
7 July 2014 – The Portuguese Data Protection Authority (CNPD) has made available on its website a special online notification form for obtaining authorization for “monitoring employees’ information and communication technologies private usage”, which aims to significantly reduce the time needed to obtain the prior authorization required for this type of monitoring. According to CNPD, if the applicant is in full compliance with CNPD’s existing guidelines on the subject (Guideline n.º 1638/2013 of July, 16), the authorization will be granted within a week. Otherwise, applicants should use the general online notification form, in which case the authorization procedure may take several months or even years.

One should recall that Guideline n.º 1638/2013 was published on 14 November, laying down new rules on the monitoring of phone calls, e-mail and internet usage by employees. It also refers to the prohibition of remote access to employees’ computers by the company.

In the Guideline, CNPD emphasizes that employee monitoring activities should strike a balance between the employer’s right to establish rules on how the work should be performed and how work tools are used, and the employees’ right to privacy. It also (re)states that it is unrealistic and unreasonable to simply prohibit employees from private use of information and communication technologies. Instead, the employer should establish clear and precise rules on such private use and make them available to employees, detailing the level of tolerance admitted as well as the means of monitoring used. Such rules should be based on the principles of necessity, proportionality, and good faith, with the employer being able to demonstrate that the means of monitoring used are those with the least impact on the employees’ privacy.
Thus, the employer should favor generic means of monitoring (time and duration of the connection) over individual ones (traffic data that reveals the private life of the employee, such as the number called, the recipient’s e-mail address or the website visited), as the former will be sufficient to ascertain whether there has been any abusive use.

Using the special online form referred to above and confirming that the company will abide by the Guideline entails collecting and processing the data identified in this special notification form and applying not only the special security measures legally foreseen for sensitive data, but also those described in detail in the Guideline (including a Privacy Impact Assessment and digitally certified logs). Also, according to the Guideline, disclosure of data to third parties (apart from those to whom there is a legal obligation to disclose data) will not be possible, nor will international transfers outside the EU/EEA. Additionally, companies will have to implement the determined data retention periods.

Furthermore, the controller will have to put in place a Monitoring and Usage Policy, explaining the controlling activities and the terms under which information and communication technologies can be used for private purposes. Said Policy, however, does not need to be submitted with the notification form. Where there is a works council or a similar workers’ representative body, the controller is also obliged to submit that body’s opinion on such Policy with the online notification form.

Author

Ricardo Henriques is an associated partner at Abreu Advogados. He has focused his practice on Intellectual Property Law, Information Society, New Technologies, Marketing and Advertising, Telecommunications and Competition Law.
