Liechtenstein: Data protection and employment
Seeing as the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') allows Member States to provide for more specific processing rules in the employment context, national approaches in this area should be taken into careful consideration. Dr. Josef Bergt, LL.M. discusses this with regard to Liechtenstein's legal framework and approaches taken herein.
The GDPR has been directly applicable in Liechtenstein, which is a member of the EEA, since 20 July 2018, given that the EEA Joint Committee decided to incorporate the GDPR into the EEA Agreement (Decision of the EEA Joint Committee No 154/2018; OJ L 183, 19.7.2018, p. 23).
This article attempts to shed some light on the data protection in the employment context in Liechtenstein, considering the GDPR as well as the Liechtenstein Data Protection Act (DSG) of 4 October 2018 ('the Act') and the Liechtenstein Data Protection Ordinance (DSV) of 11 December 2018.
Each organisation processes personal data from its employees. This cycle of data processing begins with the actual application documents and job interviews and continues during the whole employment relationship, including when wages are paid or business trips are booked, and does not end when leaving a job, as certain documents containing personal data will be archived and stored.
Employees have to be informed in a transparent manner about these sorts of data processing. In addition, all data protection provisions central to the GDPR also have to be adhered to, for example the legality, purpose, necessity, and proportionality of data processing, as well as the deletion of data records that are no longer required in due time.
Legal provisions in Liechtenstein
Article 88 of the GDPR contains an opening clause for Member States, according to which they may adopt special legal provisions to regulate employee data protection. However, there is no specific regulation concerning data protection in the employment context in Liechtenstein as a whole.
Instead, any processing of the personal data of an employee falls under the scope of the GDPR, as well as the Act. Although Liechtenstein has not enacted a separate law on the subject, some special standards apply, which relate to data processing in the employment relationship.
For example, there is one particular provision regarding data protection in connection with employees present in Liechtenstein. Section 1173a, Article 28a of the Liechtenstein Civil Code (ABGB) ('the Code') stipulates that an employer may process personal data about an employee, including personal data about criminal convictions and offences, to the extent necessary for: (i) the decision on whether to establish the employment relationship and to determine the suitability of the employee for the employment relationship; (ii) the execution or termination of the employment relationship; or (iii) the fulfilment of the rights and obligations arising from the Code.
The aforementioned legal provision further permits the processing of special categories of personal data contrary to Article 9(1) of the GDPR, if: (i) it is necessary for the exercise of rights or the fulfilment of legal obligations arising from Liechtenstein employment law, social security, and social protection legislation; and (ii) there is no reason to assume that the data subject's interest in excluding the processing operation outweighs the legitimate interest of processing the data of the data subject.
Another data protection provision may be found in Article 26 of the Act. Pursuant to this provision, anyone who processes personal data or has personal data processed must keep secret any personal data from processing operations which have been entrusted to him or her, or have been made accessible to him or her on the basis of their professional employment, notwithstanding any other statutory confidentiality obligations, unless there is a legally permissible reason for disclosure of the entrusted or accessible data.
Data processing in the employment context
In general, processing of personal data in an employment relationship may be justified by entering into an employment contract (Article 6(1)(b) of the GDPR). Other processing may be based on a legal obligation, such as the retention requirement for payroll accounting (Article 6(1)(c) of the GDPR).
However, data processing beyond this, such as the publication of employee photos on an employer's website, requires the consent of the respective employee (Article 6(1)(a) of the GDPR). Nevertheless, such consent oftentimes will not be genuinely voluntary in an employment relationship due to an inevitably diluted freedom of negotiation, even though refusal to give consent should not have any negative consequences for the data subject with regards to the employment relationship.
Lastly, the legitimate interest of an employer remains as a legal basis for certain processing of personal data of employees (Article 6(1)(f) of the GDPR). But this legal basis like giving consent to data processing will only in a few cases constitute a suitable legal basis for data processing of an employee and a careful evaluation and balancing of employee interests must be carried out processing personal data.
In the employment context, data processing is only permissible if it is suitable and necessary for the intended purpose and if the data subjects (employees) have been informed and made aware of their rights (Article 13 of the GDPR).
If the data concerned falls under special categories of personal data (e.g. biometric data for an automatic access system), the data processing is only permitted if one of the exceptions of Article 9(2) of the GDPR applies (e.g. giving consent).
Entering into an employment relationship
Before entering into an employment contract, it is necessary to assess the suitability of applicants as employees. For this purpose, an employer may request, view, and evaluate application documents and schedule a job interview. However, personal references (e.g. from a former employer) may only be obtained after the respective applicant has been informed and consent has been provided.
Documents of applicants who have not been employed have to be returned (e.g. original references or diplomas) or destroyed after approximately five to six months after the interview process. This period of time may only be extended with the express consent of the concerned person. Such a period of time also gives an employer the opportunity to defend himself/herself against possible accusations of discrimination in the application procedure (pursuant to Article 8 and/or 14 of the Liechtenstein Equality Act.
According to the Liechtenstein data protection authority ('DSS'), 'standard intelligence or personality tests or graphological assessments [...] are not allowed,' unless they are suitable pursuant to scientifically recognised standards and are necessary (e.g. fit and proper tests for C-level personnel of financial institutions). In such a case, giving consent, according to Article 6(1)(a) of the GDPR, does not constitute a suitable legal basis for recruitment tests, as such consent will hardly be given voluntarily .
Data protection during an employment relationship
Several aspects are to be considered during an employment relationship with regards to data protection. As this topic offers a vast range of potential for discussion, only specific points of practical relevance will be considered in this article.
During an employment relationship, an employer naturally keeps data records of his/her employees (e.g. contact data, application documents, payroll, and social security documents, etc.).
A particularly relevant question often arises as to whether an employer is allowed to view the email accounts which were provided for business purposes and the emails of (former) employees contained therein. If strictly adhering to the enacted data protection regulation, such a procedure is not allowed, unless clear provisions have been stipulated in the employment contract. Only in the case of very important interests of the employer (e.g. justified suspicion of a criminal offence) may the employer view an email account and its contents. This is also an issue if employees are absent for a longer duration and it is consequently advisable to agree on clear regulations on the use of business email accounts and the contents stored therein. Nevertheless, it must always be ensured that access is restricted to business emails.
Electronic devices provided by an employer to the employee may not be used to monitor employees (e.g. tracking services, etc.) unless there is a legitimate interest for doing so (e.g. detection of a crime, tracking of a money transporter, etc.).
An access system to the office premises using a fingerprint scanner or similar (special category of personal data) may be suitable for specific rooms which require particular security measures (e.g. central server rooms, etc.), but it is not suitable for general access to the office or for recording work times.
Data protection after the employment relationship
After the end of an employment relationship, several documents of the respective personnel file may be destroyed in accordance with the principle of data minimisation. However, the statutory retention requirement for specific data, for example for payroll statements, is ten years after an employee has left the job pursuant to the Liechtenstein Persons and Companies Act (PGR).
No specific regulation concerning data protection in the employment context in Liechtenstein exists and there are only few employment-specific regulations on data protection with regard to employment relationships. However, employees in general are granted a strong protection of their data under the GDPR and the Act. Nevertheless, the issue of a so-called diluted freedom of negotiation persists, and employees will oftentimes give consent to data processing involuntarily due to this diluted freedom and the stronger negotiating position of an employer. The only viable countermeasure to such behaviour would appear to encompass more sophisticated control and enforcement of data protection regulations by the DSS.