Contributed By Vondst Advocaten N V
Network monitoring and other cyber-security defensive measures are generally permitted in accordance with the applicable rules laid down in the GDPR. Where the monitoring takes place in the workplace, applicable employment law should be taken into account as well. Moreover, applicable sector-specific law should be complied with, including the Dutch Telecommunications Act.
The AP has investigated the use of deep packet inspection by several Dutch mobile operators. Deep packet inspection is used to analyse data traffic on the mobile network, such as data on visited websites and used apps, inter alia to detect and solve network problems. In its 2013 reports, the AP clarified that collected traffic data should be deleted as soon as possible after collection or irreversibly anonymised, and that the principle of transparency should be adhered to.
As discussed above, the AP has developed guidelines for monitoring the internet and email usage of employees, and the ArtWP29 has published several guidelines on the use of monitoring measures in the employment context that may still serve as a useful starting point when dealing with monitoring related questions.