Restrictions in the Workplace
Employers may dictate the terms for the use of company information technology (IT) and communication means but employees are entitled to keep their private use confidential, including the content of personal emails and Internet access. According to the Portuguese Data Protection Authority, the employer may define the rules on the admitted private use of IT and communication means made available at the workplace and rules should form part of internal company regulations.
Can the employer monitor, access, review the employee’s electronic communications?
Closed circuit TV (surveillance cameras) in office premises cannot be used to control the employee’s performance. In the workplace, surveillance cameras may be used to protect the safety of persons and goods or when the nature of the activity so requires. Before the GDPR, its use was subject to a prior authorisation from the Data Protection Authority, and employee work councils had to be consulted at least 10 days prior to the authorisation request being filed with the competent data protection authority. The employer is under the obligation to inform the employees of the existence of such equipment.
As with any other data processing activities, the employer, whilst acting as Controller in the processing of data regarding its employees, must fulfil the information duties set by the General Data Protection Regulation, as well as all other principles and duties resulting for the GDPR. In this light, the employee must, for example, be duly informed of the categories of his/her personal data processed by the employer, purposes of and legal basis for the processing, the recipients or categories of recipients of such data, and other information required by articles 13 or 14 of the GDPR. The data subject is also entitled to information on his/her rights of access to his/her data and on the rights to his/her data correction, erasure and updates and how to exercise same rights.
Generally, the transfer of personal employee data outside the EEA can only happen when the country of destination ensures the same level of protection for the rights and freedoms of the individuals, in relation to the processing of their data, as the Member States of the EEA or if there is an adequacy decision from the Commission regarding the State which will receive the data.
Employee’s Use of Social Media to Disparage the Employer or Divulge Confidential Information
As a general rule, employees are entitled to privacy in personal and family life, including in the workplace. The use by the employees of social media communication means, cannot be used or monitored, when evaluating the employee. The aforementioned principle does not grant the employee total freedom to do or publish discretionarily on social media, this meaning that, for example, if the employee disparages or divulges confidential information of or relating to the employer, its business, its customers, or its employees, sanctions could be pursued for such behaviour. The employee is subject to general loyalty and respect duties toward the employer. As such, if the employee does not comply with these general duties he/she may be subject to disciplinary measures available to the employer (which range from a reprimand to a dismissal with just cause), depending on the seriousness of the violation and the damages caused to the employer.