BOUNDARIES OF THE EMPLOYEE'S PRIVACY IN EMPLOYMENT RELATIONSHIP *

. This article analyses the specifics of implementing employee privacy obligations in employment relationships. In employment relations, the employer has a general duty to make the employee aware of the local legislation governing his or her work. In this context, there is a clash between two legally protected interests: on the one hand, the employer's interest in protecting the business, ensuring business processes, the security of assets and the health and safety of employees, and on the other hand, the obligation not to infringe the employee's right to privacy. Technical means of monitoring employees are one of the simplest ways of collecting data and Information. At the same time, the question of proportionality of using such means is raised - whether all the Information collected by automated means is necessary to justify the specific purpose of data collection. Collecting data solely for personal interest without setting strict rules on the collection of Information and the limits of the Information collected restricts an employee's right to privacy. An employer is not entitled to collect data (monitoring) to control an employee's work process or behaviour but may record specific data if necessary to protect production, health and safety or to ensure the efficient running of an organisation. However, even in such cases, the employer must take additional measures to minimise such monitoring or evaluate its results as much as possible. The author analyses the problem in the context of the employment relationship, and through the implementation of the employer's obligation to establish specific local rules and the commitment to make the employee aware of those rules (transparency principle).


Introduction
Article 8(1) of the European Convention on Human Rights (ECHR) provides that everyone has the right to respect for his private and family life, the inviolability of his home and the secrecy of his correspondence.The exercise of these rights may not be restricted by public authorities, except in cases provided for by law and where such restriction is necessary for a democratic society in the interests of national security, public safety or the economic well-being of the country for the prevention of disorder or crime, or for the protection of human health or morals or the protection of the rights and freedoms of others (Art.8(2) ECHR).The requirements for properly processing personal data are laid down in the General Data Protection Regulation (GDPR).In employment relations, there is a confrontation between several interests: on the one hand, the employer's business interest and the need to protect it, and on the other hand, the employee's right to privacy and the employer's obligation to guarantee it.Employers are legally required to process specific employee data, even highly sensitive data.Still, in terms of protecting business interests in modern legal relations, the rapid adoption of new information technologies in the workplace, in terms of infrastructure, applications and intelligent devices, allows for new types of systematic and potentially invasive data processing at work, technologies can help detect or prevent the loss of intellectual and material company property, improving the productivity of employees (Petraityte, 2013).Thus, there are several challenges in this case as to how to strike an appropriate balance between the employer's legitimate interest (and in some cases even the fulfilment of a duty, e.g. in the field of occupational safety and health) and the employee's right to privacy, i.e. to ensure that the continuous monitoring of the employee does not create a climate of mistrust in the employment relationship, or create pressure, or otherwise interfere with the employee's personal space including the question of data collection ethics (Vermanen, Rantanen & Koskinen, 2022).Petraityte (2013) relates the legal protection of personal data to the individual's right to private life, pointing out that the legal protection of personal data is intended to ensure the individual's privacy and that the legal protection of personal data is only regulated to the extent necessary to protect the individual's informational privacy (Skendzic et al., 2018).
The right to privacy is enshrined in Article 8 of the European Convention on Human Rights (Convention, 1950) and Article 8 of the Charter of Fundamental Rights of the European Union (Charter, 2016;Syroid et al., 2021).The legal requirements for the protection of personal data are laid down in the General Data Protection Regulation.(GDPR, 2016).In pursuing its interests, the employer must respect the limits of the legal regulation on interference in the employee's private life, including the limits on the processing of personal data.At the same time, however, the employer is interested in the efficient organisation of work, i.e., exercising the right of control over the employees under its authority, which arises from the specific nature of the employment relationship.Companies can exercise this right through local regulations establishing transparent rules for monitoring employees and processing employees' personal data.
The objective of the study is to analyse the case law of the European Court of Human Rights (ECHR) and the Court of Justice of the European Union (CJEU) also national law doctrine in the context of the employer's obligation to ensure the privacy of the employee and explore the legal measures and limits applicable in the employment relationship.Tasks for the objective have been raised: reveal the concept of the balance between the employer's legal interest and employee's privacy; investigate the significance of local legal regulation for the assurance of employee's privacy and data protection as a part of privacy rights; reveal the fundamental principles to be followed establishing the balance between employer's interests and employee's privacy rights.The document analysis method was used to analyse legislation, case law and scientific doctrine; the systemic approach was used when analysing the content of legal norms and concepts.The article refers to case law (ECHR, CJEU, The Constitutional Court of the Republic of Lithuania), scientific research (Petraityte, 2013;Davulis, 2018;Stanev, 2019;Hueso, 2020) and others.

Employee's right to privacy in the employment relationship
Article 8(1) of the European Convention on Human Rights (ECHR) states that everyone has the right to respect his private and family life, home and correspondence.There shall be no interference by a public authority with the exercise of this right except such as is following the law and is necessary for a democratic society in the interests of national security, public safety, or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or the protection of the rights and freedoms of others (Art.8(2) ECHR).
The European Court of Human Rights (the ECtHR) has interpreted the concept of "private life" broadly in its case law, stating that it is neither necessary nor possible to attempt a comprehensive (exhaustive) definition of the notion of "private life", and that it would not be correct to restrict the notion of "private life" to the concept of the "inner circle", in which an employee may live his personal life in complete isolation from the external world.In other words, a person's private life is closely linked to his external (public) activities since, in the employment relationship, the employee benefits from the experience and opportunities in his personal life.Conversely, in his private life, he benefits from the knowledge, social contacts, and opportunities he has acquired at work (Mircovic Case).The dividing line between an individual's private life and other social life is narrow.Most of the time, the individual meets his private personal needs through participation in social life, i.e., the individual's private life is intertwined with the individual's social (public) life.In a professional or commercial activity, a person has a certain right to private life, and this is particularly true of people exercising a liberal profession, whose domicile may also be a place of work, i.e. "it is possible to carry out professional or commercial activities at home and to engage in private activities in one's own office or commercial premises" (Niemetz Case).The CJEU has taken a similar position in its judgments, also referring to the case law of the ECtHR, explaining in cases that the notion of "private life" must not be interpreted restrictively and that there is no good reason to justify the exclusion of activities of a professional <…> nature from the notion of private life (Volker und Markus Schecke GbR and Hartmut Eifert Cases).Thus, the case law developed by the ECtHR (in the Niemetz case and its subsequent jurisprudence) has become particularly relevant and significant because of transformations in employment relations.The ECtHR's position on liberal professions has become acceptable since the significant change in the form of employment relationships, i.e., since the shift towards the concept of teleworking as a normal mode of work (in the context of Covid 19) (Suder, 2021), an ever-growing use of information technologies in work processes and almost no need to use workplaces provided by employers (by working from home or from any other location that is convenient for the employee) and in the context of the labour relationship, not only for self-employed persons.
The constitutional doctrine of the right to respect private life has been shaped broadly similarly in Lithuania.The Constitutional Court of the Republic of Lithuania, in its interpretation of Article 22 of the Constitution of the Republic of Lithuania, has noted that the norms enshrined in the article protect the individual's right to private life.This right includes personal, family and home life; physical and mental integrity; honour and reputation; the confidentiality of personal facts; prohibition to disclose confidential Information received or collected, etc. Arbitrary and unlawful interference in a person's private life also attacks the person's honour and dignity (Constitutional Court's ruling of 21 October 1999).The legal concept of personal life relates to the state of a person's expectation of respect for private life and his legitimate expectation of privacy.If a person performs acts of public nature and is aware of this, or should be and can be aware of this, even if from his own home or other private property, such acts of a public nature will not be granted protection under Article 22 of the Constitution and Article 8 of the Convention, and the person cannot expect privacy.† The author believes that a similar logic can be invoked in employment relations since the basic principle is that the employee must be guaranteed the right to respect for private life and protection of personal data in the first place.The specific nature of employment relationship requires that in the workspace the employee be made aware of the conditions governing his work (i.e., he must be aware of the rules that apply to him and must be kept informed of the conditions of his employment by the employer) (Article 42(4) of the Labour Code of Lithuania).
The principles governing the inviolability of private life and the right to secrecy have been transposed into the legal norms governing civil relations (Article 2.23(1) of the Civil Code of the Republic of Lithuaniaprivacy of natural person shall be inviolable.Information on person's private life may be made public only with his consent).
Article 27 of the Labour Code of the Republic of Lithuania (hereinafter referred to as the "LC") stipulates that the employer must respect the rights of employees to their private life and the protection of personal data (Article 27(1) of the LC).The employer's exercise of ownership or management rights over information and electronic communication technologies used in the workplace shall not violate the confidentiality of employees' private communications (Article 27(2) of the LC).Thus, the LC of the RoL protects two public goods: the employee's right to respect for private life and the protection of his personal data.The doctrine assumes that the employee's right to protect personal data is derived from the right to respect private life (an integral part of the latter); it may also be regarded as an independent right (Davulis, 2018).Whilst such a position may be seen as pl, the author considers that protecting an employee's data ensures the individual's right to respect for private life.The General Data Protection Regulation provides an extensive definition of personal data: "personal data" means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR).For the regulation, the employer is the data controller of the employee's data and is, therefore, under the obligation prescribed by the regulation on the data controller (Article 5 of the Regulation).The employer thus has to process and protect employees' personal data in such a way as to ensure that the employee's right to respect for private life, which constitutes a fundamental constitutional human right, is not infringed.Work arrangements (teleworking, flexible working hours, decreasing the need to work from an office) have a fundamental impact on the employee's right to respect for private life, primarily as a result of the obligation to ensure the protection of the employee's data and the various technical challenges to the implementation of this obligation.Any information from the content of which a person is identifiable or identifiable is considered to be Information containing specific personal data (GDPR).Protecting an employee's data, which is the employer's responsibility, thus also becomes crucial for protecting the employee's right to respect his and his family's private life (Stanev, 2019).In this context, it is also important to note that the right to respect personal life is passive.The exercise depends not on the subject (the employee) but on the employer's efforts to protect the employee's data.
When interpreting the provisions of the General Data Protection Regulation, it has to be acknowledged that the rapid technological progress and various new ways of communication in the employment relationship (also taking into account the atypical forms of working arrangements) create the preconditions for increased control and interference with the employee's private life (Limba et al., 2020;Dvojmoc & Verboten, 2023).For example, control over the activities of a teleworker can be exercised through a variety of means of power (monitoring of the desktop, waiting times, keystrokes on electronic devices, typing commands, the use of audio-visual tools in some instances, monitoring of the network's bandwidth, browsing history and many other means).As a result of market dynamics, changes and technological advances, the changing form of employment relationships, as already mentioned, makes the relationship between employee and employer more akin to a legal relationship between a service provider and a service recipient.However, the legal approach's specificities to regulate employment relationships also make it understandable for the employer to seek to control the employee to give him instructions to give effect to the principle of subordination laid down by the legislation.Article 32 of the Labour Code of the Republic of Lithuania sets out the characteristics of an employment contract (and thus of an employment relationship), which is an agreement under which the employee, as a subordinate to the employer, undertakes to carry out a work function for the benefit of the employer.The employer undertakes to remunerate the employee.Subordination refers to the performance of a work function where the employer has the right to control or instruct the whole or part of the work process and the employee is subject to the employer's instructions or to the rules of the workplace.Thus, the relationship of subordination also means that, in many cases, the employer has more leverage to influence the employee's will and interfere with the employee's private life.
In contrast, the employee can de facto waive the rights guaranteed to him to avoid conflict.Valerio di Stefano, in his studies, has called this aspect the "implicit threat mechanism", meaning that the employee, as a subordinate to the employer, to keep his job, deliberately "minimises" his rights in order not be "difficult" (Di Stefano, 2009).For this reason alone, the employee's consent to processing his data in an employment relationship cannot be considered a sufficient legal basis, as the employee is dependent on the employer (Svec, Horecky, Madlenak, 2018).There is a high risk that such consent would not be freely given by the employee but would be forced instead by the specific circumstances of the employment relationship (Article 29 Working Party).The employer's desire to control the employee, especially by technical means that make it easier to do so, is understandable.The employer has the right to lay down specific rules on the use of information technologies, the breach of which could result in liability for an employee.Such regulations laid down by the employer are generally aimed at protecting the employer's interests (intellectual property, assets, assessment of employee's performance (Vignesh & Prasad, 2022), but the employer's pursuit of such an aim/interest makes it equally important to protect the employee's interest in their private life.This is a perfectly standard working practice (Stanev, 2019).In pursuit of his interests, the employer monitors the employee in the following ways by (1) monitoring and controlling the workplace; (2) monitoring and controlling the employee; and (3) monitoring and controlling Information and communication in the workplace (Tamasauskaite-Janicke, 2016).Information technologies can help to detect and prevent the loss of the company's intellectual and material property, improve employees' productivity and protect the personal data for which the controller is responsible (Asvanyi, 2022).At the same time, they also raise several privacy and data protection issues.It is, therefore, necessary to assess the balance between the employer's legitimate interest to protect its business and the reasonable expectation of respect for the private life of its employees (Article 29 Working Party).Such an assessment is also directly linked to the principles of the genuine intention of the parties and the balancing of their mutual interests recognised in employment relationships (Maciulaitis, 2013).
In addition to the general duty of the employer to respect the rights of employees to private life and the protection of personal data (Art.27(1) of the LC), the legal framework of employment relations in Lithuania imposes several additional obligations on the employer to ensure the implementation of this duty through effective local regulation and the involvement of employee representatives in decision-making procedures.The employer must inform and consult employee representatives when deciding on local regulations relating to the use of information and communication technologies and the monitoring of employees, the establishment of measures that may interfere with the protection of employees' private life, the policy on the storage of employees' data and the measures for its implementation, and measures to reduce tension at work.Thus, the legal framework provides guidance (albeit not mandatory) on the cases in which the employer must (a) establish a local legal framework and coordinate its decisions with the employees' representatives.It should also be recalled that the employer is obliged to inform the employees in writing of the labour law rules governing their work (Article 42(4) of the LC of RoL).
The ECtHR, in its jurisprudence in the Marcx case, has laid down a three-step test to verify and potentially justify interference in a person's private life: (a) whether the specific acts are carried out following the established legal norms/rules, (b) whether the interference has a legitimate aim, and (c) whether the interference is necessary for a democratic society.Given the specific nature of the employment relationship, the last step could be reformulated as to whether such interference is following the employment relationship's essence and the parties' agreed will to the employment relationship.From the perspective of the legal regulation of the legal protection of personal data, the requirements for the legal protection of personal data are set out similarly: the processing of personal data must have a specific legitimate purpose, personal data may only be processed with a legal basis, only specific personal data necessary to achieve the goal may be processed and only for the time necessary to achieve the purpose (GDPR, 2016).Thus, both the analysis of the legal framework and the case law lead to the following conclusions: (a) employment relationships must provide for appropriate rules governing an employee's working conditions, including the guarantee of the employee's right to private life; (b) it must be assessed whether the measures taken by the employer are proportionate and can be justified in terms of reconciling the mutual interests of the parties; and (c) whether such interference of the employer into the employee's private life is justified and necessary for the protection of business or employer's economic activity.The employer implements the protection of the employer's business interests in employment relations through local legal regulationthe internal regulations of an undertaking, institution, or organisation.

The role of local regulation in employment relations
The Lithuanian labour law, alongside other sources of labour law, establishes local regulation as very specific and from a practical point of viewperhaps one of the more critical forms of regulation (Article 3(7) of the LC of RoL).When organising the work of the employees subordinate to it, the employer must lay down the rules for managing work, which apply to all the employees in general (individual agreements are set out in specific employment contracts with employees).There are several reasons justifying this need.Firstly, the principle of equal treatment in employment relations and non-discrimination between employees must be respected.The judgments of the Court of Justice of the European Union have clarified that discrimination is where similar situations are treated differently, and different conditions are treated equally unless such treatment is objectively justified (Javier Rosado Case).Disparate (different) treatment is considered discriminatory if it cannot be objectively and reasonably justified; otherwise put, if it does not pursue a legitimate aim, or if there is no reasonable relationship of proportionality between the means employed and the aim pursued (Burden, Schalk and Kopf, Vallianatos Cases).Thus, local regulation in employment relations can ensure equal treatment of employees and, in addition, establish transparent rules for employers vis-à-vis employee relationships.Local regulatory rules protecting the employees' private life are no exception and, as already mentioned, are also governed by the LC.In summary of the above, the legislative mechanism of the rules applicable to employment relations is unique: in addition to the legal regulation of employment relations by the state, the employer has the right to establish legal norms which are valid only in specific employment relations (in a particular undertaking, institution, or organisation).The employer can determine the legal norms applicable to a specific relationship by involving the employees in the local legislative process.
The ECtHR interprets the notion of "legal norm" very broadly, as legal norms are promulgated by different institutions with different levels of application and purpose.In particular, rules of law are formulated in normative legislation, usually issued by legislative bodies, and the courts also lay down rules of application in cases deliberated by them.In addition, in interpreting the concept of a legal norm, the ECtHR also includes written and non-written rules, established practices of organisations, etc., as legal norms.Moreover, the employment relationship has its own specificity as a source of law: the hierarchy of sources of labour law also includes local legislation, the specific legislative mechanism, with the employer becoming the legislator.Consequently, there is a risk and a possibility that the employer enjoys the right in certain cases to establish local rules that are more in his own rather than in the employee's interest.Such a situation would entail a disproportion between the mutual rights and obligations of the parties to the employment relationship.Thus, the question of possible interference in an employee's private life by the employer to control the employee's work activities cannot be based solely on the criterion of a legal basis or legal norm.Equally important is the quality of the legal framework, which is achieved, on the one hand, by establishing appropriate objectives and proportionate procedures for local legislation and, on the other hand, by adopting such local legislation under local legislative procedures, i.e., by involving employees' representatives in the decision-making process, through information and consultation procedures.In addition, local legislation used in employment relations is subject to other specific requirements: the local legislation must be known to employees (legal obligation to make employees aware of the local legislation governing their work), employees must understand and be aware of the content and scope of the local legislation (the legislation must be actually in force and be used as a reference when organising work processes within the company), the employer must ensure control over the application of, and compliance with, local legislation (the application of local legislation must be real, not notional, where some procedures in the company are carried out "by default").On the other hand, not all of the only of aid down by local legislation can be regarded as legal norms, as many of them have a regulatory function to ensure the work process rather than a regulatory function meant to establish mutual rights and obligations.Thus, local regulatory action must be qualitatively framed in such a way as to create corresponding rights and responsibilities for employees while at the same time seeking to influence the behaviour of the worker.

Principles for balance seeking
The principle of balancing the interests of the employer and the employee in working arrangements by the employer and in the protection of the employer's property and the employee's right to private life was analysed by scholars (Rucker et al., 2022) and on its merits by the ECtHR in Burbulescu v Romania (Burbulescu Case).In this case, the Court recognised that, in performing their job functions and using the means of work provided by the employer (in this particular case, a work email login), the employee could not expect complete personal privacy.The work tool in question, i.e., the work email account, was developed for work purposes.The employer reasonably expects that the work tool (the work email account) provided will be used exclusively for work purposes.The Court recognised the employee's right to personal private life within an employment relationship.Still, it also realised that certain exceptions to using employer-provided work tools are possible.Seen from the perspective of the employment relationship, as already mentioned, one of the legal requirements is that the employee is made aware of the requirements of the local legislation governing his work.Thus, if there is a clear rule laid down in advance for the employee that a certain measure has to be used exclusively for work purposes, and there are clearly defined rules and conditions for checking certain measures (e.g.correspondence, monitoring, mobility control), such a situation must be regarded as a more appropriate means of safeguarding the employer's interests, that is to say, the employer is entitled to carry out acts of monitoring and control of the employee if there have been clear rules laid down in advance for this activity.Moreover, in the earlier Copeland case, where the ECtHR interpreted a similar situation in a slightly different way, one of the essential criteria for monitoring an employee was the aspect of the employee's prior knowledge of certain rulesthe essential distinguishing factor in Copeland case was that the employee was monitored without his knowledge (Copland Case).The Court also acknowledged that the employer's right to monitor employees derives from the specific nature of the regulatory framework of the employment relationship and the right to monitor the performance of the employee's work functions (professional duties).Such control is preventive to protect the employer's information technologies and information and prevent unlawful activities in the information space and social networks or to protect the employer's valuable information.In this case, the Court essentially echoed the basic principles of the processing of an employee's data: (a) the consequences of the monitoring for the employee must be assessed; (2) employees have the right to have access to the Information collected during the monitoring of their electronic communications; (3) there should be no indiscriminate monitoring of each employee's electronic communications; (4) the employer should inform recipients of emails about the monitoring of employees (for example, it may include warning messages attached to all outgoing messages/emails to this effect and the use of the email address exclusively for work-related purposes); accordingly, measures should be taken to inform the senders of incoming messages/emails; (5) a specific time limit for the retention of the data collected from the monitoring of the employee's electronic communication should be established.
The Grand Chamber of the European Court of Human Rights (ECtHR), in its judgment of 17 October 2019 in Lopez Ribalda v. Spain, held that, in certain circumstances, covert video surveillance of employees does not violate their right to respect their private life.The employer's legitimate interest in ensuring the protection of property and the smooth functioning of the company overrode the employees' right to respect their life in the given circumstances.
Over five months, a cash shortage of more than EUR 82,000 was reported.Employees were informed about the installation of CCTV cameras in their workplace, but some of the cameras were covert.A review of the CCTV footage showed that some cashiers, in collusion with customers, were cancelling cash transactions, and customers were not returning goods.In total, 14 employees were acting in collusion.
The ECtHR noted that in deciding whether there has been an interference with an employee's right to respect their private life, it is necessary to assess whether, in particular circumstances, the employee can reasonably expect to be monitored.Thus, the worker must be aware or at least reasonably expect to be observed in the workplace, as the Court considered.Such a condition is necessary not only for monitoring using video surveillance but also in any other way.Because of the specific nature of the employment relationship, it is necessary, as already mentioned above, to comply with the legal requirements laying down the employer's obligation to inform the employee of his working conditions.Moreover, the Court did not regard this obligation as critical, justifying the employer's legitimate interest as a higher value than personal privacy.In this context, it is also important to consider the employee's conduct.Moreover, regardless of how the employees are monitored, the monitoring of employees should be used as an ultima ratio measure when there is no other way to achieve the specific purpose of the monitoring.In other words, using this or that type of employee monitoring must be necessary because there is simply no other way to achieve the required monitoring objective (necessity criterion).
Thus, it can be stated that the restriction of an employee's right to privacy can be justified in cases where the employer suffers or is likely to suffer significant damage (specifically, in this case, financial loss, but such an approach could also be used be in other instances in which there is not yet any direct financial damage, but there is a real risk of such damage occurring, or where there is a critical threat to the business's safety, e.g., in the event of the employee's illegal transfer of important Information of the company to its competitors, or other similar cases).The Court also assessed the duration of the covert surveillance and the number of persons who had access.There were no other means of discovering the shortage of money in the cash register (necessity test).In the case of employee monitoring, the criterion of necessity is also relevant.This means that the employer's mere curiosity or assumption about the alleged purpose of the monitoring may not be a sufficient condition for monitoring employees.There must be a valid justification (necessity) for monitoring measures to achieve a specific objective or to protect a vital business interest, i.e. the potential harm must not be presumed but real.In addition, as mentioned above, it is a necessary condition that the damage cannot be prevented by other means (ultima ratio).The Court warned that mere suspicion of misappropriation or any other wrongdoing by employees would not be sufficient to justify the installation of covert video surveillance cameras.An important justification for covert surveillance of employees would be a reasonable suspicion that serious misconduct had been committed and a significant extent of the losses.This is particularly important where the smooth functioning of a company was endangered not merely by the suspected misbehaviour of one single employee but rather by the suspicion of concerted action by several employees, as that created a general atmosphere of mistrust in the workplace.
The employer must have strong evidence to support a reasonable suspicion of serious wrongdoing.Thus, monitoring an employee by any possible means is only possible when there is a severe risk.An employer could monitor employees for purely preventive purposes only if the prevention is justified by critical necessity, e.g.fragmented employees in the field of monitoring, protection of property, occupational health and safety, and only if such objectives cannot be achieved by other means that are less restrictive of the employees' privacy.
This could include, in particular, local regulation -an appropriate legal environment that sets a certain standard of behaviour for employees.The cases and procedures for monitoring or possible monitoring by any means must be made known to the employees (the employer's obligation to draw up local regulations and to make them known to the employees) (Art.206 LC RoL).In addition, the purpose of the monitoring must be clearly defined, and the employees must be informed of the monitoring carried out in the company.It could be concluded here that the mere knowledge that local rules protect specific processes or values is preventive.Additional possible monitoring measures, of which employees must be informed and have the right to influence the development of such rules through employee representatives (Art.206 of the LC), could only be used in exceptional cases where: (a) legal measures alone are no longer sufficient; (b) damage is occurring, or there is a high risk of severe damage; (c) there is sufficiently strong evidence which can only be verified by monitoring measures; and (d) no other means are available to achieve the objective (the necessity criterion).It must always be assessed whether alternative measures less intrusive on the worker's privacy are not feasible to achieve the objective.The employer must determine such alternative measures, document its reasoned assessment in local regulations, and communicate it to employees.Employee-specific monitoring measures must be the only and last means of achieving a specific objective.Thus, an employer cannot use a combination of several monitoring measures, either: for each very specific objective to be communicated to the employees, a specific and unique method of employee monitoring must be used, without which it is not possible to ensure the achievement of the objective by other means.Moreover, monitoring of employees should not be of a permanent nature (except in specific justified cases where monitoring is necessary for safety reasons or is required by law in the particular nature of the work performed).The employer's method of monitoring workers should last only as long as necessary to achieve the objective.In other cases where monitoring is needed for security, business process or health and safety purposes, the employer must put in place additional measures to ensure the right to privacy of employees: 1) inform employees before the introduction of information systems and technologies enabling the monitoring of their activities.The Information provided should be kept up to date and consider principle 10 of the present recommendation.The Information should include the purpose of the operation, the preservation or backup period, as well as the existence or not of the rights of access and rectification and how those rights may be exercised; 2) take appropriate internal measures relating to the processing of that data and notify employees in advance; 3) consult employees' representatives in accordance with domestic law or practice, before any monitoring system can be introduced or in circumstances where such monitoring may change.Where the consultation procedure reveals a possibility of infringement of employees' right to respect for privacy and human dignity, the agreement of employees' representatives should be obtained; 3) consult, following domestic law, the national supervisory authority on processing personal data (Recommendation 2015).
Combining the requirements of the legal regulation of employment relations and the legal protection of personal data, on the one hand, the obligation to organise work in accordance with the employer's rules and, on the other hand, the responsibility to ensure the employee's privacy, any information relating to the employee in the employment relationship must be accessible only to those persons who have the relevant specific obligations for the fulfilment of which the processing of personal data is necessary.Thus, where the employer carries out specific monitoring measures, the data should be reviewed and evaluated by the narrowest possible range of authorised personnel.For example, in the Ribalda case, the Court indicated that the material obtained by covert filming would, first of all, be subject to the obligation to be reviewed by a single person, and once sufficient evidence had been gathered, the employees would be informed of the covert video surveillance carried out.And only after the designated person has assessed whether the data may be relevant to further investigations into the duties of the job or possible damage to the employer could the relevant information be made available to the persons entitled to take decisions in the employment relationship or, as the Court considered if there is a need to review the material, the circle of persons should also be pre-determined and extremely limited.

Conclusions
The employer must process the employee's data to protect the employee's right to privacyone of the fundamental human rights.The challenge to implement this obligation is rapid technological progress that allows an easy way to surveillance employee's performance, actions, and position, which means the possibility to make a significant intervention in employee's private life.As the technical options are almost unmeasurable, the critical problem is how to limit the possible intervention to employee privacy.The employment relationship is specific due to the subordination principle (employer's power to give orders), so the challenge to ensure the employee's right to privacy becomes problematic in this context.
The employer has the right to set local rules that are in the employer's interest rather than the employee's.Such a situation would entail a disproportion between the mutual rights and obligations of the parties to the employment relationship and, therefore, the possible interference in the employee's private life by the employer to control the employee's working activities cannot be based solely on the criterion of a legal basis or a legal rule.Equally important is the quality of the legal framework, which is achieved, on the one hand, by the establishment of appropriate objectives and proportionate procedures for local legislation and, on the other hand, by the adoption of such local legislation following local legislative procedures, i.e. by involving workers' representatives in the decision-making process, through information and consultation procedures.
Regardless of the monitoring method, the monitoring of employees should be used as an ultima ratio measure when there is no other way to achieve the specific objective of monitoring.Using this or that type of staff monitoring must be necessary because there is simply no other way to achieve the required monitoring objective (necessity criterion).It should be noted that a restriction on an employee's right to privacy may be justified in cases where the employer is or is likely to be seriously harmed and that the general interest in monitoring employees is not sufficient on its own.Moreover, if the monitoring of employees is carried out and justified by the principles of processing employees' personal data, the processing of the monitoring results must be carried out by the most restricted circle of persons.