the specific employer/employee relationship adequately enough. It is therefore logical that the Commission should be seeking to address this issue more narrowly, particularly as practice around the EU appears to be so diverse. A European-level framework, either in the form of a statutory instrument or a social partners’ agreement, would provide the clarification necessary to protect both employers and employees. (Andrea Broughton, IRS)

Useful? Interesting? Tell us what you think. Hide comments

Eurofound welcomes feedback and updates on this regulation

Add new comment