international employment law firm alliance L&E Global
Luxembourg | KLEYR | GRASSO
06. Social Media and Data Privacy in Luxembourg
Employment Law Overview Luxembourg
COVID-19: Back To Work in Luxembourg
Cross-Border Remote Work FAQs Luxembourg
Starting a business in Luxembourg

06. Social Media and Data Privacy in Luxembourg

Restrictions in the Workplace

Employers must inform the employees within which limits they tolerate the use of computer tools as well as the devices put in place for personal purposes and the monitoring procedures of these tools. Without being exhaustive, the employer may give the employees the following information:

  • periods and duration of use;
  • the reasons and objectives of the monitoring, the nature of the data collected, scope and circumstances of the monitoring, the recipients of the data;
  • the implementation of tools blocking websites;
  • the mode of collection and use of surveillance data;
  • who is authorised to use the surveillance data and under what circumstances;
  • the retention period of surveillance data;
  • decisions that may be made by the employer during a check;
  • the role of employee representatives in the implementation of the supervisory policy;
  • the terms of employee’s right to access their data.

In the interest of transparency and loyalty in employment relations, the National Commission recommends that the employer adopts a charter, internal regulations or any other document relating to the use of computer tools and control procedures. The employer can restrict the employee’s use of Internet and social media during working hours (ideally by including such a provision in the employment contract or an internal regulation). The employer may take disciplinary action should an employee not comply with the internal regulation. Consequently, for security reasons, the employer is authorised to impose browser configurations and to prohibit or restrict access to certain sites, the downloading of certain files or the connection to discussion forums (“chat”). This is strongly recommended by the National Commission for Data Protection (CNPD).

Surveillance of the employee’s use of Internet is strictly regulated by law. Even if the employer completely prohibits the personal use of computer tools, he does not dispose of the right to control the employee’s use of the computer tools in a continuous way, except where legal exceptions are applicable. Employers cannot individually supervise an employee without having carried out an overall and non-personal supervision. They are however, allowed to make a list of website addresses viewed in a global manner over a certain period, without identifying the employees individually. If the employer has any indication of an Internet use that is detrimental to the company by identifying an unusually long period of Internet consultation or mentioning of addresses of suspicious websites, he may subsequently take the appropriate control measures and pass, in a second stage, this on to an individualised supervision.

Can the employer monitor, access, review the employee’s electronic communications?

Usually, each employee is assigned an e-mail address for his/her professional activity by the employer. This e-mail address and the corresponding mailbox are, as the emails are supposed to be sent and received in the name of the employer, the property of the employer. However, this is a simple presumption and the email can have the character of a private correspondence by inserting “Private/Personal” in the subject field. In this case, the employer cannot open the private emails of its employees, under penalty of violating the secrecy of correspondence, which constitutes a criminal offense. Case law also holds that this prohibition to read private messages applies even in the case where the employer has prohibited the non-professional use of computer tools. The principle of secrecy of correspondence can, however, be removed in the context of a criminal investigation or by a court decision.

Anything not identified as “Private/Personal” is deemed professional and thus the employer is allowed to access it. The latter can obtain traffic and log data such as the volume, frequency, size, and format of their attachments. This information is checked without identifying the person concerned. In the event that irregularities are found, the employer can, in a second phase, identify the persons concerned and check the content of the professional emails. Moreover, the National Commission for Data Protection (hereinafter “CNPD”) suggests the following recommendations:

  • Distinguish private emails from professional emails: to prevent the employer from undermining the confidentiality of private messages, the CNPD suggests: (i) the installation of a twofold mailbox separating private messages and professional messages; (ii) storing private messages in a folder named “private”; and (iii) employees indicate the private and personal nature of the subject of the messages and encourage their correspondents to do the same.
  • Can the employer access the employee’s mailbox in the event of the absence of the employee to ensure business continuity? After informing employees and representative bodies, it is suggested to: (i) set up an automatic absence response from the office to the sender with an indication of who to contact in case of an emergency; (ii) designate a substitute who has a personalised access right to his colleague’s e-mail and who can read and process professional messages, but cannot read messages identified as personal; and (iii) transfer all incoming messages to an alternate.
  • The employee must know the identity of his/her substitute.
  • If an employee permanently leaves the company, it is recommended that: (i)the departing employee transfers all current professional documents to a predefined person (for example, his/her supervisor); (ii) he/she certifies that he has given his/her employer all the professional documents; (iii) he/she copies e-mail messages and other private documents to a private medium, then erases them from the company’s servers; (iv) the employer undertakes to block all computer accounts and to erase the employee’s mailbox(es) immediately upon departure; and (v) people who send a message to the blocked address are automatically informed of the deletion of the email address and receive an alternate address.

Employee’s Use of Social Media to Disparage the Employer or Divulge Confidential Information

By disparaging the employer, the employee violates his/her loyalty obligation and the employer may, as the case may be, take disciplinary action. Anonymous reports should however not be encouraged and should only be accepted by an employer in exceptional circumstances. To avoid abuses, employees are encouraged to use the normal reporting line.

Any questions

Ask our member firm KLEYR | GRASSO in Luxembourg