I’ve been re-reading the Article 29 Working Party’s report on workplace monitoring. I mean, who’d be rockstar when you can have my life?
Anyway, I thought this section merited reproduction in full:
5.8 Processing operations involving disclosure of employee data to third parties
It has become increasingly common for companies to transmit their employees’ data to their customers for the purpose of ensuring reliable service provision. These data may be quite excessive depending on the scope of services provided (e.g. an employee’s photo may be included). However, employees are not in a position, given the imbalance of power, to give free consent to the processing of their personal data by their employer, and if the data processing is not proportional, the employer does not have a legal ground.
Example: A delivery company sends its customers an e-mail with a link to the name and the location of the deliverer (employee). The company also intended to provide a passport photo of the deliverer. The company assumed it would have a legal ground for the processing in its legitimate interest (Article 7(f) of the Directive), allowing the customer to check if the deliverer is indeed the right person. However, it is not necessary to provide the name and the photo of the deliverer to the customers. Since there is no other legitimate ground for this processing, the delivery company is not allowed to provide these personal data to customers.
So, presumably, putting a mugshot of every employee on the internet as part of your corporate marketing is also not permitted. I suspect that will give rise to audible sighs of relief everywhere, except among professional photographers and the poor web-jockeys who are going to have to run-around removing all those pages.
Bit odd, really, given that most people spend the rest of their lives with one arm stuck out at a weird angle, phone akimbo, taking yet another selfie and crying “look at me!”. Still, that’s 29WP for you – Kafka really does have nothing on these guys.