
Lesson 22 of 25

Privacy at Work: Employment, Monitoring, BYOD & Whistleblowing

4 min read · CIPP/E

Apply the GDPR to the workplace, where consent rarely works: lawful bases for employee data, proportionate monitoring, BYOD trade-offs, works councils, and whistleblowing-system duties.

Domain V: compliance where the law meets reality

  • Domain V — applying the GDPR in specific contexts
  • Employment, surveillance, marketing, technology
  • 8-16 scored questions
  • Heavy on judgment and 'best answer' reasoning

Domain five is where the abstract rules meet messy reality. It carries eight to sixteen scored questions and asks you to apply everything you have learned to four hard areas: the workplace, surveillance, direct marketing, and technology. These questions tend to be judgment-based ("give the best answer for this situation"), so your instincts from earlier domains (lawful basis, minimisation, proportionality, transparency) all come into play.

We start with the workplace, because employment data raises a special tension: the employer holds power over the employee, which complicates the usual lawful bases, especially consent.

The lawful basis for employee data

  • Consent is usually NOT valid at work — power imbalance
  • Lean on contract, legal obligation, legitimate interests
  • Article 88 — member states may add employment-specific rules
  • Special-category staff data needs an Article 9 condition

Processing employee data needs a lawful basis like anything else, but the employment relationship changes which bases work. Because of the power imbalance between employer and worker, regulators, including the EDPB, take the view that consent is rarely freely given at work, so employers generally cannot rely on it. Instead, the usual bases are contractual necessity, for example paying salary; legal obligation, for example tax and social-security reporting; and legitimate interests for things like basic security, subject to the balancing test.

Sensitive staff data, such as health records for sick leave, also needs an Article 9 condition, often the employment-and-social-security exception. Article 88 lets member states lay down more specific rules for employment, so national law matters too. The exam expects you to reject consent as the default basis at work.

Storing personnel records and minimisation

  • Collect only what's necessary for the role
  • Apply retention limits to HR files
  • Restrict access on a need-to-know basis
  • Transparency: tell staff what you process and why

Handling personnel records is an exercise in the principles you already know. Data minimisation means collecting only what the role genuinely requires, not every detail just in case. Storage limitation means HR files have retention schedules: you do not keep a leaver's full record forever, only what law or a legitimate need requires, and only for the period required.

Integrity and confidentiality means access to personnel files is restricted on a need-to-know basis, not open to every manager. And transparency means employees receive a clear notice explaining what the employer processes and why. The risks of mishandling employee data (discrimination, distress, identity theft) are exactly why the exam frames careful, minimal, well-secured HR processing as the right answer.

Workplace monitoring and data loss prevention

  • Monitoring must be necessary and proportionate
  • Least intrusive method; tell staff in advance
  • Often needs a DPIA (systematic monitoring)
  • Covert monitoring only in narrow, justified cases

Workplace monitoring, whether of email or internet use or through data loss prevention tools, is a classic Domain five topic. The guiding tests are necessity and proportionality: the employer must have a legitimate aim, choose the least intrusive method that achieves it, and not subject staff to blanket, continuous surveillance where a narrower measure would do. Employees must normally be told about monitoring in advance (transparency again), and because systematic monitoring is high risk, it will often require a data protection impact assessment under Article 35.

Covert monitoring is permitted only in narrow circumstances, such as investigating serious wrongdoing where notice would defeat the purpose, and even then it must be proportionate and time-limited. When the exam offers a monitoring option, the proportionate, transparent one is almost always correct.

BYOD, works councils, and whistleblowing

  • BYOD — convenience vs blurred personal/work data
  • Separate work and personal data; clear policy; secure access
  • EU works councils may need to be consulted
  • Whistleblowing systems (Directive 2019/1937) raise data issues

The Body of Knowledge names three more workplace topics. Bring your own device (BYOD) lets staff use personal phones and laptops for work; the pro is convenience and cost, the con is that personal and work data get blurred on one device, raising security and privacy risks. Good practice separates work data, often through containerisation, applies a clear policy, and limits the employer's reach into personal data.

EU works councils, the employee-representative bodies in many European companies, may have to be informed or consulted before new monitoring or HR processing is introduced, so consultation can be a compliance step in itself. And whistleblowing systems, now required for many organisations under the EU Whistleblowing Directive, Directive 2019/1937, process sensitive allegations, so they need a lawful basis, strict confidentiality, minimisation, and protection for the people named. The exam may test that whistleblowing data must be handled with particular care.

Recap

  • Consent is usually invalid at work; use contract/obligation/legitimate interests
  • Minimise, retain limits, restrict access, be transparent
  • Monitoring: necessary, proportionate, disclosed; often a DPIA
  • BYOD, works councils, whistleblowing add specific duties

So workplace privacy comes down to this. Consent is generally not a valid basis because of the power imbalance, so rely on contract, legal obligation, or legitimate interests, and add an Article 9 condition for sensitive staff data. Apply minimisation, retention limits, restricted access, and clear notices to personnel records.

Make monitoring necessary, proportionate, and disclosed, with a DPIA for systematic monitoring and only narrow, justified covert monitoring. And remember the extras: BYOD separation, works-council consultation, and careful handling of whistleblowing data. Next, we cover surveillance and direct marketing.

First, go test yourself on employment privacy.

Sources

  • Regulation (EU) 2016/679 (GDPR), Article 6 (lawful basis), Article 9 (special categories), Article 88 (employment context)
  • Directive (EU) 2019/1937 (Whistleblowing Directive)
  • EDPB Opinion 2/2017 on data processing at work
  • national labour law and works-council requirements

Test your knowledge

A few CIPP/E questions on this material.

  1. Following Schrems II, what additional step must an EU exporter take before relying on standard contractual clauses to transfer data to a country with extensive government surveillance?

  2. A processor discovers that customer data it holds on behalf of a controller has been accessed by an unauthorised party. What is the processor's notification obligation under Article 33(2)?

  3. A controller notifies the supervisory authority of a breach within 72 hours but does not yet have complete information about the number of affected data subjects. What should the controller do?

  4. A healthcare organisation suffers a breach of encrypted patient data. The encryption key was not compromised. Must the organisation communicate the breach to affected patients under Article 34?
