The Commissioner for Personal Data Protection issued Directive No 1/2025 in relation to the use of personal mobile phones for work purposes, based on the guidelines given by the European Data Protection Supervisor, Opinion 2/2017 of the European Commission and the European Data Protection Board.
The practice of using personal mobile phones in the context of the employment relationship is quite widespread these days. However, the “Bring Your Own Device” (“BYOD”) practice may carry potential risks related to the monitoring of employees and their privacy, as well as potential risks to the security of data held in the employer’s systems and databases, to which the employee may have access through their personal device.
The main points of the Directive are that employees are not obliged to use their personal mobile phone for work purposes, and that the use of a personal mobile phone for work purposes may be permissible when:
- the employee wishes to use their phone for such purposes,
- such use facilitates the performance of their duties, and
- it does not entail or involve the processing of the employee’s personal data by their employer.
Furthermore, if the employee does not wish to use their personal mobile phone for work purposes, even when no data processing is taking place, the employer must:
- provide him/her with an alternative solution, and
- ensure that the employee is not subject to adverse consequences if he/she chooses this alternative solution, i.e. the provision of a company device or sponsorship for the purchase of such a device, as well as reimbursement for usage costs, where applicable.
Where an employee’s duties require occasional use of a personal mobile phone, e.g. to access documents by receiving a one-time password (OTP), and this does not entail any processing of personal data by or on behalf of the employer, the use of a personal mobile phone is permitted. The employer must in any case be able to adequately and appropriately document the absence of processing of personal data.
When the use of a personal mobile phone involves the processing of employee data by or on behalf of the employer, e.g. in the context of an application (app) to check working hours and/or remaining rest periods, the employer must ensure that:
- the basic principles of processing (Article 5 GDPR) are respected,
- the processing is based on one of the conditions of Article 6 GDPR, but not consent [Article 6(1)(a)], due to the employer’s position of power,
- the transparency procedure is followed, and the employer informs employees in advance of the processing in question,
- where possible, an alternative, less intrusive measure is offered, e.g. swiping a card instead of a mobile app,
- employees who choose the alternative measure are not subject to adverse consequences or discrimination, and
- all other GDPR obligations are met.
In cases where the employee’s duties require the use of a personal mobile phone on a systematic basis, whether or not their data is being processed, the employer must establish a policy and inform the employees of it. The policy should regulate, among other things, what happens in the event that:
- the employee forgets the device at home,
- the device breaks down or malfunctions, or
- the employee no longer wishes to use the device for work-related purposes.
The Directive aims for a more uniform and consistent use of personal mobile phones, for the purposes of carrying out specific work tasks during working hours, in a manner that ensures the protection of personal data and the privacy of employees.