Ch 14.6.4 - Necessity
Necessity and the DPIA
Before monitoring, the employer must be satisfied that it is genuinely necessary and must consider less-intrusive methods of supervision first. A DPIA is required where monitoring is likely to result in a high risk to individuals' rights and freedoms, in particular where it amounts to a systematic and extensive evaluation of personal aspects based on automated processing (including profiling) on which decisions producing legal or similarly significant effects are based. WP29 cites the systematic observation of employees' workstations and internet activity as an example of processing likely to require a DPIA.
- The employer must consider less-intrusive methods of supervision before monitoring.
- A DPIA is required where monitoring is likely to result in a high risk to rights and freedoms.
- A DPIA is required if monitoring is a systematic and extensive evaluation based on automated processing on which decisions producing legal/similarly significant effects are based.
- The DPIA is a transparent and consultative process and should start at the beginning of the initiative, not after the monitoring tool has been chosen.
- WP29 example: a company systematically observing employees' activities by monitoring workstations and internet activity is likely to require a DPIA.
DPIA timing
Start the DPIA at the beginning of the initiative, e.g. before deploying DLP (data loss prevention) software that monitors employee activity, so that risks are identified early and mitigations can be built into the design rather than added afterwards. Endpoint and internet-activity monitoring of this kind is exactly the systematic observation of employees that WP29 gives as its example.
Key terms - quick answers
What is “DPIA”?
Data protection impact assessment; a transparent, consultative process assessing privacy risks before processing, required for high-risk monitoring.
What is “Automated processing”?
Processing carried out by automated means (including profiling) rather than by a person; a DPIA trigger where a systematic and extensive evaluation based on it underpins decisions with legal or similarly significant effects.
What is “WP29”?
Article 29 Working Party; its DPIA guidelines (WP248 rev.01, as last revised on 4 October 2017) list systematic monitoring as a high-risk criterion and cite the systematic monitoring of employees as likely to require a DPIA.