Employment Sector FAQs
These FAQs seek to address common questions which employers may have about their data protection obligations under the General Data Protection Regulation (EU) 2016/679 (the “Regulation”), particularly in relation to how to handle the personal data of their employees in a manner that complies with the requirements of the Regulation.
Employment Sector: Biometric Data Processing
1. What is biometric data?
The Regulation defines ‘biometric data’ in article 4(14) as personal data which results from specific technical processing relating to an individual’s physical, physiological, or behavioural characteristics, and which can uniquely identify that individual. The Regulation provides examples of biometric data, namely facial images and dactyloscopic data (i.e., fingerprint data). The European Data Protection Board, in its Guidelines 05/2022, further clarifies that other characteristics such as an individual’s voice, iris structure, and blood vessel patterns are also considered biometric data, because they allow or confirm the unique identification of that individual.
Due to its inherently sensitive nature, when biometric data is processed for the purpose of uniquely identifying an individual, it is classified as a special category of personal data in terms of article 9(1) of the Regulation. Accordingly, biometric data is afforded enhanced protection, and its processing is prohibited unless one of the specific conditions for processing under article 9(2) of the Regulation applies.
2. Can employers implement biometric systems in the workplace? Would this be compliant with the Regulation?
If an employer wishes to introduce biometric systems in the workplace, this will inevitably involve the processing of biometric data. Given that biometric data is classified as a special category of personal data under article 9(1) of the Regulation, then one of the conditions for processing under article 9(2) of the Regulation would have to be identified in order for that processing to be considered lawful. The conditions set out in article 9(2) of the Regulation are deliberately stringent due to the invasiveness of the processing of special category personal data, and accordingly, most of the conditions require the controller to demonstrate that the processing is actually “necessary” to achieve the purpose pursued.
By way of example, if an employer wishes to implement a biometric system (such as a fingerprint or facial scanning device) for the purpose of monitoring the attendance or recording the working hours of employees, it would have to be shown that the implementation of that biometric system is genuinely necessary in the circumstances, and that there are no other less intrusive systems that could be utilised instead to achieve the same objective. This is also in line with the principle of data minimisation in article 5(1)(c) of the Regulation, which provides that only that personal data which is strictly necessary to achieve the purpose pursued should be processed. Accordingly, it is generally difficult for an employer to justify that the processing of its employees’ biometric data is necessary and cannot be achieved through less intrusive alternatives. Such alternatives could include the introduction of proximity cards or tokens which do not involve the processing of biometric data. While recognising that such systems may be susceptible to misuse such as ‘buddy-punching’, the risks could be mitigated by installing a CCTV camera which, in the event of suspected misuse, could be used to verify who has used the cards or tokens.
Exceptions to the general rule may exist, for example where employees handle classified information which may require strict security measures and access controls, including the verification of the employees’ identities through the processing of their biometric data.
In most cases, the explicit consent of the data subject (as outlined in article 9(2)(a) of the Regulation) may be the only viable condition for processing. However, the controller should be mindful that even this condition has its limitations:
- The data subject’s consent must not only satisfy the Regulation’s standard of consent - in that it must be freely given, specific, informed, and unambiguous (as outlined in article 4(11) of the Regulation), but it must also be “explicit” - in that it cannot be inferred, and must be affirmed by means of a clear statement made by the data subject (for example, through the signing of a consent form explicitly indicating the employee’s consent).
- Furthermore, in an employment context, the European Data Protection Board has repeatedly emphasised in its guidelines that due to the inherent power imbalance present in employer-employee relationships, it is generally unlikely for the employee’s consent to the processing to be freely given. Employees might feel pressured to give their consent due to concerns about repercussions they might face if they were to refuse. Therefore, explicit consent is unlikely to constitute a valid legal basis for processing in an employment context, unless the controller is able to show that the employee has been given a real and meaningful choice.
3. Is a data protection impact assessment (DPIA) required prior to carrying out the biometric data processing?
Yes, in addition to identifying a condition for the processing of the biometric data in terms of article 9(2), a DPIA in terms of article 35 of the Regulation must also be carried out where the controller intends on processing biometric data.
In doing so, the controller should make a careful assessment of the impact which the biometric data collection will have on the employees, ensuring that the processing complies with the fundamental data protection principles and the overall provisions of the Regulation, and that the biometric processing is necessary and proportionate in the given circumstances.
The assessment and its outcome should also be documented and recorded, in line with the controller’s accountability obligations under the Regulation.
(These responses have been prepared on the understanding that current systems do not retain a copy of the actual biometric data but convert such data into a template which cannot be reverse engineered.)
Employment Sector: Police Conduct Certificates
1. Can employers collect and retain police conduct certificates?
As a general rule, employers cannot retain police conduct certificates of employees, including prospective employees.
However, employers can have a legitimate interest (see article 6(1)(f) of the Regulation) to request police conduct certificates for the purpose of verifying whether a current or prospective employee, as the case may be, has a clean conduct and no prior criminal convictions. Requesting employees to present their police conduct certificate is particularly relevant for certain roles which involve contact with vulnerable individuals (e.g., care workers at elderly homes, or teachers at schools). Furthermore, the Fourth Schedule of the Conduct Certificates Ordinance (Chapter 77 of the Laws of Malta) provides a list of competent authorities that have the right to request a complete record of criminal convictions from the individual.
Once the individual has presented the certificate to the employer, the employer may document the confirmation of the individual’s (clean) conduct. However, the certificate itself should not be retained on file. If the certificate was provided by the individual in hard copy, it should be returned to the individual, whereas if it was received electronically (e.g., via email), it should be securely deleted.
Employment Sector: Pre-Employment Medical Checks
1. Can employers require prospective job candidates to undergo pre-employment medical examinations and/or testing?
From a data protection perspective, requiring prospective job candidates to undergo medical examinations / testing during the recruitment process is inherently intrusive, and does not satisfy any of the legal bases for the processing of personal data under the Regulation.
With regards to candidates who have already been selected for a role (i.e., chosen candidates), medical examinations / testing may be permissible where, because of the nature of the role (e.g., where the job is physically demanding), it would be necessary for the employer to know whether the chosen candidate is medically fit to carry out the role.
In such cases, it is advisable that employers adopt a practical approach, by including a specific section or clause within the employment contract stating that the commencement of employment is subject to the satisfactory outcome of the medical examination / testing, and by ensuring that this takes place only after the employment contract has been signed by the individual. This ensures that the chosen candidate can make an informed decision before actually assuming the role.
In addition, and in line with the principle of transparency under the Regulation, it is also good practice to inform employees about this procedure during the interview stage itself.
However, a prospective candidate cannot be rejected solely on the basis that he/she has refused to undergo a medical check. This is particularly important given that prospective candidates, who would naturally be motivated by the prospect of securing the role, would not generally be in a position to freely give or withhold their consent to the processing of their personal data by a prospective employer. In this context, while article 9(2)(a) of the Regulation permits the processing of special category data where the data subject has given “explicit consent”, this is not considered to constitute a valid legal basis in the field of employment, due to the inherent power imbalance that exists in employment relationships and the potential consequences that candidates may be concerned about facing if they were to refuse to consent to the processing.
2. What about medical examinations and testing of current employees?
Medical data constitutes a ‘special category of personal data’ in terms of article 9 of the Regulation. As this personal data is more sensitive, it merits enhanced protection and cannot be processed unless one of the specific conditions set out in article 9(2)(a) to (j) of the Regulation applies. The controller must therefore ensure, prior to the processing, that the processing activity is legitimised on the basis of an appropriate ground in article 9(2).
In this regard, article 9(2)(h) of the Regulation provides that the processing of special category personal data is permitted where it is necessary “for the assessment of the working capacity of the employee”. One may also note that this provision explicitly refers to “the employee”, indicating that it is limited to individuals who are already in employment, and not to prospective job candidates. Importantly, when relying on this provision, any such examinations or tests should be limited to ascertaining whether the employee is fit and capable of working and does not suffer from any medical conditions which could prevent him/her from being able to carry out the particular role.
Article 9(2)(b) also applies in an employment context, permitting the processing of special category data where it is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment, but only where such processing is authorised pursuant to EU or national law. The applicability of this provision is therefore subject to an important caveat, which is that the processing must be grounded in a specific obligation or right set out in law.
Article 9(2)(a) permits the processing of special category data where the data subject has given “explicit consent”, however this is generally not considered to constitute a valid legal basis in an employment context. This is because of the inherent power imbalance that exists in employer-employee relationships, wherein the employer naturally has more power over the employee such that consent to the processing cannot generally be regarded as having been genuinely and freely given.
Where a controller determines that one of the grounds in article 9(2) of the Regulation is applicable, a thorough proportionality assessment should be carried out in order to evaluate whether the medical examinations / testing are actually justified and necessary based on the particular circumstances and the nature of the employee’s role, and whether there are any other less intrusive means that could be used to achieve the same objective. This assessment should be documented and retained in accordance with the accountability obligations under the Regulation, including under article 5(2) of the Regulation, which requires the controller to be able to demonstrate compliance.
3. Are there any additional requirements or best practices employers should follow when requiring medical examinations and testing?
Where an employer has determined that it is necessary and proportionate to require medical examinations / testing of its employees, the following considerations should be kept in mind:
- Any such medical examinations / tests must be carried out by and under the responsibility of a healthcare professional (who, in terms of Maltese law, is subject to professional secrecy obligations), and this is also in line with article 9(3) of the Regulation;
- They must only take place after the employment contract has been signed. However, it would be considered good practice to inform prospective candidates about this requirement at interview stage, so that the candidates are fully informed before proceeding further in the interview process; and
- In accordance with the principle of data minimisation under article 5(1)(c) of the Regulation, the healthcare professional should not disclose any specific health conditions or diagnoses of the employee to the employer. Instead, the employer should only be provided with a ‘fit’ or ‘not fit’ result regarding the health of the employee. In certain circumstances there may be exceptions to this, however this would have to be assessed on a case-by-case basis.
Employment Sector: Employee Monitoring
1. As an employer, can I ask employees to switch on their webcams on the company device at any time during the workday?
To begin with, a distinction should be made between situations where an employer requests the employee to switch on his/her webcam at certain times during work hours for legitimate work-related purposes (e.g. during virtual meetings, where the employee’s visual presence during the meeting may be needed), and scenarios where an employer uses the webcam to continuously and systematically monitor the employee during working hours.
In line with the principles of proportionality and data minimisation, both of which are key principles under the Regulation, any proposed measure to monitor employees would have to be strictly necessary and proportionate when weighed against the purpose it intends to achieve. In the context of remote working, an employer may consider the possibility that employees might leave their desks during working hours to carry out personal errands as a risk to be addressed. The employer, however, must consider what would be the least invasive measure that could achieve that objective (i.e., the measure that collects and processes only the minimum personal data necessary to address that risk).
Accordingly, requiring an employee to keep their webcam switched on at all times or remotely accessing the employee’s webcam throughout the workday involves continuous video and/or audio surveillance. This form of monitoring would be considered a highly invasive and intrusive form of processing of personal data. In most cases, an employer would not be able to justify that processing as being necessary and proportionate. By contrast, an employer may, depending on the particular context and circumstances, be able to identify a legal basis which justifies requesting the employee to enable their webcam where this is needed for work-related interactions (and therefore, not on a continuous basis). Yet, even in such cases, the employer must make its own assessment and weigh the intended measure against the risks it seeks to address, to ensure that the measure is not disproportionate to the aim being pursued.
Having said that, any processing of personal data - including via webcams - must be based on an applicable legal basis under article 6 of the Regulation. Certain legal bases present challenges in an employment context, and therefore, employers should carefully consider which legal basis to rely on for the processing of employee personal data. As to whether an employee can be “asked” to have his/her camera switched on, employers should be mindful that relying on consent (under article 6(1)(a) of the Regulation) of the employee as a legal basis is problematic, since employees are rarely in a position to genuinely, freely consent to processing due to the power imbalance that exists in employer-employee relationships.
As outlined by the European Data Protection Board in its Guidelines 05/2020 on Consent, “given the dependency that results from the employer/employee relationship, it is unlikely that the data subject is able to deny his/her employer consent to data processing without experiencing the fear or real risk of detrimental effects as a result of a refusal”, and that, “it is unlikely that an employee would be able to respond freely to a request for consent from his/her employer to, for example, activate monitoring systems such as camera observation in a workplace […] without feeling any pressure to consent”. Therefore, other than in exceptional situations, employers would have to rely on another legal basis for processing other than consent.
2. As an employer, can I insist on the employee’s webcam being switched on for a specific duration of time during the workday?
The Regulation does not explicitly regulate the use of webcams, nor does it go into the issue of whether employers can require employees to keep them switched on for specific durations of time. Rather, the responsibility lies with the employer (the controller) to make its own judicious assessment, based on its specific circumstances, as to whether there is a valid legal basis under article 6 of the Regulation that would justify the processing of employees’ personal data via the webcams.
An employer may, in certain circumstances, seek to rely on its own ‘legitimate interests’ (under article 6(1)(f) of the Regulation) as a legal basis to process employee personal data. However, it should be noted that the threshold to rely on this legal basis is high, and requires that the following 3-part test, as laid out by the Court of Justice of the European Union, be satisfied:
- there must be a legitimate interest pursued by the controller or by a third party that justifies the processing of personal data;
- the processing must be strictly necessary to achieve that legitimate interest; and
- after balancing the interests of the employer with those of the employee (i.e., the data subject), the employer’s interest must be such that it outweighs the interests or fundamental rights and freedoms of the data subject.
By way of example, if the legitimate interest pursued by the employer is to prevent employees from abusing their remote working arrangements, this must be weighed against the employees’ interests and fundamental rights and freedoms which require the protection of personal data. The employer would also have to demonstrate that the processing activity (i.e., having the cameras switched on for a duration of time in the day) is strictly necessary to achieve that legitimate interest and that no other less intrusive alternative exists (such as employee performance assessments) that could effectively achieve the same legitimate interest.
3. As an employer, can I ask employees for information about their daily plans during the workday?
The employer does have a legitimate interest to ensure that its employees are carrying out their work tasks, and so, it stands to reason that an employer may feel the need to ask its employees for information about how they are managing their workday and work responsibilities. However, the employer’s inquiries about the employee’s daily plans should generally not extend to his/her personal activities outside of working hours (for example, asking for personal information about what the employee intends to do during their work break), and should be limited to the employee’s plans for the workday.
This approach respects the individual’s fundamental right to the protection of his/her personal data under the Regulation (as per recital 1 of the Regulation) as well as under the Charter of Fundamental Rights of the European Union (as per article 8 of the Charter).
4. Does the employer need to inform the employee that activity monitoring software has been installed on the company device?
Yes, the Regulation requires that the data subject (in this case, the employee) must be informed about the processing of his/her personal data, and this includes the use of activity monitoring software on company devices. This is in line with the overarching obligation of transparency imposed on the controller under the Regulation, which requires that controllers act openly and honestly with data subjects about how their personal data is processed. Accordingly, employees must be given clear information about the processing (in accordance with article 13, and where applicable, article 14 of the Regulation) that enables them to understand the purposes and extent of any monitoring that is being carried out.
As a final point, employees should not be informed after the monitoring has already started. In this regard, the Article 29 Data Protection Working Party Guidelines on Transparency, which have been endorsed by the European Data Protection Board, clearly state that: “Articles 13 and 14 [of the Regulation] set out information which must be provided to the data subject at the commencement phase of the processing cycle”, and that, “pursuant to the principles of fairness and purpose limitation, the organisation which collects the personal data from the data subject should always specify the purposes of the processing at the time of collection.”
Employment Sector: Managing Employee Email Accounts
1. Upon being informed of an employee’s departure, can an employer set up automatic email forwarding of emails sent to the departing employee’s mailbox?
When an employee leaves an organisation, the employer might wish to get access to the former employee’s email account in order to manage the incoming emails being sent to that address and to ensure business continuity. However, the employer’s interest in ensuring business continuity within the organisation must be carefully balanced against the data protection rights of the individuals concerned under the Regulation.
The automatic forwarding of emails would generally not be compliant with the Regulation.
As a starting point, while employers may implement internal policies that require employees to use their organisation’s email addresses strictly for work purposes, any personal emails in the employee’s mailbox remain personal and are not considered to be the property of the employer.
Therefore, implementing an automatic forwarding rule that sends emails received at a former employee’s company email address to another employee would not be compliant with the requirements of the Regulation, because this would lead to any private or personal emails sent to that address to be disclosed to third parties.
2. Can an employer set up an automatic reply message following an employee’s departure?
Yes, and this approach is strongly recommended upon an employee’s departure from the company, in order to safeguard the data protection rights and respect the privacy of all the individuals concerned, including of both the departed employee and any individuals who may be sending emails to that address. By adopting this approach, it remains at the discretion of the sender whether to forward the email or not.
As to the contents of the message, it should clearly inform the sender that the intended recipient (i.e., the departed employee) is no longer with the company, and should provide an alternative contact for any queries the sender may have as well as details on how to contact that person. The message should also specify a timeframe within which the former employee’s email account will continue to receive emails and the date when it will be closed, following which, emails sent to that email address will no longer be deliverable.
As to the timeframe, the automatic reply message should not remain active indefinitely, but only for a reasonable period (for example, one month). The decision regarding the exact timeframe ultimately rests with the controller to be determined based on the specific circumstances, such as the nature of the employee’s departure, and whether the employee had a key role within the company which might require that the email account remain active for a slightly longer period.
3. What are some practical steps employers can take to manage employee email accounts in a manner that complies with the Regulation?
While the employment relationship is ongoing:
- During the employment relationship, it is crucial that employees are well informed about the organisation’s approach on managing employee email accounts. This should be clearly outlined in an internal policy which is effectively communicated to employees, so that they fully understand and know what to expect upon departure from the company. In this regard, it is advisable that a ‘read-and-sign’ approach is adopted so that the employer can be sure that the employee has actually read the policy. Implementing such a policy is in line with the principle of transparency under the Regulation (as per recitals 39, 58, and article 12 thereof), which requires that information be provided to the data subject (i.e., the employee) in a manner that is “easily accessible and easy to understand, and that clear and plain language be used.”
- Ideally, the policy should specifically set out how employees are to organise their inboxes from the start of the employment, so that personal emails are easily distinguishable from work emails - for example by creating a separate folder within the inbox for personal emails. This would significantly facilitate the retrieval of personal emails in the event of an employee’s departure from the organisation.
On the day of the employee’s departure:
- On the last day of work, the company should give the employee the opportunity to take a copy of and delete any personal or private emails, and should set up an automatic reply rule for any incoming emails that may continue to be sent to the employee’s email address following the date of his/her departure.
- Depending on certain factors, including but not limited to, the nature of the business activity and the role which the former employee used to occupy, the organisation should determine whether for the purpose of business continuity the contents of the employee’s mailbox should be archived.
- Finally, as a best practice that fully respects the employee’s data protection rights under the Regulation, the departing employee should still be given the opportunity to retrieve or delete any personal emails in the inbox if this has not been done on the last day of work, especially if in practice the organisation permits limited personal use on the work email accounts.
Following the employee’s departure:
- The organisation must not allow other employees to access the mailbox of the former employee. This includes, for example, sending emails from this mailbox as if they are originating directly from the former employee. Such an approach would be considered invasive and intrusive and would result in the excessive processing of personal data, which is not in line with the principle of data minimisation (under article 5(1)(c) of the Regulation), since this requires that the processing of personal data should be limited only to what is strictly necessary to fulfil the intended purpose.
- The company should not implement an automatic forwarding rule for emails sent to the former employee’s email address, even if the forwarding is to another email address of the same organisation. Implementing such a practice would risk the unauthorised disclosure of potentially sensitive personal information relating to the former employee and/or other individuals that may be contained in the emails. This would likewise go against the principle of data minimisation, since automatic forwarding involves indiscriminately transferring all incoming emails, regardless of whether the content of each of those emails is relevant and necessary for work-related purposes.
4. In the event that an email is received in the departed employee’s mailbox, and the email concerns personal matters, does the employer have any obligation to pass on the personal emails to the ex-employee, or can such emails be deleted?
The company should have in place a clear, comprehensive policy which addresses these points from the outset, so that employees will know what to expect regarding the handling of their company email accounts upon their departure.
Ideally, the policy should specifically set out how employees are to organise their inboxes, so that personal emails are easily distinguishable from work emails, for example, by creating a separate folder within the inbox for personal emails. This would significantly facilitate the retrieval of personal emails in the event of an employee’s departure from the company.
Having said that, where this has not been done a priori, as a best practice that fully respects the employee’s data protection rights under the Regulation, the departing employee should still be given the opportunity to retrieve or delete any personal emails in the inbox, especially if in practice the company permits limited personal use on the company email accounts.
Employment Sector: Data Retention
1. What are the specific retention periods, if any, for employee personal data?
With reference to the retention periods for keeping personal data, article 5(1)(e) of the Regulation stipulates that personal data collected should not be retained for any longer than is necessary for the purposes for which it is processed.
Given that the Regulation adopts a risk-based approach, this Office advises that it is the responsibility of the controller to ensure that the retention periods it is adopting are justified and reasonable, and are not longer than what is strictly necessary for the purpose for which it is processed.
Having said that, due to the absence of a specific retention period in the Regulation, this Office generally recommends that controllers should carry out an assessment regarding the data processing, the purpose(s) for processing, and determine whether there may be any legal and operational constraints or impediments that may affect the removal of the personal data, and the possible time frames during which the personal data may be required.
By way of example, our national tax laws require records related to taxation to be kept for a minimum of ten years. With regards to other categories of personal data, such as vacation leave records and sick leave records, where the law does not prescribe a retention timeframe, we advise the controller to keep these records for a period it deems justifiable after making its own careful assessment - this could be one to two years maximum, provided that there are no disputes regarding the amount of leave days that have been taken and/or brought forward to the following year.