Part I of the blog about privacy and the Works Council discussed the main points of the EU’s General Data Protection Regulation (the “GDPR”). We focussed in particular on the introduction of accountability and the new obligations for organisations in the context of the new Regulation. We concluded that the GDPR would most likely lead to existing arrangements being altered and new ones introduced. The question that then arises is whether – and if so how – the Works Council will be involved. In the GDPR, the Works Council is not mentioned at all, but that doesn’t mean that it does not have a role to play, quite the contrary. This part of the blog will therefore consider the role of the Works Council in implementation of the GDPR. We will focus, on the one hand, on its right to information and its right of initiative and, on the other, on its right to advise and endorse.
Right to information and right of initiative
The right to information will be relevant if the GDPR is not (yet) on the management’s agenda or if the Works Council is not involved (or hardly involved) in implementation of the GDPR. In that case, the Works Council can ask the management for information about how the GDPR will be complied with within the organisation. The right to information obliges the management to provide the Works Council with all information that the latter may reasonably require to carry out its duties, i.e. to exercise its statutory powers. This may involve its right to advise and/or endorse, but also the right of initiative on the basis of which it can proactively submit proposals to the management. The right of initiative could be used, for example, in the context of a proposal by the Works Council for a Data Protection Officer to be appointed (voluntarily).
Right of endorsement
In connection with policy changes that must be implemented pursuant to the new GDPR obligations, Section 27(1)(k) of the (Dutch) Works Councils Act (the “WOR”) will in any event apply. That section provides that the Works Council has the right of endorsement with regard to a proposed resolution to establish, amend, or withdraw arrangements relating to the processing and protection of the personal data of persons working within the business.
It is relevant in this context, however, that the right of endorsement pursuant to paragraph (k) only applies in the case of compliance with a statutory obligation. The Works Council in fact only has the right of endorsement if the management has discretionary power as regards complying with the law. In our opinion, however, the right of endorsement will often be on the agenda in the light of implementation of the GDPR. When drawing up policy, employers will in most cases make use of this discretion, meaning that the decision-making will be subject to the Works Council’s right of endorsement, at least for that part of the decision-making for which the management’s discretionary power has been exercised.
In addition, Section 27(1)(l) of the WOR may also apply. This gives the Works Council the right of endorsement with regard to proposed resolutions concerning arrangements regarding “digital employee tracking systems”. This includes, for example, arrangements relating to GPS or CCTV systems. Given that these systems often also process personal data (for example someone’s face on CCTV images), then implementation of the GDPR may necessitate revising or drawing up such arrangements. The relevant decision-making will be subject to the Works Council’s right of endorsement.
Works Council’s advisory right
The Works Council’s right to advise may also play a role in implementation of the GDPR. Due to the new GDPR obligations, the management may feel obliged to adapt or replace IT systems. Such a decision may be prompted, for example, by the obligation to improve system security and/or to comply with the principle of “data protection by design” and “data protection by default”. Adaptation or replacement of an IT system may be subject to the Works Council’s right to advise pursuant to Section 25(1)(k) WOR, which applies to a proposed decision relating to the introduction or modification of an important technological facility. However, we consider the likelihood of the Works Council having an advisory right to be only small, given that paragraph (k) is only applicable if the technological facility results in a significant change for the company and the employees.
If you have any questions in the light of the above about privacy and the Works Council, or employee participation law issues in general, please contact Carola Meyer-de Swaan.