Lost in Translation: Is Data Protection Labour Law Protection?

Authors

Michele Molè, University of Groningen

Abstract

This article critically examines how the European General Data Protection Regulation (GDPR) defines and applies the legal categories of “data subject” and “data controller” within employment relationships. Under the GDPR, employers who collect and process personal data are classified as data controllers, while employees are designated as data subjects. However, this article argues that such a “translation” of data protection categories, rights, and obligations into the regulation of workplace dynamics requires closer examination. The focus is on evaluating whether the GDPR’s rights and obligations for data subjects and data controllers accurately capture the agency and interests of employee and employer roles in the workplace. Through an analysis of data subject rights (GDPR, Articles 12–22) and selected data controller obligations (GDPR, Articles 24, 25, and 35), this article identifies a “Lost in Translation” effect, where the GDPR’s assumptions of autonomy and agency conflict with the hierarchical nature of employment relationships and with the information asymmetries between employers and data processors (GDPR, Article 28). Ultimately, this analysis highlights the need to reconsider and adapt these legal categories to better reflect the unique characteristics of employment in the regulation of data processing.

Recommended Citation

Molè, Michele (2025) "Lost in Translation: Is Data Protection Labour Law Protection?," Comparative Labor Law & Policy Journal: Vol. 45: Iss. 3, Article 6.
DOI: https://doi.org/10.60082/2819-2567.1067
Available at: https://digitalcommons.osgoode.yorku.ca/cllpj/vol45/iss3/6

References

Abraha, H. H. (2022). A pragmatic compromise? The role of Article 88 GDPR in upholding privacy in the workplace. International Data Privacy Law, 12(4), 276–296. https://doi.org/10.1093/idpl/ipac015

Abraha, H. (2023). Regulating algorithmic employment decisions through data protection law. European Labour Law Journal, 14(2), 117–332. https://doi.org/10.1177/20319525231167317

Adams-Prassl, J., Abraha, H., Kelly-Lyth, A., Silberman, M. S., & Rakshita, S. (2023). Regulating algorithmic management: A blueprint. European Labour Law Journal, 14(2), 124–151. https://doi.org/10.1177/20319525231167299

Albin, E. (2025). The three-tier structural legal deficit undermining the protection of employees’ personal data in the workplace. Oxford Journal of Legal Studies, 45(1), 81–107. https://doi.org/10.1093/ojls/gqae033

Aloisi, A., & De Stefano, V. (2024, March 16). “Gig” workers in Europe: The new platform of rights. Social Europe. https://www.socialeurope.eu/gig-workers-in-europe-the-new-platform-of-rights

Aloisi, A., & Gramano, E. (2019). Artificial intelligence is watching you at work: Digital surveillance, employee monitoring, and regulatory issues in the EU context. Comparative Labor Law & Policy Journal, 41(1), 95–121. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3399548

Article 29 Data Protection Working Party. (2001). Opinion 8/2001 on the processing of personal data in the employment context. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2001/wp48_en.pdf

Article 29 Data Protection Working Party. (2010). Opinion 1/2010 on the concepts of “controller” and “processor.” https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf

Article 29 Data Protection Working Party. (2014). Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf

Article 29 Data Protection Working Party. (2017a). Guidelines on Data Protection Impact Assessment (DPIA). https://ec.europa.eu/newsroom/article29/items/611236/en

Article 29 Data Protection Working Party. (2017b). Opinion 2/2017 on data processing at work. https://ec.europa.eu/newsroom/article29/items/610169

Article 29 Data Protection Working Party. (2018). Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679. https://ec.europa.eu/newsroom/article29/items/612053

Bogoeski, V. (2023). Nonwaivability of labour rights, individual waivers and the emancipatory function of labour law. Industrial Law Journal, 52(1), 179–213. https://doi.org/10.1093/indlaw/dwac020

Cabrita, J., & Böhmer, S. (with Galli da Bino, C., & European Foundation for the Improvement of Living and Working Conditions). (2016). Working time developments in the 21st century: Work duration and its regulation in the EU. Publications Office of the European Union. https://doi.org/10.2806/888566

Calacci, D., & Stein, J. (2023). From access to understanding: Collective data governance for workers. European Labour Law Journal, 14(2), 253–282. https://doi.org/10.1177/20319525231167981

Cogito: Real-Time AI Coaching & Guidance for Contact Centers. (n.d.). [Computer software]. https://cogitocorp.com

Cohen, J. E. (2013). What privacy is for. Harvard Law Review, 126(7), 1904–1933. https://harvardlawreview.org/print/vol-126/what-privacy-is-for/

Collins, H. (1986). Market power, bureaucratic power, and the contract of employment. Industrial Law Journal, 15(1), 1–14. https://doi.org/10.1093/ilj/15.1.1

Collins, H. (2010). Employment law (2nd ed.). Oxford University Press.

Collins, P. M. (2022). Putting human rights to work: Labour law, the ECHR, and the employment relation (1st ed.). Oxford University Press. https://doi.org/10.1093/oso/9780192894595.002.0005

Council of Europe. (1989). Recommendation No. R(89)2 of the Committee of Ministers to member states on the protection of personal data used for employment purposes. https://rm.coe.int/1680500b15

Cristofolini, C. (2024). Navigating the impact of AI systems in the workplace: strengths and loopholes of the EU AI Act from a labour perspective. Italian Labour Law E-Journal, 17(1), 75–103. https://doi.org/10.6092/issn.1561-8048/19796

Dagnino, E., & Armaroli, I. (2019). A seat at the table: Negotiating data processing in the workplace. A national case study and comparative insights. Comparative Labor Law & Policy Journal, 41(1), 173–195.

Davidov, G. (2016). A purposive approach to labour law. Oxford University Press. https://doi.org/10.1093/acprof:oso/9780198759034.001.0001

Davidov, G. (2020). Non-waivability in labour law. Oxford Journal of Legal Studies, 40(3), 482–507. https://doi.org/10.1093/ojls/gqaa016

De Schutter, O. (2013). Human rights in employment relationships: Contracts as powers. In F. Dorssemont, K. Lörcher, & I. Schömann (Eds.), European convention on human rights and the employment relation (pp. 105–140). Bloomsbury Publishing. https://doi.org/10.5040/9781474200301

Delfanti, A. (2021). Machinic dispossession and augmented despotism: Digital work in an Amazon warehouse. New Media & Society, 23(1), 39–55. https://doi.org/10.1177/1461444819891613

European Data Protection Board. (2020a). Guidelines 4/2019 on article 25 data protection by design and by default. https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201904_dataprotection_by_design_and_by_default_v2.0_en.pdf

European Data Protection Board. (2020b). Guidelines 07/2020 on the concepts of controller and processor in the GDPR. https://www.edpb.europa.eu/system/files/2023-10/EDPB_guidelines_202007_controllerprocessor_final_en.pdf

European Data Protection Board. (2022). Guidelines 01/2022 on data subject rights — Right of access. https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202201_data_subject_rights_access_v2_en.pdf

European Data Protection Supervisor. (2014). Privacy and competitiveness in the age of big data: The interplay between data protection, competition law and consumer protection in the digital economy. https://edps.europa.eu/sites/edp/files/publication/14-03-26_competitition_law_big_data_en.pdf

Fenwick, C., & Novitz, T. (2010). Human rights at work: Perspectives on law and regulation. Bloomsbury Publishing. http://dx.doi.org/10.1353/hrq.2011.0051

Finkin, M. W. (1995). Privacy in employment law (1st ed.). Bureau of National Affairs.

Freedland, M. R., & Kountouris, N. (2011). The legal construction of personal work relations. Oxford University Press. https://doi.org/10.1093/acprof:oso/9780199551750.001.0001

Hendrickx, F. (2022). Protection of workers’ personal data: General principles (ILO Working Paper No. 62). International Labour Organization. https://webapps.ilo.org/static/english/intserv/working-papers/wp062/index.html

Kalsi, M. (2024). Still losing the race with technology? Understanding the scope of data controllers’ responsibility to implement data protection by design and by default. International Review of Law, Computers & Technology, 38(3), 346–368. https://doi.org/10.1080/13600869.2024.2324546

Kerber, W. (2016). Digital markets, data, and privacy: Competition law, consumer law and data protection. Journal of Intellectual Property Law & Practice, 11(11), 856–866. https://doi.org/10.1093/jiplp/jpw150

Koulierakis, E. (2023). Certification as guidance for data protection by design. International Review of Law, Computers & Technology, 38(2), 245–263. https://doi.org/10.1080/13600869.2023.2269498

Lee, S. (2024). The “AI mode”: How food delivery riders in the Netherlands and South Korea experience algorithmic management. Italian Labour Law E-Journal, 17(2), 67–88. https://doi.org/10.6092/issn.1561-8048/20869

Lynskey, O. (2014). Deconstructing data protection: The “added-value” of a right to data protection in the EU legal order. International and Comparative Law Quarterly, 63(3), 569–597. https://doi.org/10.1017/S0020589314000244

Malgieri, G. (2023). Vulnerability and data protection law. Oxford University Press. https://doi.org/10.1093/oso/9780192870339.001.0001

Mantouvalou, V. (2014). The right to non-exploitative work. In V. Mantouvalou (Ed.), The right to work — legal and philosophical perspectives (pp. 39–60). Bloomsbury Publishing.

Molè, M. (2022). The internet of things and artificial intelligence as workplace supervisors: Explaining and understanding the new surveillance to employees beyond Art. 8 ECHR. Italian Labour Law E-Journal, 15(2), 87–103. https://doi.org/10.6092/ISSN.1561-8048/15598

Molè, M. (2024). Commodified, outsourced authority: A research agenda for algorithmic management at work. Italian Labour Law E-Journal, 17(2), 169–188. https://doi.org/10.6092/issn.1561-8048/20836

Molè, M., & Mangan, D. (2023). “Just more surveillance”: The ECtHR and workplace monitoring. European Labour Law Journal, 14(4), 694–700. https://doi.org/10.1177/20319525231201274

Moore, P. V. (2022). Problems in protections for working data subjects: The social relations of data production. Global Political Economy, 1(2), 257–270. https://doi.org/10.1332/UKGE7444

Negrón, W. (2021). Little tech is coming for workers: A framework for reclaiming and building worker power. CoWorker.org. https://home.coworker.org/wp-content/uploads/2021/11/Little-Tech-Is-Coming-for-Workers.pdf

Netradyne. (n.d.). Driveri. https://www.netradyne.com/

Niezna, M. (2024). Consent to labour exploitation. Industrial Law Journal, 53(1), 3–33. https://doi.org/10.1093/indlaw/dwad036

Niezna, M., & Davidov, G. (2023). Consent in contracts of employment. The Modern Law Review, 86(5), 1134–1165. https://doi.org/10.1111/1468-2230.12802

Otto, M. (2016). The right to privacy in employment: A comparative analysis. Hart Publishing. http://dx.doi.org/10.5040/9781509906147

Perceptyx. (n.d.). [Computer software]. https://www.perceptyx.com

Ponce Del Castillo, A. (2016). Occupational safety and health in the EU: Back to basics. In B. Vanhercke, D. Natali, & D. Bouget (Eds.), Social policy in the European Union: State of play 2016 (pp. 131–155). European Trade Union Institute; European Social Observatory. https://www.etui.org/sites/default/files/Chap%205.pdf

Ponce Del Castillo, A., & Molè, M. (2024). Worker monitoring vs worker surveillance: The need for a legal differentiation. In A. Ponce Del Castillo (Ed.), Artificial intelligence, labour and society (pp. 157–173). European Trade Union Institute. https://www.etui.org/sites/default/files/2024-03/Chapter13_Worker%20monitoring%20vs%20worker%20surveillance%20the%20need%20for%20a%20legal%20differentiation.pdf

Potocka-Sionek, N., & Aloisi A. (2025). The spillover effect of algorithmic management and how (not) to tame it. In K. Vandaele & S. Rainone (Eds.), The Elgar companion to regulating platform work: Insights from the food delivery sector (pp. 253–271). Edward Elgar Publishing

Prassl, J. (2015). The concept of the employer (1st ed.). Oxford University Press. https://doi.org/10.1093/acprof:oso/9780198735533.001.0001

Ratti, L. (2023). The sword and the shield: The directive on adequate minimum wages in the EU. Industrial Law Journal, 52(2), 477–500. https://doi.org/10.1093/indlaw/dwad001

Risak, M. E., & Dullinger, T. (2018). The concept of “worker” in EU law: Status quo and potential for change. European Trade Union Institute. https://www.etui.org/publications/reports/the-concept-of-worker-in-eu-law-status-quo-and-potential-for-change

Schermer, B. W., Custers, B., & van der Hof, S. (2014). The crisis of consent: How stronger legal protection may lead to weaker consent in data protection. Ethics and Information Technology, 16(2), 171–182. https://doi.org/10.1007/s10676-014-9343-8

Simitis, S. (1986). Gesetzliche regelungen für personalinformationssysteme — Chancen und grenzen. In A. Von Schoeler (Ed.), Informationsgesellschaft oder Überwachungsstaat? (pp. 43–64). VS Verlag für Sozialwissenschaften https://doi.org/10.1007/978-3-322-89373-4_3

Simitis, S. (1987). Reviewing privacy in an information society. University of Pennsylvania Law Review, 135(3), 707–746. https://doi.org/10.2307/3312079

Supiot, A. (2015). Critique du droit du travail. Presses Universitaires de France.

Svantesson, D. J. B. (2018). Enter the quagmire — the complicated relationship between data protection law and consumer protection law. Computer Law & Security Review, 34(1), 25–36. https://doi.org/10.1016/j.clsr.2017.08.003

Trzaskowski, J. (2011). Behavioural economics, neuroscience, and the unfair commercial practises directive. Journal of Consumer Policy, 34(3), 377–392. https://doi.org/10.1007/s10603-011-9169-2

Trzaskowski, J. (2022). Data-driven value extraction and human well-being under EU law. Electronic Markets, 32(2), 447–458. https://doi.org/10.1007/s12525-022-00528-0

Viljoen, S. (2021). A relational theory for data governance. The Yale Law Journal, 131(2), 573–654. https://www.yalelawjournal.org/pdf/131.2_Viljoen_1n12myx5.pdf

Wood, A. J. (2021). Algorithmic management: Consequences for work and organisation and working conditions (JRC Publications Repository No. JRC124874). European Commission. https://publications.jrc.ec.europa.eu/repository/handle/JRC124874