CEDH · CASELAW;JUDGMENTS;GRANDCHAMBER;ENG — 5 septembre 2017
- ECLI
- ECLI:CE:ECHR:2017:0905JUD006149608
- Date
- 5 septembre 2017
- Publication
- 5 septembre 2017
Mes notes
privées · visibles par vous seulRésumé structuré
version préliminaireFaits
Non déterminable à partir du texte fourni.
Procédure
Non déterminable à partir du texte fourni.
Question juridique
Non déterminable à partir du texte fourni.
Solution
source officielleViolation of Article 8 - Right to respect for private and family life (Article 8-1 - Respect for correspondence;Respect for private life);Pecuniary damage - claim dismissed (Article 41 - Pecuniary damage;Just satisfaction);Non-pecuniary damage - finding of violation sufficient (Article 41 - Non-pecuniary damage;Just satisfaction)
Résumé généré automatiquement — à vérifier avec la décision originale.
Analyse IA non disponible
Générez un résumé intelligent de cette décision
Texte intégral
.s800EAC49 { font-size:12pt } .sFE10DC93 { margin-top:0pt; margin-bottom:0pt; text-align:center } .sBB9EE52A { font-family:Arial } .s29100277 { font-family:Arial; font-weight:bold } .sA36B60A1 { font-family:Arial; font-style:italic } .s2E932ED2 { margin-top:0pt; margin-bottom:0pt; font-size:11pt } .s4ACA9207 { page-break-before:always; clear:both; mso-break-type:section-break } .s9793A85B { margin-top:0pt; margin-bottom:0pt; text-indent:14.2pt } .sCB9E0544 { margin-top:0pt; margin-bottom:0pt; text-align:left } .sB9D5CABB { width:28.35pt; display:inline-block } .sD3B63DAD { margin-top:36pt; margin-bottom:12pt; page-break-inside:avoid; page-break-after:avoid; font-size:14pt } .s4667C756 { margin-top:12pt; margin-left:19.85pt; margin-bottom:0pt; text-indent:-19.85pt; text-align:left; page-break-inside:avoid } .s98FBE5B1 { width:3.85pt; text-indent:0pt; display:inline-block } .s61E420C2 { font-family:Arial; font-variant:small-caps } .sF86C8886 { width:236.15pt; text-indent:0pt; display:inline-block } .s275CCCF2 { width:5.86pt; text-indent:0pt; display:inline-block } .s1A4282B1 { width:12.49pt; text-indent:0pt; display:inline-block } .s2E16A1A1 { width:27.18pt; text-indent:0pt; display:inline-block } .sCC257ADC { width:199.44pt; text-indent:0pt; display:inline-block } .s79DE5897 { margin-top:18pt; margin-left:17.85pt; margin-bottom:12pt; text-indent:-17.85pt; page-break-inside:avoid; page-break-after:avoid } .s34D46E87 { margin-top:12pt; margin-bottom:6pt; text-align:center; page-break-inside:avoid; page-break-after:avoid; font-size:10pt } .sF7A86111 { margin-top:6pt; margin-left:21.25pt; margin-bottom:6pt; text-indent:7.1pt; font-size:10pt } .sA8776625 { margin-top:18pt; margin-left:29.2pt; margin-bottom:12pt; text-indent:-17.6pt; page-break-inside:avoid; page-break-after:avoid } .sAADB120E { margin-top:6pt; margin-left:28.35pt; margin-bottom:6pt; text-indent:7.1pt; font-size:10pt } .s4DDA3AA3 { font-family:Arial; font-weight:bold; font-style:italic } .s72C8F48C { margin-top:12pt; margin-left:36.6pt; margin-bottom:6pt; text-indent:-15.05pt; page-break-inside:avoid; page-break-after:avoid } .sA20670C4 { margin-top:12pt; margin-left:48.75pt; margin-bottom:6pt; text-indent:-17pt; page-break-inside:avoid; page-break-after:avoid; font-size:10pt } .s59DEA84 { margin-top:12pt; margin-left:59.5pt; margin-bottom:6pt; text-indent:-17.85pt; page-break-inside:avoid; page-break-after:avoid; font-size:10pt } .s83BE5C30 { font-family:Arial; font-size:8pt; vertical-align:super } .sDDFF39D6 { margin-top:0pt; margin-bottom:0pt; text-indent:14.2pt; widows:0; orphans:0 } .s583D00FA { margin-top:0pt; margin-left:17pt; margin-bottom:0pt; text-indent:-17pt } .s26FF04E7 { margin-top:0pt; margin-left:17.3pt; margin-bottom:0pt } .s4B243ECC { margin-top:12pt; margin-bottom:0pt; text-indent:14.2pt; page-break-inside:avoid; page-break-after:avoid } .sF7A4323 { margin-top:36pt; margin-bottom:0pt; text-align:left } .sB81E279F { width:179.94pt; display:inline-block } .s5C148630 { width:171.61pt; display:inline-block } .s379BC09C { margin-top:36pt; margin-bottom:0pt; text-align:right } .s5E1364CA { margin-top:0pt; margin-bottom:12pt; text-align:center; page-break-inside:avoid; page-break-after:avoid; font-size:14pt } .s76CF415B { page-break-before:always; clear:both } .sA26766EC { margin-top:18pt; margin-left:17.85pt; margin-bottom:12pt; text-indent:-3.65pt; page-break-inside:avoid; page-break-after:avoid } .s7ACB8D74 { margin-top:0pt; margin-left:14.2pt; margin-bottom:0pt; text-indent:14.2pt }     GRAND CHAMBER             CASE OF BĂRBULESCU v. ROMANIA   (Application no. 61496/08)                     JUDGMENT     STRASBOURG   5 September 2017         This judgment is final but it may be subject to editorial revision.   In the case of Bărbulescu v. Romania, The European Court of Human Rights, sitting as a Grand Chamber composed of:   Guido Raimondi, President ,   Angelika Nußberger,   Mirjana Lazarova Trajkovska, judges ,   Luis López Guerra, ad hoc judge ,   Ledi Bianku,   Işıl Karakaş,   Nebojša Vučinić,   André Potocki,   Paul Lemmens,   Dmitry Dedov,   Jon Fridrik Kjølbro,   Mārtiņš Mits,   Armen Harutyunyan,   Stéphanie Mourou-Vikström,   Georges Ravarani,   Marko Bošnjak,   Tim Eicke, judges , and Søren Prebensen, Deputy Grand Chamber Registrar , Having deliberated in private on 30 November 2016 and on 8 June 2017, Delivers the following judgment, which was adopted on the last ‑ mentioned date: PROCEDURE 1.     The case originated in an application (no. 61496/08) against Romania lodged with the Court under Article 34 of the Convention for the Protection of Human Rights and Fundamental Freedoms (“the Convention”) by a Romanian national, Mr Bogdan Mihai Bărbulescu (“the applicant”), on 15   December 2008. 2.     The applicant was represented by Mr E. Domokos-Hâncu and Mr   O.   Juverdeanu, lawyers practising in Bucharest. The Romanian Government (“the Government”) were represented by their Agent, Ms   C.   Brumar, of the Ministry of Foreign Affairs. 3.     The applicant complained, in particular, that his employer’s decision to terminate his contract had been based on a breach of his right to respect for his private life and correspondence as enshrined in Article 8 of the Convention and that the domestic courts had failed to comply with their obligation to protect that right. 4.     The application was allocated to the Fourth Section of the Court (Rule   52 § 1 of the Rules of Court). On 12 January 2016 a Chamber of that Section, composed of András Sajó, President, Vincent A.   De Gaetano, Boštjan M. Zupančič, Nona Tsotsoria, Paulo Pinto de Albuquerque, Egidijus Kūris and Iulia Motoc, judges, and Fatoş Aracı, Deputy Section Registrar, unanimously declared the complaint concerning Article 8 of the Convention admissible and the remainder of the application inadmissible. It held, by six votes to one, that there had been no violation of Article 8 of the Convention. The dissenting opinion of Judge Pinto de Albuquerque was annexed to the Chamber judgment. 5.     On 12 April 2016 the applicant requested the referral of the case to the Grand Chamber in accordance with Article 43 of the Convention and Rule 73. On 6 June 2016 a panel of the Grand Chamber accepted the request. 6.     The composition of the Grand Chamber was determined in accordance with Article 26 §§ 4 and 5 of the Convention and Rule 24. Iulia Motoc, the judge elected in respect of Romania, withdrew from sitting in the case (Rule 28). Luis López Guerra was consequently appointed by the President to sit as an ad hoc judge (Article 26 § 4 of the Convention and Rule 29 § 1). 7.     The applicant and the Government each filed further written observations (Rule 59 § 1). 8.     In addition, third-party comments were received from the French Government and the European Trade Union Confederation, both having been given leave by the President to intervene in the written procedure (Article 36 § 2 of the Convention and Rule 44 § 3). 9.     A hearing took place in public in the Human Rights Building, Strasbourg, on 30 November 2016 (Rule 59 § 3). There appeared before the Court: (a)     for the Government Ms   C. Brumar ,   Agent , Mr   G.V. Gavrilă , member of the national legal service seconded to the Department of the Government Agent,   Counsel , Ms   L.A. Rusu , Minister Plenipotentiary, Permanent Representation of Romania to the Council of Europe,   Adviser ; (b)     for the applicant Mr   E. Domokos-Hâncu , Mr   O. Juverdeanu ,   Counsel .   The Court heard addresses by Mr Domokos-Hâncu, Mr Juverdeanu, Ms   Brumar and Mr Gavrilă, and also their replies to questions from judges. THE FACTS I.     THE CIRCUMSTANCES OF THE CASE 10.     The applicant was born in 1979 and lives in Bucharest. 11 .     From 1 August 2004 to 6 August 2007 he was employed in the Bucharest office of S., a Romanian private company (“the employer”), as a sales engineer. At his employer’s request, for the purpose of responding to customers’ enquiries, he created an instant messaging account using Yahoo Messenger, an online chat service offering real-time text transmission over the internet. He already had another personal Yahoo Messenger account. 12 .     The employer’s internal regulations prohibited the use of company resources by employees in the following terms: Article 50 “Any disturbance of order and discipline on company premises shall be strictly forbidden, in particular: ... – ... personal use of computers, photocopiers, telephones or telex or fax machines.” 13 .     The regulations did not contain any reference to the possibility for the employer to monitor employees’ communications. 14 .     It appears from documents submitted by the Government that the applicant had been informed of the employer’s internal regulations and had signed a copy of them on 20 December 2006 after acquainting himself with their contents. 15 .     On 3 July 2007 the Bucharest office received and circulated among all its employees an information notice that had been drawn up and sent by the Cluj head office on 26 June 2007. The employer asked employees to acquaint themselves with the notice and to sign a copy of it. The relevant parts of the notice read as follows: “1.     ... Time spent in the company must be quality time for everyone! Come to work to deal with company and professional matters, and not your own personal problems! Don’t spend your time using the internet, the phone or the fax machine for matters unconnected to work or your duties. This is what [elementary education], common sense and the law dictate! The employer has a duty to supervise and monitor employees’ work and to take punitive measures against anyone at fault! Your misconduct will be carefully monitored and punished! 2.     Because of repeated [disciplinary] offences vis-à-vis her superior, [as well as] her private use of the internet, the telephone and the photocopier, her negligence and her failure to perform her duties, Ms B.A. was dismissed on disciplinary grounds! Take a lesson from her bad example! Don’t make the same mistakes! 3.     Have a careful read of the collective labour agreement, the company’s internal regulations, your job description and the employment contract you have signed! These are the basis of our collaboration! Between employer and employee! ...” 16 .     It also appears from the documents submitted by the Government, including the employer’s attendance register, that the applicant acquainted himself with the notice and signed it between 3 and 13 July 2007. 17 .     In addition, it transpires that from 5 to 13 July 2007 the employer recorded the applicant’s Yahoo Messenger communications in real time. 18 .     On 13 July 2007 at 4.30 p.m. the applicant was summoned by his employer to give an explanation. In the relevant notice he was informed that his Yahoo Messenger communications had been monitored and that there was evidence that he had used the internet for personal purposes, in breach of the internal regulations. Charts were attached indicating that his internet activity was greater than that of his colleagues. At that stage, he was not informed whether the monitoring of his communications had also concerned their content. The notice was worded as follows: “Please explain why you are using company resources (internet connection, Messenger) for personal purposes during working hours, as shown by the attached charts.” 19 .     On the same day, the applicant informed the employer in writing that he had used Yahoo Messenger for work-related purposes only. 20 .     At 5.20 p.m. the employer again summoned him to give an explanation in a notice worded as follows: “Please explain why the entire correspondence you exchanged between 5 to 12 July 2007 using the S. Bucharest [internet] site ID had a private purpose, as shown by the attached forty-five pages.” 21 .     The forty-five pages mentioned in the notice consisted of a transcript of the messages which the applicant had exchanged with his brother and his fiancée during the period when he had been monitored; the messages related to personal matters and some were of an intimate nature. The transcript also included five messages that the applicant had exchanged with his fiancée using his personal Yahoo Messenger account; these messages did not contain any intimate information. 22 .     Also on 13 July, the applicant informed the employer in writing that in his view it had committed a criminal offence, namely breaching the secrecy of correspondence. 23.     On 1 August 2007 the employer terminated the applicant’s contract of employment. 24 .     The applicant challenged his dismissal in an application to the Bucharest County Court (“the County Court”). He asked the court, firstly, to set aside the dismissal; secondly, to order his employer to pay him the amounts he was owed in respect of wages and any other entitlements and to reinstate him in his post; and thirdly, to order the employer to pay him 100,000 Romanian lei (approximately 30,000 euros) in damages for the harm resulting from the manner of his dismissal, and to reimburse his costs and expenses. 25.     As to the merits, relying on Copland v. the United Kingdom (no.   62617/00, §§ 43-44, ECHR 2007 ‑ I), he argued that an employee’s telephone and email communications from the workplace were covered by the notions of “private life” and “correspondence” and were therefore protected by Article 8 of the Convention. He also submitted that the decision to dismiss him was unlawful and that by monitoring his communications and accessing their contents his employer had infringed criminal law. 26 .     With regard specifically to the harm he claimed to have suffered, the applicant noted the manner of his dismissal and alleged that he had been subjected to harassment by his employer through the monitoring of his communications and the disclosure of their contents “to colleagues who were involved in one way or another in the dismissal procedure”. 27.     The applicant submitted evidence including a full copy of the transcript of his Yahoo Messenger communications and a copy of the information notice (see paragraph 15 above). 28 .     In a judgment of 7 December 2007 the County Court rejected the applicant’s application and confirmed that his dismissal had been lawful. The relevant parts of the judgment read as follows: “The procedure for conducting a disciplinary investigation is expressly regulated by the provisions of Article 267 of the Labour Code. In the instant case it has been shown, through the written documents included in the file, that the employer conducted the disciplinary investigation in respect of the applicant by twice summoning him in writing to explain himself [and] specifying the subject, date, time and place of the interview, and that the applicant had the opportunity to submit arguments in his defence regarding his alleged acts, as is clear from the two explanatory notices included in the file (see copies on sheets 89 and 91). The court takes the view that the monitoring of the internet conversations in which the employee took part using the Yahoo Messenger software on the company’s computer during working hours – regardless of whether or not the employer’s actions were illegal in terms of criminal law – cannot undermine the validity of the disciplinary proceedings in the instant case. The fact that the provisions containing the requirement to interview the suspect ( învinuitul ) in a case of alleged misconduct and to examine the arguments submitted in that person’s defence prior to the decision on a sanction are couched in imperative terms highlights the legislature’s intention to make respect for the rights of the defence a prerequisite for the validity of the decision on the sanction. In the present case, since the employee maintained during the disciplinary investigation that he had not used Yahoo Messenger for personal purposes but in order to advise customers on the products being sold by his employer, the court takes the view that an inspection of the content of the [applicant’s] conversations was the only way in which the employer could ascertain the validity of his arguments. The employer’s right to monitor ( monitoriza ) employees in the workplace, [particularly] as regards their use of company computers, forms part of the broader right, governed by the provisions of Article 40 (d) of the Labour Code, to supervise how employees perform their professional tasks. Given that it has been shown that the employees’ attention had been drawn to the fact that, shortly before the applicant’s disciplinary sanction, another employee had been dismissed for using the internet, the telephone and the photocopier for personal purposes, and that the employees had been warned that their activities were being monitored (see notice no. 2316 of 3   July 2007, which the applicant had signed [after] acquainting himself with it – see copy on sheet 64), the employer cannot be accused of showing a lack of transparency and of failing to give its employees a clear warning that it was monitoring their computer use. Internet access in the workplace is above all a tool made available to employees by the employer for professional use, and the employer indisputably has the power, by virtue of its right to supervise its employees’ activities, to monitor personal internet use. Such checks by the employer are made necessary by, for example, the risk that through their internet use, employees might damage the company’s IT systems, carry out illegal activities in cyberspace for which the company could incur liability, or disclose the company’s trade secrets. The court considers that the acts committed by the applicant constitute a disciplinary offence within the meaning of Article 263 § 2 of the Labour Code since they amount to a culpable breach of the provisions of Article 50 of S.’s internal regulations ..., which prohibit the use of computers for personal purposes. The aforementioned acts are deemed by the internal regulations to constitute serious misconduct, the penalty for which, in accordance with Article 73 of the same internal regulations, [is] termination of the contract of employment on disciplinary grounds. Having regard to the factual and legal arguments set out above, the court considers that the decision complained of is well-founded and lawful, and dismisses the application as unfounded.” 29.     The applicant appealed to the Bucharest Court of Appeal (“the Court of Appeal”). He repeated the arguments he had submitted before the first-instance court and contended in addition that that court had not struck a fair balance between the interests at stake, unjustly prioritising the employer’s interest in enjoying discretion to control its employees’ time and resources. He further argued that neither the internal regulations nor the information notice had contained any indication that the employer could monitor employees’ communications. 30 .     The Court of Appeal dismissed the applicant’s appeal in a judgment of 17 June 2008, the relevant parts of which read: “The first-instance court has rightly concluded that the internet is a tool made available to employees by the employer for professional use, and that the employer is entitled to set rules for the use of this tool, by laying down prohibitions and provisions which employees must observe when using the internet in the workplace; it is clear that personal use may be refused, and the employees in the present case were duly informed of this in a notice issued on 26 June 2007 in accordance with the provisions of the internal regulations, in which they were instructed to observe working hours, to be present at the workplace [during those hours and] to make effective use of working time. In conclusion, an employer who has made an investment is entitled, in exercising the rights enshrined in Article 40 § 1 of the Labour Code, to monitor internet use in the workplace, and an employee who breaches the employer’s rules on personal internet use is committing a disciplinary offence that may give rise to a sanction, including the most serious one. There is undoubtedly a conflict between the employer’s right to engage in monitoring and the employees’ right to protection of their privacy. This conflict has been settled at European Union level through the adoption of Directive no.   95/46/EC, which has laid down a number of principles governing the monitoring of internet and email use in the workplace, including the following in particular. - Principle of necessity: monitoring must be necessary to achieve a certain aim. - Principle of purpose specification: data must be collected for specified, explicit and legitimate purposes. - Principle of transparency: the employer must provide employees with full information about monitoring operations. - Principle of legitimacy: data-processing operations may only take place for a legitimate purpose. - Principle of proportionality: personal data being monitored must be relevant and adequate in relation to the specified purpose. - Principle of security: the employer is required to take all possible security measures to ensure that the data collected are not accessible to third parties. In view of the fact that the employer has the right and the duty to ensure the smooth running of the company and, to that end, [is entitled] to supervise how its employees perform their professional tasks, and the fact [that it] enjoys disciplinary powers which it may legitimately use and which [authorised it in the present case] to monitor and transcribe the communications on Yahoo Messenger which the employee denied having exchanged for personal purposes, after he and his colleagues had been warned that company resources should not be used for such purposes, it cannot be maintained that this legitimate aim could have been achieved by any other means than by breaching the secrecy of his correspondence, or that a fair balance was not struck between the need to protect [the employee’s] privacy and the employer’s right to supervise the operation of its business. ... Accordingly, having regard to the considerations set out above, the court finds that the decision of the first-instance court is lawful and well-founded and that the appeal is unfounded; it must therefore be dismissed, in accordance with the provisions of Article 312 § 1 of the C[ode of] Civ[il] Pr[ocedure].” 31 .     In the meantime, on 18 September 2007 the applicant had lodged a criminal complaint against the statutory representatives of S., alleging a breach of the secrecy of correspondence. On 9 May 2012 the Directorate for Investigating Organised Crime and Terrorism (DIICOT) of the prosecutor’s office attached to the Supreme Court of Cassation and Justice ruled that there was no case to answer, on the grounds that the company was the owner of the computer system and the internet connection and could therefore monitor its employees’ internet activity and use the information stored on the server, and in view of the prohibition on personal use of the IT systems, as a result of which the monitoring had been foreseeable. The applicant did not avail himself of the opportunity provided for by the applicable procedural rules to challenge the prosecuting authorities’ decision in the domestic courts. II.     RELEVANT DOMESTIC LAW A.     The Constitution 32.     The relevant parts of the Romanian Constitution provide: Article 26 “1.     The public authorities shall respect and protect intimate, family and private life.” Article 28 “The secrecy of letters, telegrams, other postal communications, telephone conversations and any other lawful means of communication is inviolable.” B.     The Criminal Code 33 .     The relevant parts of the Criminal Code as in force at the material time read as follows: Article 195 – Breach of secrecy of correspondence “1.     Anyone who unlawfully opens somebody else’s correspondence or intercepts somebody else’s conversations or communication by telephone, by telegraph or by any other long-distance means of transmission shall be liable to imprisonment for between six months and three years.” C.     The Civil Code 34.     The relevant provisions of the Civil Code as in force at the time of the events were worded as follows: Article 998 “Any act committed by a person that causes damage to another shall render the person through whose fault the damage was caused liable to make reparation for it.” Article 999 “Everyone shall be liable for damage he has caused not only through his own acts but also through his failure to act or his negligence.” D.     The Labour Code 35.     As worded at the material time, the Labour Code provided: Article 40 “1.     The employer shall in principle have the following rights: ... (d)     to supervise how [employees] perform their professional tasks; ... 2.     The employer shall in principle have the following duties: ... (i)     to guarantee the confidentiality of employees’ personal data.” E.     Law no. 677/2001 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 36 .     The relevant parts of Law no. 677/2001 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Law no. 677/2001”), which reproduces certain provisions of Directive 95/46/EC of the European Parliament and of the Council of the European Union of 24   October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (see paragraph 45 below), provide: Article 3 – Definitions “For the purposes of this Law: (a)     ’personal data’ shall mean any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity; ...” Article 5 – Conditions for the legitimacy of data processing “1.     Personal data ... may not be processed in any way unless the data subject has explicitly and unambiguously consented to it. 2.     The consent of the data subject shall not be necessary in the following circumstances: (a)     where processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; ... (e)     where processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject; ... 3.     The provisions of paragraph 2 are without prejudice to the statutory provisions governing the public authorities’ duty to respect and protect intimate, family and private life.” Article 18 – Right to apply to the courts “1.     Data subjects shall be entitled, without prejudice to the possibility of lodging a complaint with the supervisory authority, to apply to the courts for protection of the rights safeguarded by this Act that have been infringed. 2.     Any person who has suffered damage as a result of the unlawful processing of his or her personal data may apply to the competent court for compensation [for the damage]. ...” III.     INTERNATIONAL LAW AND PRACTICE A.     United Nations standards 37.     The Guidelines for the regulation of computerized personal data files, adopted by the United Nations General Assembly on 14 December 1990 in Resolution 45/95 (A/RES/45/95), lay down the minimum guarantees that should be provided for in national legislation. The relevant principles read as follows: “ 1.     Principle of lawfulness and fairness Information about persons should not be collected or processed in unfair or unlawful ways, nor should it be used for ends contrary to the purposes and principles of the Charter of the United Nations. 2.     Principle of accuracy Persons responsible for the compilation of files or those responsible for keeping them have an obligation to conduct regular checks on the accuracy and relevance of the data recorded and to ensure that they are kept as complete as possible in order to avoid errors of omission and that they are kept up to date regularly or when the information contained in a file is used, as long as they are being processed. 3.     Principle of purpose specification The purpose which a file is to serve and its utilization in terms of that purpose should be specified, legitimate and, when it is established, receive a certain amount of publicity or be brought to the attention of the person concerned, in order to make it possible subsequently to ensure that: (a)     All the personal data collected and recorded remain relevant and adequate to the purposes so specified; (b)     None of the said personal data is used or disclosed, except with the consent of the person concerned, for purposes incompatible with those specified; (c)     The period for which the personal data are kept does not exceed that which would enable the achievement of the purposes so specified. 4.     Principle of interested-person access Everyone who offers proof of identity has the right to know whether information concerning him is being processed and to obtain it in an intelligible form, without undue delay or expense, and to have appropriate rectifications or erasures made in the case of unlawful, unnecessary or inaccurate entries and, when it is being communicated, to be informed of the addressees. Provision should be made for a remedy, if need be with the supervisory authority specified in principle 8 below. The cost of any rectification shall be borne by the person responsible for the file. It is desirable that the provisions of this principle should apply to everyone, irrespective of nationality or place of residence. ... 6.     Power to make exceptions Departures from principles 1 to 4 may be authorized only if they are necessary to protect national security, public order, public health or morality, as well as, inter alia , the rights and freedoms of others, especially persons being persecuted (humanitarian clause) provided that such departures are expressly specified in a law or equivalent regulation promulgated in accordance with the internal legal system which expressly states their limits and sets forth appropriate safeguards. ...” 38 .     The International Labour Office (ILO) issued a Code of Practice on the Protection of Workers’ Personal Data (“the ILO Code of Practice”) in 1997, laying down the following principles: “ 5.     General principles 5.1.     Personal data should be processed lawfully and fairly, and only for reasons directly relevant to the employment of the worker. 5.2.     Personal data should, in principle, be used only for the purposes for which they were originally collected. 5.3.     If personal data are to be processed for purposes other than those for which they were collected, the employer should ensure that they are not used in a manner incompatible with the original purpose, and should take the necessary measures to avoid any misinterpretations caused by a change of context. 5.4.     Personal data collected in connection with technical or organizational measures to ensure the security and proper operation of automated information systems should not be used to control the behaviour of workers. 5.5.     Decisions concerning a worker should not be based solely on the automated processing of that worker’s personal data. 5.6.     Personal data collected by electronic monitoring should not be the only factors in evaluating worker performance. 5.7.     Employers should regularly assess their data processing practices: (a)     to reduce as far as possible the kind and amount of personal data collected; and (b)     to improve ways of protecting the privacy of workers. 5.8.     Workers and their representatives should be kept informed of any data collection process, the rules that govern that process, and their rights. ... 5.13.     Workers may not waive their privacy rights.” 39.     With regard to the more specific issue of monitoring of workers, the ILO Code of Practice states as follows: “ 6.     Collection of personal data 6.1.     All personal data should, in principle, be obtained from the individual worker. ... 6.14.     (1)     If workers are monitored they should be informed in advance of the reasons for monitoring, the time schedule, the methods and techniques used and the data to be collected, and the employer must minimize the intrusion on the privacy of workers. (2)     Secret monitoring should be permitted only: (a)     if it is in conformity with national legislation; or (b)     if there is suspicion on reasonable grounds of criminal activity or other serious wrongdoing. (3)     Continuous monitoring should be permitted only if required for health and safety or the protection of property.” 40.     The ILO Code of Practice also includes an inventory of workers’ individual rights, particularly as regards information about the processing of personal data, access to such data and reviews of any measures taken. The relevant parts read as follows: “ 11.     Individual rights 11.1.     Workers should have the right to be regularly notified of the personal data held about them and the processing of that personal data. 11.2.     Workers should have access to all their personal data, irrespective of whether the personal data are processed by automated systems or are kept in a particular manual file regarding the individual worker or in any other file which includes workers’ personal data. 11.3.     The workers’ right to know about the processing of their personal data should include the right to examine and obtain a copy of any records to the extent that the data contained in the record includes that worker’s personal data. ... 11.8.     Employers should, in the event of a security investigation, have the right to deny the worker access to that worker’s personal data until the close of the investigation and to the extent that the purposes of the investigation would be threatened. No decision concerning the employment relationship should be taken, however, before the worker has had access to all the worker’s personal data. 11.9.     Workers should have the right to demand that incorrect or incomplete personal data, and personal data processed inconsistently with the provisions of this code, be deleted or rectified. ... 11.13.     In any legislation, regulation, collective agreement, work rules or policy developed consistent with the provisions of this code, there should be specified an avenue of redress for workers to challenge the employer’s compliance with the instrument. Procedures should be established to receive and respond to any complaint lodged by workers. The complaint process should be easily accessible to workers and be simple to use.” 41.     In addition, on 18 December 2013 the United Nations General Assembly adopted Resolution no.   68/167 on the right to privacy in the digital age (A/RES/68/167), in which, inter alia , it called upon States: “( a )     To respect and protect the right to privacy, including in the context of digital communication; ( b )     To take measures to put an end to violations of those rights and to create the conditions to prevent such violations, including by ensuring that relevant national legislation complies with their obligations under international human rights law; ( c )     To review their procedures, practices and legislation regarding the surveillance of communications, their interception and the collection of personal data, including mass surveillance, interception and collection, with a view to upholding the right to privacy by ensuring the full and effective implementation of all their obligations under international human rights law; ( d )     To establish or maintain existing independent, effective domestic oversight mechanisms capable of ensuring transparency, as appropriate, and accountability for State surveillance of communications, their interception and the collection of personal data[.]” B.     Council of Europe standards 42.     The Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981, ETS no. 108), which came into force in respect of Romania on 1 June 2002, includes the following provisions in particular: Article 2 – Definitions “For the purposes of this Convention: (a)     ’personal data’ means any information relating to an identified or identifiable individual (‘data subject’); ... (c)     ’automatic processing’ includes the following operations if carried out in whole or in part by automated means: storage of data, carrying out of logical and/or arithmetical operations on those data, their alteration, erasure, retrieval or dissemination; ...” Article 3 – Scope “1.     The Parties undertake to apply this Convention to automated personal data files and automatic processing of personal data in the public and private sectors. ...” Article 5 – Quality of data “Personal data undergoing automatic processing shall be: (a)     obtained and processed fairly and lawfully; (b)     stored for specified and legitimate purposes and not used in a way incompatible with those purposes; (c)     adequate, relevant and not excessive in relation to the purposes for which they are stored; (d)     accurate and, where necessary, kept up to date; (e)     preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.” Article 8 – Additional safeguards for the data subject “Any person shall be enabled: (a)     to establish the existence of an automated personal data file, its main purposes, as well as the identity and habitual residence or principal place of business of the controller of the file; (b)     to obtain at reasonable intervals and without excessive delay or expense confirmation of whether personal data relating to him are stored in the automated data file as well as communication to him of such data in an intelligible form; ... (d)     to have a remedy if a request for confirmation or, as the case may be, communication, rectification or erasure as referred to in paragraphs b and c of this article is not complied with.” Article 9 – Exceptions and restrictions “... 2.     Derogation from the provisions of Articles 5, 6 and 8 of this Convention shall be allowed when such derogation is provided for by the law of the Party and constitutes a necessary measure in a democratic society in the interests of: (a)     protecting State security, public safety, the monetary interests of the State or the suppression of criminal offences; (b)     protecting the data subject or the rights and freedoms of others; ...” Article 10 – Sanctions and remedies “Each Party undertakes to establish appropriate sanctions and remedies for violations of provisions of domestic law giving effect to the basic principles for data protection set out in this chapter.” 43 .     Recommendation CM/Rec(2015)5 of the Committee of Ministers to member States on the processing of personal data in the context of employment, which was adopted on 1 April 2015, states in particular: “ 4.     Application of data processing principles 4.1.     Employers should minimise the processing of personal data to only the data necessary to the aim pursued in the individual cases concerned. ... 6.     Internal use of data 6.1.     Personal data collected for employment purposes should only be processed by employers for such purposes. 6.2.     Employers should adopt data protection policies, rules and/or other instruments on internal use of personal data in compliance with the principles of the present recommendation. ... 10.     Transparency of processing 10.1.     Information concerning personal data held by employers should be made available either to the employee concerned directly or through the intermediary of his or her representatives, or brought to his or her notice through other appropriate means. 10.2.     Employers should provide employees with the following information: –     the categories of personal data to be processed and a description of the purposes of the processing; –     the recipients, or categories of recipients of the personal data; –     the means employees have of exercising the rights set out in principle 11 of the present recommendation, without prejudice to more favourable ones provided by domestic law or in their legal system; –     any other information necessary to ensure fair and lawful processing. 10.3.     A particularly clear and complete description must be provided of the categories of personal data that can be collected by ICTs, including video surveillance and their possible use. This principle also applies to the particular forms of processing provided for in Part II of the appendix to the present recommendation. 10.4.     The information should be provided in an accessible format and kept up to date. In any event, such information should be provided before an employee carries out the activity or action concerned, and made readily available through the information systems normally used by the employee. ... 14.     Use of Internet and electronic communications in the workplace 14.1.     Employers should avoid unjustifiable and unreasonable interferences with employees’ right to private life. This principle extends to all technical devices and ICTs used by an employee. The persons concerned should be properly and periodically informed in application of a clear privacy policy, in accordance with principle 10 of the present recommendation. The information provided should be kept up to date and should include the purpose of the processing, the preservation or back-up period of traffic data and the archiving of professional electronic communications. 14.2.     In particular, in the event of processing of personal data relating to Internet or Intranet pages accessed by the employee, preference should be given to the adoption of preventive measures, such as the use of filters which prevent particular operations, and to the grading of possible monitoring on personal data, giving preference for non ‑ individual random checks on data which are anonymous or in some way aggregated. 14.3.     Access by employers to the professional electronic communications of their employees who have been informed in advance of the existence of that possibility can only occur, where necessary, for security or other legitimate reasons. In case of absent employees, employers should take the necessary measures and foresee the appropriate procedures aimed at enabling access to professional electronic communications only when such access is of professional necessity. Access should be undertaken in the least intrusive way possible and only after having informed the employees concerned. 14.4.     The content, sending and receiving of private electronic communications at work should not be monitored under any circumstances. 14.5.     On an employee’s departure from an organisation, the employer should take the necessary organisational and technical measures to automatically deactivate the employee’s electronic messaging account. If employers need to recover the contents of an employee’s account for the efficient running of the organisation, they should do so before his or her departure and, when feasible, in his or her presence.” IV.     EUROPEAN UNION LAW 44.     The relevant provisions of the Charter of Fundamental Rights of the European Union (2007/C 303/01) are worded as follows: Article 7 – Respect for private and family life “Everyone has the right to respect for his or her private and family life, home and communications.” Article 8 – Protection of personal data “1.     Everyone has the right to the protection of personal data concerning him or her. 2.     Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3.     Compliance with these rules shall be subject to control by an independent authority.” 45 .     Directive 95/46/EC of the European Parliament and of the Council of the European Union of 24   October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Directive 95/46/EC”) states that the object of national laws on the processing of personal data is notably to protect the right to privacy, as recognised both in Article 8 of the Convention and in the general principles of Community law. The relevant provisions of Directive 95/46/EC read as follows: Article 2 – Definitions “For the purposes of this Directive: (a)     ’personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity; ...” Article 6 “1.     Member States shall provide that personal data must be: (a)     processed fairly and lawfully; (b)     collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes . Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards; (c)     adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed; (d)     accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified; (e)     kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use. 2.     It shall be for the controller to ensure that paragraph 1 is complied with.” Article 7 “Member States shall provide that personal data may be processed only if: (a)     the data subject has unambiguously given his consent; or (b)     processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or (c)     processing is necessary for compliance with a legal obligation to which the controller is subject; or (d)     processing is necessary in order to protect the vital interests of the data subject; or (e)     processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or (f)     processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).” Article 8 – The processing of special categories of data “1.     Member States shall prohibit the processing of persoArticles de loi cités
Citations
Aucune citation répertoriée pour cette décision.
Décisions connexes
Aucune décision similaire identifiée pour le moment.
Synthèse
- Juridiction
- CEDH
- Chambre
- CASELAW;JUDGMENTS;GRANDCHAMBER;ENG
- Formation
- 8
- Dispositif
- Satisfaction
- Date
- 5 septembre 2017
- Matière
- droits fondamentaux
Référence
ECLI:CE:ECHR:2017:0905JUD006149608