Why a separate employee privacy policy
Employees are not regular data subjects. The employer-employee relationship has a built-in power imbalance: an employee cannot really refuse data processing without risking their job. The Israeli Labor Court has ruled, time and again, that consent in an employment relationship is suspect, and that the employer must justify every data collection on an independent legal basis, not consent alone. The website privacy policy is therefore not enough. The organization needs a separate employee privacy policy that addresses the specifics of the employment relationship: what is collected pre-hire, what is collected during employment, what the scope of monitoring is, how BYOD is handled, and what happens at the end of employment. This is a document every employee must sign at hire, and every change requires explicit re-signature.
Pre-hire data — what is allowed and what is not
In the recruitment process the employer is allowed to collect data that is genuinely relevant to the job, and only that. Allowed: education, professional experience, recommendations (with candidate consent), a basic background check for sensitive positions, a fitness questionnaire if the job justifies it (driver, security worker). Not allowed: questions about marital status, pregnancy plans, religion, sexual orientation, political views, criminal record (except in specific cases authorized by law). Allowed in a limited way: psychometric tests if relevant to the job; reference checks with candidate consent. Pre-hire data for candidates who were not hired must be deleted within a defined period (we recommend up to 12 months unless the candidate consented to retention).
Active employee file — required and prohibited fields
The active employee file is divided into three categories. Required: full name, ID number, contact details, salary and payslips, attendance reports, professional training, performance evaluations. Allowed under conditions: medical data (only with documented consent and only when necessary for the job, such as accessibility accommodations or occupational health), biometric data for a time-clock (only with explicit consent + an alternative; see below), family details (only what is necessary for tax / National Insurance / pension purposes). Prohibited: religion, political views, sexual orientation, drug-use history (unless authorized by law), private medical issues unrelated to the ability to perform the job.
Monitoring computer, email, internet activity
Workplace email and computer monitoring is one of the most sensitive areas. The Labor Court ruled (case Issakov 2011 and later rulings) that monitoring is allowed only when: (a) there is a clear, written monitoring policy, signed in advance; (b) the employee was specifically notified of the monitoring; (c) the monitoring is proportionate to the legitimate purpose; (d) less intrusive alternatives were considered; (e) there is a clear distinction between work email and personal email, and the employer cannot read personal email even if it is used at the workplace. Practically: a written policy + employee signature + a monitoring tool that flags emails as "personal" and excludes them = compliance. Random monitoring without a policy = a labor lawsuit waiting to happen.
Workplace CCTV — Labor Court requirements
Workplace CCTV is allowed under strict conditions established by the Authority and the Labor Court: (1) Legitimate purpose: physical security, theft protection, occupational safety, and not employee monitoring; (2) Clear signage at every workplace entrance and at every monitored location; (3) Proportionate location: common areas yes, private rooms no, bathrooms and changing rooms absolutely never; (4) Limited retention period: usually 30 days, except for an incident under active investigation; (5) Limited access: only those who need to view the footage; (6) Audio: an additional layer that requires separate justification; (7) Notice in the employment contract or the employee privacy policy. Many organizations install cameras without complying, and pay heavily when an incident reaches court.
BYOD — personal device for work
Use of a personal device for work (Bring Your Own Device) is a difficult intersection between the employer's right to protect data and the employee's right to privacy. Key rules: (1) A written BYOD policy with employee signature; (2) A clear distinction between organizational data and personal data on the device; (3) MDM (Mobile Device Management) that monitors only the organizational layer and cannot read personal WhatsApp, photos, browsing; (4) Remote wipe only of the organizational layer on resignation or device loss, not a full device wipe; (5) Explicit consent to the policy. A common scenario: an employee left the organization, the employer wiped the entire device including personal photos and family contacts = labor lawsuit + significant compensation.
Biometric attendance clock — strict conditions
A biometric time-clock (fingerprint, facial recognition, palm) requires special conditions, as the data is highly sensitive and unchangeable. The Authority and the Labor Court require: (1) Explicit written consent from every employee, separate from the employment contract; (2) A clear non-biometric alternative (magnetic card or login code) without negative consequence; (3) Storage of the biometric template only, not the original image, and on a local secure server; (4) Limited retention: only as long as the employment relationship + a brief reasonable period afterward; (5) A documented risk survey showing the biometric is genuinely needed (not just convenient). Many organizations rolled out a biometric clock as the default without an alternative = labor lawsuit and Authority sanction.
End of employment — retention and deletion
On termination of the employment relationship, not all data is deleted at once. Retention periods by data type: Payslips and tax data: 7 years (Income Tax Ordinance); Employment contract and performance evaluations: 7-15 years depending on contract type and litigation potential; Email and personal files: usually 30-90 days for handoff and continuity, then deletion; Workplace CCTV footage: 30 days from incident date if no active investigation; Biometric data: deletion as close to termination as possible. A written, documented deletion procedure is mandatory under the 2017 regulations. A former employee whose data is still in the organization 10 years after termination without legal basis = direct breach.
How we help
In our DPO as a Service retainer we draft a custom employee privacy policy, aligned with all monitoring and CCTV practices in the organization, with employee signature forms. For tech organizations and startups (see the SaaS & startups sector page) we add specific clauses on BYOD, source code, intellectual property, and remote work. We also conduct annual employee training on the policy and on data subject rights; see the related security procedure template.