19 September 2022 · Article

Make sure your next sustainability project is GDPR compliant

The Swedish Authority for Privacy Protection (IMY) is now initiating a review of a bus company following complaints from the union. The bus company has monitored the driving behavior of bus drivers in order to achieve a more environmentally conscious driving behavior. The mapping involves personal data processing and therefore needs to take place in accordance with GDPR.

Sometimes a company’s sustainability work can encounter difficulties from unexpected directions. The Authority for Privacy Protection (IMY) has chosen to initiate a review of a bus company that monitored bus drivers’ driving behavior following a complaint from the union. Among other things, speed, energy consumption and braking have been mapped with the aim of achieving driving behavior that is both environmentally friendly and traffic safe.

Mapping of driving style involves processing of personal data

An issue for consideration is that this mapping in practice constitutes processing of personal data, which means that the EU’s General Data Protection Regulation (GDPR) applies. With this comes a battery of obligations that the employer needs to fulfill. The employer needs, among other things, to explain how the personal data processing is carried out and what its purpose is, state a legal basis, manage storage times, and fulfill the obligation to provide information.

In the present case, IMY has initiated the supervision by sending a list of 13 questions that the employer has to answer. For an employer who did not account for the personal data processing before it began, it can be extremely difficult to remedy the shortcomings afterwards, when the supervisory authority already has one foot in the door.

It is important that data is not used for purposes other than the original purpose

It is true that an employer may have legitimate purposes for measuring employee performance. Planning, organizing, leading, following up and quality-assessing the work of employees, as well as measuring individual performance, belong to the category of personal data processing that is normally allowed for private employers in accordance with good practice in the labor market.

However, it is generally prohibited to use compilations of such data for any purpose other than the original purpose. It is therefore conceivable that data collected on driving behaviour for the purpose of mapping the energy consumption of the business may not be used for salary setting or as grounds for dismissal.

Sometimes there is clear support in collective agreements for certain personal data processing, either through an obligation or a right that belongs to the employer. Even if the personal data processing in question is itself supported by collective agreements, the employer still needs to fulfill the obligation under the GDPR to provide information to its employees.

The purpose of these rules is to create predictability for the employees. Job performance mapping should never come as a surprise to the employee. Therefore, it is important that all employers establish a privacy policy for employees. This is a policy that is often overshadowed. Companies generally meet the requirement to have a public privacy policy for customers on their website, but how companies process their employees’ personal data internally is just as important from the perspective of the GDPR.

Make sure that your next sustainability project is compliant from a GDPR perspective, so that the processing of personal data within the framework of the project is fair and predictable for your employees.