Benelux Employment Update – December 2023

In Belgium, specific legislation and guidelines apply to various types of workplace monitoring activities. Key attention points are:

• Geopositioning: Geopositioning is only permitted for certain purposes that relate to the business activities and justify the interference with the employee’s private life (eg worker safety, protection of company vehicles) and in specific circumstances. Generalised monitoring through geopositioning systems is not allowed.
• Phone conversations: In principle, recording or accessing employee phone calls is prohibited, except when consent is obtained from the participants to the conversation (or an exception applies). But obtaining valid consent in employee-employer relationships is challenging.
• Camera surveillance: CCTV in the workplace, with or without image retention, is only permitted for a number of exhaustively defined purposes.
• Monitoring of the use of IT tools: Collective Labour Agreement No. 81 requires a two-phased approach to this type of monitoring. Individualised monitoring by the employer is only allowed under stringent conditions.

Dutch employers may monitor employees but, as monitoring will most likely include collecting personal data, compliance with the General Data Protection Regulation (GDPR) is required. This includes having a legal basis (justification) for processing. Generally, relying on consent is not possible due to the power imbalance in the employer-employee relationship. So employers usually rely on the legal basis “legitimate interest.” When relying on legitimate interest, the chosen method/technology must be necessary, proportionate and implemented in the least intrusive manner possible.

The employer must also demonstrate that appropriate measures are in place to protect the fundamental rights of employees. These include limiting the ability to view documents/emails labelled “private,” ensuring employees are sufficiently informed (including reasons, timing, methods), and a Data Protection Impact Assessment is conducted. In the presence of a works council, prior approval is necessary.

In addition to the general conditions of the GDPR, Article L. 261-1 of the Labour Code regulates the monitoring of employees.

Employers have to inform each employee affected by the monitoring individually, and the staff delegation or, if there is no staff delegation, the ITM.

The information should include a detailed description of the purpose of the intended processing, the methods for implementing the monitoring system, the duration or criteria for storing the data where appropriate, and a formal commitment by the employer not to use the collected data for any other purpose.

The staff delegation or the employee may ask for a prior opinion by the CNPD regarding the compliance of the intended processing of personal data.

Processing operations that consist of or include regular and systematic monitoring of employees' activities might require a data protection impact assessment.

In principle, it’s not possible in the Netherlands to collect and process employees’ health data, only a company doctor may do so. An employer can discuss an employee’s functional limitations and capabilities, but only after the company doctor has identified them.

Health data is considered sensitive data under the GDPR and is subject to additional protection. Even if an employee voluntarily shares health information or consents to it when calling in sick, the employer should not record the information. The employer should only ask practical questions such as how the employee can be reached, for how long the employee thinks they will be off work, whether the illness is related to a work accident, whether it was a traffic accident with the right of recourse or whether the employee falls under the Sickness Benefits Act (Ziektewet).

By way of exception, the GDPR authorizes the employer to process sensitive data in accordance with the legal bases set out under art. 6 and art. 9 GDPR.

For example, to the extent permitted by law or a collective agreement, processing sensitive data must be necessary to fulfil the obligations and exercise specific rights of the individual in the fields of employment, social security, and social protection law.

Regarding criminal records, the law allows employers to ask for relevant criminal records under certain conditions. For example, at the time of recruitment, the request for a criminal record must be in writing, specifically justified in terms of the specific needs of the position and clearly indicated in the job advertisement.

The requested record can only be kept for one month when hiring employees, and two months when reassigning employees.

Belgian law does not in general restrict an employee's right of access to their personal data under the GDPR. But the right of access does have limitations.

A request can be refused to the extent that the answer prejudices the right and freedoms of others, such as those of the employer or (ex-) colleagues. In addition, the Belgian Data Protection Authority confirmed that the right to a copy of the personal data does not necessarily encompass a right to a copy of the original document that includes the employee’s personal data.

With regard to emails, it has been accepted that an access request to all personal data included in the mailbox of an employee who had a long-term relationship with the employer was disproportionate.

In certain cases, the fact that the request relates to an ongoing dispute, including legal proceedings relating to a dismissal, may be a ground for refusal.

Under the GDPR, employees are awarded rights, including the right to access their personal data. This may be any data in emails, recorded phone conversations, documents. To exercise this right, employees can submit a request without providing a reason. The employer must respond within a month or, if the request is considered complex, within a maximum of three months. Complex requests are, for instance, those where the data requested also contains personal data of others which must then be redacted (one person’s access request cannot impede the right to privacy of another).

Data subject rights may in principle not be restricted unless the requests are manifestly unfounded or excessive. An employee collecting evidence to file an unfair dismissal lawsuit will generally not fall under this restriction and the requested information should be provided.

A data subject, such as an employee, has the right to be informed about the relevant aspect of the processing and to be given access to their personal data.

The right of access is performed by a written request from the employee to the employer, who must respond within a reasonable time, limited to one month, but extendable to three months depending on the complexity and number of requests. The employer has to respond to the request free of charge and may only charge a reasonable fee in exceptional situations.

In the event of reasonable doubt, the employer can ask for additional information necessary to confirm the employee's identity. It cannot, however, ask for documentation that would be abusive, irrelevant or disproportionate to the request.

Additionally, the employer can only grant access to data whose disclosure would not disproportionately infringe the rights of third parties.