Surveillance at the Workplace

Information and Communication Technology (ICT) | Surveillance in the Workplace | Technical and Organisational Measures (TOMs)

The use of Information and Communication Technology (ICT) by a company's personnel can harbour risks, have legal and financial consequences and possibly damage the company's reputation. Examples include excessive internet use by personnel during working hours, the installation and use of private applications on the company's IT infrastructure, the disclosure of confidential information, and conduct on social media platforms that causes reputational damage. Furthermore, compliance with working and rest time regulations, and the documentation obligation associated with them, must be taken into account. This can be particularly relevant for work from home.

Under Swiss law it lies within the company's discretion how to utilise its operational resources and to instruct its personnel accordingly (article 321d paragraph 1 CO). Within certain limits and taking proportionality into account, the company may (or must) supervise the use of these resources. This applies in particular where the company has restricted or prohibited a specific use, or where supervisory obligations exist for regulatory reasons, such as in the financial sector to combat corruption, insider trading and money laundering. However, the company must bear in mind that such supervision can infringe on personal privacy, may amount to workplace surveillance with a harmful effect on health, and may also fall within the scope of article 8 of the European Convention on Human Rights (ECHR). This is the case when supervisory and control systems such as keyloggers, content scanners or spyware are used, allowing detailed control of the personnel and thereby constituting inadmissible behavioural surveillance (article 26 paragraph 1 of the Ordinance 3 to the Labour Code). The admissibility and implementation of supervisory and control systems must therefore always be determined on a case-by-case basis. It is advisable to carry out a risk assessment, a balancing of interests and a proportionality check in this regard.

For reasons of transparency, the use of information and communication technologies, any control of such use, and the underlying requirements should be codified in appropriate regulations. Furthermore, the personnel should be trained in the proper use of the operational resources. As an accompanying step, technical protection measures should be taken in order to minimise the risks arising from the use of operational resources by the personnel. In this context, for example, password protection, access control, virus protection, frequent updating, backups, recovery measures, limitation of interfaces and blocking of services come to mind. Such measures are correspondingly to be understood as part of the Technical and Organisational Measures (TOMs), which a company has to implement according to article 8 of the Federal Act on Data Protection (Data Protection Act, FADP) and article 3 of the Ordinance on Data Protection (Data Protection Ordinance, DPO; cf. also article 32 of the General Data Protection Regulation (GDPR; Regulation (EU) 2016/679)). TOMs have to be adapted to the circumstances of the specific case and especially to the expected risks in connection with the use of particular devices, applications and technologies.