
“Bossware” under labour and data protection law

The proliferation of remote work, combined with the development of monitoring technologies, has led employers around the world to implement various, sometimes technologically advanced methods to check employees’ performance and commitment to their work. In this area, IT solutions and programs commonly called “bossware” are gaining popularity.

In practice, bossware can include a variety of solutions and technologies, such as:

  • Keyloggers monitoring the employee’s use of the keyboard on a company computer
  • Downloading and analysis of screenshots from the employee’s business device
  • Tracking mouse movements
  • Constant or periodic observation of employees using the camera (e.g. eye movement) or microphone on a business device
  • Tracking the employee’s online activity
  • Monitoring the use of business email, calendar and business messaging
  • Analysis of the performance of applications and programs run by the employee.

A specific feature of bossware solutions is the frequent use of automated analysis to flag employees whose productivity, commitment or manner of work deviates from the employer’s expected norm, without their superiors’ involvement.

Polish employers are also reaching for bossware. Below we describe what they should take into consideration in light of Polish labour law and data protection law.

Bossware as employee monitoring

In many cases, the use of bossware solutions can be regarded as a form of employee monitoring within the meaning of the Labour Code. Therefore, before installing bossware, the employer should carefully analyse whether the proposed solutions may qualify as employee monitoring. If so, certain measures must be taken under the Labour Code before starting to use them:

  • Establish the objectives, scope and method of application of monitoring in a collective bargaining agreement or workplace rules, or in a notice if the employer is not covered by a collective bargaining agreement and is not required to establish workplace rules
  • Inform the employees of the introduction of monitoring in a manner adopted by the employer, no later than 2 weeks before launch
  • Use (if possible) visible and legible signage to signal and remind employees that they are subject to monitoring.

If the solutions implemented by the employer may qualify as employee monitoring within the meaning of the Labour Code, the purpose of the employer’s use of these solutions will be limited to ensuring organisation of work allowing full use of working time and the proper use of the work tools provided to the employee. This is vital, as it may turn out that a number of functionalities offered by external providers cannot be fully utilised by the employer, as they may monitor employees and collect information exceeding these lawful purposes.

Bossware and the rules for processing personal data

As a rule, the operation of bossware will involve the processing of employee personal data. Therefore, the implementation and operation of such solutions by the employer (as the controller of employee data) must comply with the rules for processing of personal data under Art. 5 of the General Data Protection Regulation. In particular, this means that:

  • In view of the principle of minimisation of data processing, the scope of processing of personal data using bossware must be limited to what is necessary to achieve the purposes for which the data will be processed. If the bossware is part of employee monitoring, the purposes for using bossware will derive from the provisions of the Polish Labour Code on monitoring, and the scope of data processing must be limited to what is necessary to fulfil those purposes.
  • The solutions should be implemented in accordance with the principles of “privacy by default” and “privacy by design,” with due regard for the employer’s internal data protection procedures (e.g. by involving the data protection officer, if one is appointed). Also, the measures aimed at ensuring compliance of the employer’s activities with the GDPR should be documented, to ensure implementation of the accountability principle under the GDPR.
  • The personal data collected by bossware may be retained in a form that identifies the employee for a period no longer than necessary for the purposes for which the data are processed. The provisions of the Labour Code regarding other forms of monitoring do not indicate the permitted data retention periods. Thus, if the bossware is an element of employee monitoring, each employer will have to set its own retention period, which in practice can be a challenge. A period too short will make the bossware less effective and reduce the business rationale for using it. In turn, setting a period that is too long can create a risk of violation of the GDPR by the employer.

Automated decision-making

As mentioned, bossware products often flag employees on their own, without the supervisors’ participation, based on an analysis of their on-the-job behaviour. Therefore, it is advisable to assess bossware solutions prior to implementation to determine whether and to what extent they may constitute automated decision-making, as referred to in Art. 22 GDPR. Pursuant to Art. 22(1) GDPR, “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”

Indeed, if bossware is found to fall within the scope of Art. 22(1) GDPR, its implementation may raise a number of other significant legal challenges for the employer, such as the need to identify an additional basis for such measures in Art. 22(2) GDPR, or the need to ensure the employee the right to obtain human intervention with respect to decisions taken by the bossware affecting the employee.

The bossware solution may lead to automated decision-making within the meaning of the GDPR if three conditions are all met:

  1. The bossware processes employee personal data. Considering the broad definition of personal data (which can also include information about the behaviour of specific individuals) and that the essence of bossware solutions is to observe the behaviour of specific employees, record and analyse it, it should be assumed that the operation of most types of bossware will involve the processing of employee personal data.
  2. The operation of bossware leads to making decisions regarding the employee exclusively based on the operation of the program. If the software merely generates, for example, guidelines or a summary of the employee’s activity, which is subsequently analysed by a supervisor or other person in the organisation, and only that person makes decisions regarding the employee based on information generated by the program, it can be argued that the decision was not based solely on the software. In this context, the view expressed by the European Data Protection Board in its Guidelines on Automated Decision-Making in Individual Cases and Profiling for the Purposes of Regulation 2016/679/EU is relevant: “The controller cannot avoid the Article 22 [GDPR] provisions by fabricating human involvement. … As part of their [data protection impact assessment], the controller should identify and record the degree of any human involvement in the decision-making process and at what stage this takes place. … To qualify as human involvement, the controller must ensure that any oversight of the decision is meaningful, rather than just a token gesture. It should be carried out by someone who has the authority and competence to change the decision. As part of the analysis, they should consider all the relevant data.” Therefore, it is necessary to consider how the information from bossware will be used and whether certain actions or decisions regarding the employee will be made with appropriate, real and documented participation of the employee’s human superiors.
  3. The decision referred to in point 2 has legal effects on the employee or similarly significantly affects the employee. An example of a legal effect is a change in the employee’s rights or obligations, such as termination of an employment contract. Bossware is unlikely to have such an effect. However, the risk that the operation of bossware in practice may lead to similarly significant effects on employees cannot be ruled out. According to the view expressed by the European Data Protection Board in the aforementioned guidelines: “For data processing to significantly affect someone the effects of the processing must be sufficiently great or important to be worthy of attention. In other words, the decision must have the potential to: significantly affect the circumstances, behaviour or choices of the individuals concerned; have a prolonged or permanent impact on the data subject; or at its most extreme, lead to the exclusion [of] or discrimination [against] individuals.” If, for example, operation of the bossware generates a critical evaluation of an employee or issuance of a reprimand sent to an employee by the software, the risk cannot be excluded that such actions in the context of the employment relationship may in certain cases (depending among other things on the form and content of the message) be considered to have significant effects on the employee, affecting his behaviour at work or the way he performs his duties. Therefore, when deciding on the use of bossware, employers should be aware of whether and how the operation of bossware itself may affect their employees. This will allow an assessment of whether such an impact may “significantly affect” the employee within the meaning of Art. 22 GDPR.

As indicated in points 2 and 3 above, within the meaning of the GDPR, whether a solution involves automated decision-making may depend on detailed circumstances and nuances, so it is advisable before implementing bossware solutions to conduct a detailed analysis of these issues in the specific case. This requires taking into account both the general features and functionality of the given software, as well as settings that can be configured individually by the employer.

Data protection impact assessment of processing

Pursuant to the GDPR, if a type of processing of personal data, in particular using new technologies, is likely, due to its nature, scope, context and purposes, to result in a high risk of violating the rights or freedoms of a natural person, before starting the processing the controller should carry out a data protection impact assessment (DPIA).

When analysing the rationale for conducting a mandatory DPIA and the authorities’ guidelines in this regard, the risk that bossware solutions may require such an assessment by the employer before implementation cannot be ruled out. The failure to conduct a DPIA in a situation where one was required is a violation of the GDPR.

Therefore, to minimise the risk of violating the GDPR, employers should evaluate the given solution for the need to conduct a DPIA. If a DPIA proves necessary, it is worth remembering that in the case of high-tech solutions, this can sometimes be quite time-consuming and require the involvement of specialists from various fields (e.g. lawyers or IT or cybersecurity specialists), as well as the support of the external supplier. Therefore, when planning the implementation of such solutions, it is worthwhile to provide adequate resources and time for a DPIA.

Personal data flows in connection with the use of bossware

Sometimes, in practice, bossware solutions are implemented within capital groups and involve multiple entities. As a result, the personal data processed by such solutions may be transferred between different group companies, or different group companies (not just the immediate employer) may have access to such data. To minimise the risk of violating the GDPR (by allowing the employees’ personal data to be accessed by unauthorised persons employed by other entities), it is advisable to analyse such data flows in light of the GDPR and regulate the issue accordingly, in particular if the flows involve transfers of personal data outside the European Economic Area.

Additionally, bossware is often offered by external providers. If in connection with the implementation of such solutions an external supplier gains access to personal data of employees (e.g. in connection with data storage or support and troubleshooting services), it may be necessary to enter into a data processing agreement with the supplier.

In very general terms, we have outlined above the challenges and considerations involved in the implementation of bossware solutions by Polish employers. But even such a cursory outline of the issues to be considered shows that employers should exercise prudence in implementing such solutions, taking into account labour and data protection provisions that may apply. Otherwise, the legal risks may outweigh the potential benefits of using bossware.

Karolina Romanowska, Łukasz Rutkowski