New Technologies in the Workplace

New Technologies in the Workplace. Time Management v. Privacy and the Right to Disconnect

In the last couple of months, the French Courts have had the opportunity to consider how new technologies can be lawfully used in the workplace. It is a hot topic in France, where employees’ rights are generally well-protected, but where modernisation is necessary in order to ensure efficiency and productivity for the employer’s business.

A Digital Society brings with it an increased risk for employees and their wellbeing.

With the growth of the digital economy and the place that technology and artificial intelligence has in our society, it is more difficult now than ever before to maintain a proper balance between monitoring because we can (i.e., via more accessible technology), and because we should.
This balance so complicated in a work context, due in part to the ever-increasing case law and also due to the employment relationship itself – the imbalance of power between an employer and its employee, the blurring of the line between private and professional activities, and to what extent an employee can have a reasonable expectation of privacy during working hours, and when they can reasonably expect to disconnect from work and/or from workplace surveillance.

GeoTracking of Employees – Recent Case Law.

The French Courts recently had the opportunity to consider the use of geotracking systems in the workplace, and discussed how employers need to set certain limits on the use or such systems in order to ensure that employees’ wellbeing and privacy rights are safeguarded.

What exactly is GeoTracking?

According to PCMag[1], Geotracking means “Identifying a person’s current, physical location by obtaining GPS data from their smartphones or other GPS-enabled device”.

Employers have unsurprisingly noticed the advantages of geotracking technologies, and such systems are being increasingly used in order to monitor employee activities, especially when they are remote workers, are regularly on the road, or when they are working on a client’s premises to check that employees are fulfilling their contracted hours, whether they are making stops on the way or carrying out personal errands, whether the time spent on the job is profitable and in accordance with company guidelines (i.e., is the employee too slow – or too quick at completing an allocated task).

France: Latest Case Law

Two of the highest Courts in France recently had the opportunity to discuss the use of Geo-Tracking systems.

In one matter, before the State Court (or in French, Conseil d’Etat)[2], the employer was in the business of supplying mobile IT technicians to clients for on-site IT maintenance. To ensure that the technicians’ time logs matched actual work carried out at the client (and the associated travel time), the employer installed geotracking devices in the technicians’ vehicles.

In another matter, before the Supreme Court (in French, Cour de Cassation)[3] the employer ran an electrician company and installed real-time geo-tracking equipment in all of its vehicles electricians in order ensure a better management of employees’ time.

The Role of the Data Protection Authority (“CNIL”)

The case before the State Court came about following the employer’s appeal of a decision from the CNIL. The employer had actually been subject to an audit from the CNIL, which resulted in the data protection authority formally putting them notice to stop processing data which had been collected from the geo-tracking equipment, and which was being used to check-up on employee working time. The employer complained and said that the notice was unfair, since employers have the right to check that their employees are actually working.

In the case before the Supreme Court, the employer had actually organised an information meeting with the staff delegates, and then made the relevant declaration to the CNIL regarding its decision to use geo-tracking systems. A few months after the systems had been implemented, the employer sent each member of staff affected an individual letter which explained the basis of the processing, the reasons behind it and the aim the employer wished to achieve. The Supreme Court noted that this letter should actually have been sent to the employees before the system was implemented. In this matter, we assume that the CNIL did not object to the use of geo-tracking.

Aside from thoughts about employee well-being, personal data considerations are also important and the role of the CNIL is not to be forgotten. When implementing any kind of new technology in the workplace (or elsewhere) it is important to make sure that the relevant declarations have been made, and that you are transparent and cooperate with your national supervisory authority.

Will General Data Protection Regulation (“GDPR”) change things?

Under the GDPR, the traditional CNIL declaration procedure will be largely replaced. Instead, companies will need to be responsible for their own compliance with data protection rules, by keeping relevant documentation to evidence compliance. However, whilst the declaration process is unlikely to be applicable, the CNIL has stated that companies can still seek their advice before they implement any system which aim at processing personal data or which might have an impact on individual privacy rights. Under the GDPR, the European Data Protection Supervisor (the EDPB which will benefit from the EDPS secretariat) will be created and will act as a supervising authority for data protection matters, and will also be responsible for providing guidance and information, and ensuring that the GDPR is implemented in a harmonised way across all member states by local authorities, such as the CNIL. It will therefore be important to monitor the EDPS’s activities, as they are likely to be quite active in the area of new technologies.

As a side note, the French Courts, of course, decided these matters on the basis of the existing French Law on IT and Freedoms from 1978 (as amended), and it will be interesting to see whether similar facts would be decided differently under the GDPR, or indeed as the use of technological monitoring systems becomes more common-place.

How did the French Courts decide – geo-tracking is ok if there are no better options?

The French State Court considered that if geo-tracking is used to check up on an employee’s working time when there are other efficient methods available to it, the collection and processing of such data would be considered as disproportionate when analysed in accordance with data protection laws. The State Court took a strict approach and rejected the employer’s appeal to overturn the CNIL’s decision, meaning that the employer has to cease all use of geo-tracking of its employees concerning their working-time.

The French State Court did nonetheless state that the CNIL’s decision, whilst preventing any use relating to surveillance of employee working time, did not prevent the employer to use the data in order to invoice its clients for the provision of services.

In the French Supreme Court, there was a slightly more employer friendly approach, probably because the employer did attempt to inform employees, and also had a justified reason for using geotracking methods – to ensure better time management which contributes to employee wellbeing, rather than it being used for disciplinary or sanction methods, as was arguably the employer’s intention in the case before the State Court.

The Supreme Court stated that whilst geo-tracking systems are irregular, their use by employers to track employees can be legitimate if there are no other ways to check an employee’s working time, and that the use of such systems does not give an employee automatic grounds to sue his/her employer for constructive dismissal.

However, we do need to look further to see whether or not employers in France can safely implement geotracking systems. In this regard, we can seek guidance from the European Court of Human Rights, which has also been quite busy recently, deciding on a range of workplace surveillance cases.

Strike a balance between an employer’s legitimate interests and an employee’s right to privacy

Several cases from the European Court of Human Rights remind us that it is important to strike a proper balance between protecting an employer’s interests (for example, using geotracking for client billing purposes, or to ensure proper time management) and respecting an employee’s right to privacy, which is a Human Right under Article 8 of the European Convention on Human Rights (Right to a Private Life).

In all of these cases, whilst admittedly not specifically related to geo-tracking devices, general principles from the Court state that:

  • For employee monitoring to be lawful, employers are actually required to inform their staff that they are susceptible to being monitored before such monitoring takes place.
  • Employees should be informed of the methods of surveillance and the aim sought, by being provided with privacy policies, or by notices displayed in the workplace or in vehicles, and be given the right to object[4], and also challenge any findings or evidence gathered via such methods.
  • Employers should see if their employees can be monitored in any other way aside from automatic or potentially intrusive surveillance. If it is possible to monitor employee working time by less intrusive means, then the employer should do so, otherwise any geotracking system is likely to be criticised.
  • If an employer does choose to implement new technologies in the workplace, such as geotracking, it is probably better to ensure that the use of such systems is very limited in scope, and doesn’t go further than is necessary in order to achieve the aim sought.[5]
  • Finally, employers should keep a record (such as a Privacy Impact Assessment under the GDPR) to justify that the balance between a potential breach of employee privacy is tipped in the favour of a proportionate aim sought by an employer.

So how this link in with an employee’s “Right to Disconnect”?

In an attempt to combat excessive working hours which occur with remote working and Bring Your Own Device policies, and the blurring of employees’ professional and personal lives, the French legislator updated Article L2242-17 of the Employment Code via the ordinance of 22nd September 2017. Since this law, French workers have the “Right to Disconnect“, which should be implemented by employer policies or agreements regulating the use of electronic devices in the workplace. Such policies should set out the ways in which the right to disconnect is implemented within the company.

Obviously, the right to disconnect seems quite at odds with the right for an employer to geolocalise its staff, especially when employees might be using their own vehicles for company purposes, or are permitted to use company cars for personal use, outside of working hours. In order to reduce any risk of a breach of privacy rights, unlawful employee surveillance and a breach of the right to disconnect, employers need to ensure that they have a robust policy in place which permits employees to deactivate any tracking devices once they have finished work, and to ensure that no data is collected or monitoring carried out once the employee is off the clock.

As such, the employer should ensure that all employees, managers and management teams are aware of the policy and that training and guidance sessions are provided across to board to ensure that everyone within the company uses electronic devices (not limited to geotracking) in a reasonable manner.

Can I Implement New Technologies, such as Geo-Tracking Systems?

The easiest advice would be to say: Do not geotrack your employees.

However, as we have seen from the above examples, it is important for employers to be able carry out surveillance in order to protect their rights, their interests, their financial investments and also in order to properly bill their clients. From a legal perspective, geotracking is possible and has been judged potentially lawful by the courts, depending on how it is done, and whether the balance between employer interests and individual privacy rights and freedoms has been upheld.

© Charlotte Gerrish, Lawyer, February 2018 – This note is for guidance only and does not constitute definitive legal advice.

About Charlotte Gerrish

Charlotte Gerrish

Charlotte is the founding lawyer of Gerrish Legal and has over 10 years of legal experience working in international law firms and companies in London, Paris, Brussels and Luxembourg. Charlotte’s expertise focuses on commercial law, NTIC, IP, GDPR and contract issues. Most recently, Charlotte held an in-house position as a Senior Legal Counsel for the France/Benelux region of a global professional services company. Alongside Gerrish Legal, Charlotte also tutors in international corporate compliance on the International Commercial Law LL.M at Edinburgh Law School.


As Miss Gerrish, Lawyer, indicates from a legal and ethical standpoint in the case of management of people, the means (methods or technics) have to be justified and proportionate to the goals. They have to be used without second thought and in a loyal way with employees.

The employee’s upfront agreement is necessary in case of surveillance, evaluation, or follow up and he must be aware of his right to oppose it and in some cases request the presence of a third party.

The HR professionals should also be reminded of the absolute necessity for them to file with the CNIL the setup of any data collection and processing system affecting personal data of their employees prior to its implementation.

As Charlotte Gerrish, Lawyer, indicates from a legal and ethical standpoint in the case of management of people, the means (methods or technical systems) have to be justified and proportionate to the goals sought by the employer.

They have to be used with care and thought and in a loyal way in respect of employees.

The employee’s upfront agreement is necessary in the event of surveillance, evaluation, or follow-up mechanisms, and he or she must be aware of his or her right to oppose such mechanisms, and in some cases request the presence of a third party.

HR professionals should also be reminded of the absolute necessity for them to file the setup of any data collection and processing system affecting personal data of their employees with the CNIL prior to its implementation, at least until the GDPR comes into force. Once the GPDR comes into force, as Charlotte Gerrish stated, the CNIL will remain available in an advisory capacity to assist HR professionals on privacy questions, and employers will need to document and evidence compliance in the event of a Data Protection audit or inspection.

The use of digital data in corporations goes back to the creation of emails in the early 70’s, last century.
But what is new is that the digital culture pushes us to take advantage of its technological progress to always perform better, faster, bigger and stronger… to such a point that we often witness a proliferation of workaholics, with some of them ending up being diagnosed with a burn out.

How could an employee serenely disconnect to the benefit of his body and his mind if he feels permanently watched by his employer?

Therefore a consequence for such employees is a decreasing sense of self-efficiency, a loss of autonomy and a loss of confidence in themselves and their employer.

To work in the same way as our predecessors is no longer possible. The cult of electronic data is sustained by the explosion of start-ups, by the media that give them their strongly sought visibility, by marketing campaigns and the adoption of specific technologies that were just unimaginable in the past.

For instance, we can bet that in the eyes of our parents, digital implants seem disproportionate to the goal sought by an employer, when they are being used to replace a work clock-in, clock-out system at the factory entrance, even if such implants can appear attractive in the medical field. (A Belgian company recently offered implants to volunteer employees instead of using the clock-in, clock-out system).[6].

As Charlotte Gerrish mentioned, a new European agency (supervising the CNIL for France) is being created to enforce the GDPR.

The GDRP reminds that we are not at total liberty regarding the data we create or hold (with increasingly smart tools) and also reminds us of the freedom data-subjects are entitled to in respect of their personal data (whether digital or not).

About Carole Blancot

Carole Blancot

Carole Blancot is CEO of SpotPink, an HR communication agency created in 2011.
She’s also a noted speaker, trainer and co-writer of several books related to HR, technology, and social media. She holds a master’s degree in psychology. Carole Blancot consults with corporations in the field of collective bargaining, implementation of the right to disconnect and runs digital disconnection seminars.



[1] See, in English –

[2] See decision in French – reference: Conseil d’Etat, 10ème – 9ème ch. Réunies, decision of 15/12/2017.

[3] See decision in France – reference: Cour de cassation, civile, ch. Sociale, decision of 20/12/2017.

[4] See decisions against Romania and Spain here:{“itemid”:[“001-177082 and here:{“itemid”:[“003-5966572-7628703”]}

[5] See the case against Germany here:{“itemid”:[“002-782”]}

[6] Implants de puces RFID d’une entreprise belge sur ses employés –

Carole Blancot About Carole Blancot

Carole Blancot est conférencière, formatrice, co-auteure de plusieurs ouvrages, blogueuse, psychosociologue clinicienne psychothérapeute (Numéro ADELI : 78 93 1059 6), IPRP (n°IDF/2018/34), présidente de SpotPink (agence de communication pour les acteurs des domaines RH et SIRH), et DPO (Désignation CNIL : N° DPO-37620 et N° DPO-37624).
Elle intervient par exemple en entreprise pour faciliter la négociation du droit à la déconnexion et la mise en œuvre des outils et des mesures de régulation associées. Elle met aujourd'hui son passé de consultante RH au service d'interventions psychosociologiques dans des contextes qui sont parfois compliqués. Elle maîtrise les tenants et aboutissants du RGPD. Par ailleurs spécialiste de la production de contenu pour les sujets traitant de la gestion des RH, du SIRH (Système d’Information en Ressources Humaines) et des médias sociaux, elle a (co)réalisé en 2015 la première étude portant sur le phénomène du FoMO et sur le niveau de dépendance des Français vis-à-vis des médias sociaux. Twitter : @CaroleBlancot


  1. Avatar Isabella Ravenhill says

    Please be aware, the EDPS is an already existing supervisory authority. The European Data Protection Board (EDPB) will be created under the new GDPR.

    • Charlotte Gerrish Charlotte Gerrish says

      Thank you for your comment. Yes, the EDPS exists today, but does not have the overarching supervisory function envisaged under the GDPR. In the event of any confusion, of course, the European Data Protection Board (EDPB) will succeed the existing “Article 29 Working Party” and will be responsible for ensuring a consistent application of the GDPR by national authorities, but it is envisaged that the EDPS will provide the secretariat for the EDPB including administrative and logistic support and shall assist in performing analytical work to contribute to the EDPB’s tasks, and in this sense will have new functions.
      Charlotte Gerrish

error: ©SpotPink