What is the difference between business data and personal data?
The entry into force of withholding tax on 1 January 2019 placed new obligations on employers. They now act as tax collectors and therefore learn the tax rate of each of their employees.
This system has raised questions and concerns about the privacy of employees. It is an opportunity to look at how personal data is collected and processed in the professional context.
What is the dividing line between professional and personal data?
The boundary between personal and professional data is becoming less and less clear, largely because of digital and technological innovation. Personal data is defined as “any information relating to a natural person who is identified or can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to that person”.
A person’s contact details, whether professional or personal, are therefore personal data. Likewise, video surveillance images, geolocation data from a company vehicle, telephone conversations and biometric data are all personal data. Their collection and processing are subject to the General Data Protection Regulation (GDPR).
E-mail addresses, professional data or personal data?
As far as e-mail addresses are concerned, a distinction is made. “Nominative” addresses, of the form firstname.lastname@example.com, correspond to an identifiable person and are therefore personal data. This is not the case for so-called “generic” addresses, which take forms such as contact@example.org and designate a function or a service rather than a person.
In addition, specific rules apply to messaging systems and to IT tools used in a professional context. Even when the company provides them, the employer may not use them to monitor every action of its employees, and employees do not have to hand over their passwords to the employer without a legitimate reason.
However, the contents of e-mails and computers (or any other IT devices) are by default presumed to be professional in nature. This means that the employer can consult them, even without the employee being present. Only e-mails marked “Private” or “Personal” in the subject line are off limits, except in exceptional circumstances. Similarly, files carrying one of these two words in their names cannot be examined unless the employee is present or has been notified, except in special cases designated by the authorities.
Security and the use of personal tools in a professional context
A phenomenon that is becoming more and more common within organisations is BYOD (Bring Your Own Device): employees use their own equipment, such as smartphones or computers, for work. The employer remains responsible for the security of the personal data its company processes, and therefore has the right to secure the devices used for work, even when they belong to employees. Employees must consequently tell their company which personal devices they wish to use for work. Of course, only company-related business data should be open to inspection and secured by the company. The employee’s private personal data stored on these devices must remain private, hence the importance of proper compartmentalisation between the two.
The employer can deploy MDM (mobile device management) or MAM (mobile application management) solutions, but these must apply only to business data and must serve to secure it by enforcing the company’s security rules. For example, such a solution could wipe the business data if the device is stolen, while leaving the employee’s private data untouched.
Essential security features
In addition to business data, companies collect considerable amounts of personal data about their employees over the course of their careers. The new requirements of the GDPR have given employees more rights and placed limits on this collection. This is the subject of the second article in our dossier on personal data in companies.