
I am wondering if a company employing EU citizens is allowed to decrypt SSL traffic of those citizens in a MITM style attack without even informing them what data is collected (without even notifying this software is being installed!).

People will often log into banking (maybe they need to transfer cash to their card for lunch) or online forums when searching for answers related to the work they do.

I find it impossible to believe this can be compliant given the strict nature of GDPR and how data that is collected needs to be minimized and collected with a specific purpose (not to mention the requirement to be informed).

  • This is a purely legal question. Please ask it at [law.se] to get answers from users who know the law instead of mainly the technology. – Steffen Ullrich Apr 12 '19 at 17:03
  • Decrypting SSL is not a GDPR problem. Not informing is the problem. But you probably were notified in a policy that you accepted but didn't read. – schroeder Apr 12 '19 at 18:53
  • I feel the wording of the policy is not accurate to the actual process they undertake - it states web monitoring tools may be put in use which track the websites you visit. It makes no mention of the fact all that information is decrypted and readable which is a different beast to the classic web monitoring of old. I am also unable to see the personal data they have collected about me and there is no communicated process to request its removal and certainly none to request access to that information... – anonymous employee Apr 15 '19 at 12:09

1 Answer

The problem with the GDPR lies in the remark: "without even notifying this software is being installed". In that case: no it is not compliant.

If you dig a little deeper, you will find that in almost all cases there has been some form of communication about this, either in the contract or via the work council and publication to all employees.

In general, employees do not have the same liberties in the context of their work as they have in the free world. Some form of monitoring and/or command is allowed.

To be a bit more complete: of course, the grounds for the data processing in this case will not be consent. It may be 'necessary for the performance of the contract' (doubtful), but more likely 'necessary for compliance with a legal obligation' (in heavily regulated industries) or 'necessary for the purposes of the legitimate interests'.

In order to rely on [legitimate interest] as the legal ground for processing it is essential that specific mitigating measures are present to ensure a proper balance between the legitimate interest of the employer and the fundamental rights and freedoms of the employees. Such measures, depending on the form of monitoring, should include limitations on monitoring so as to guarantee that the employee’s privacy is not violated.

(last part is a quote from "Opinion 2/2017 on data processing at work", art 29 working group)

I work in a place where such a MITM-attack monitoring is deployed. I have not been directly involved in the implementation. But it was clear that:

  • some sites (e.g. banking sites, government sites etc.) needed to be white-listed, so no monitoring was done for these sites
  • Contact with the work council, publication to all employees and making it part of contracts with contractors was necessary.
  • Not all employees will understand the implications of this monitoring.

If you want to have real fun in such an environment, exercise your art. 13-15 rights. Make sure art. 15.3

The controller shall provide a copy of the personal data undergoing processing.

is respected.

– Ljm Dullaart