On 17 December 2015, the European Data Protection Supervisor (EDPS) published two sets of Guidelines for the EU institutions and bodies: one on personal data and electronic communications (eCommunications) and the other on personal data and mobile devices. These guidelines aim to offer practical advice to organisations to integrate data protection principles in their management of email, internet and telephony for work purposes.
Wojciech Wiewiórowski, Assistant EDPS, said:
‘eCommunications is a complex and dynamic field of technology that plays a central role for most of us in our day-to-day professional and personal lives. The use of mobile devices adds to the complexity. Our guidelines aim to help EU institutions to comply with their data protection obligations. However, anyone or any organisation interested in data protection in these two fields might find these guidelines useful since the Data Protection Regulation applicable to the EU institutions is similar in many respects to the data protection Directive which is implemented into the national laws of EU Member States.’
Organisations using eCommunications process the personal information of their employees, for instance, in the management of the eCommunication services, billing and verifying authorised use. In most cases, the private use of work equipment is permitted so interference by an employer on the use of eCommunications by employees is likely to touch upon aspects directly relating to their private lives. The convenience of mobile devices, such as phones, tablets, laptops and netbooks, is that they allow staff to work remotely. These devices present common risks due to their portability and small size; the measures to mitigate these risks – such as security access to office networks – need to be specifically tailored.
The guidelines are said to put a clear emphasis on the general principles of data protection that will help EU institutions comply with the data protection Regulation. They ‘build on the years of practical experience through the EDPS’ supervision work, on previous EDPS decisions and Opinions (on administrative consultations, prior checks and complaints), as well as on the work done by the Article 29 Working Party’.
According to the EDPS, though they are based on the current data protection legal framework, they will remain relevant when the new framework comes into force, particularly because of the focus on the accountability of organisations including, EU institutions, to demonstrate that they are complying with their data protection obligations.