A former employee working in a well-known company was sentenced on Monday, February 21, to one year in prison and a fine of 2,000 dirhams by the Casablanca Criminal Court.
The company accuses the young woman of breach of trust and fraud after discovering, through the technique of telesurveillance (monitoring), that she sent gift cards to fictitious customers whose total value reached 26,000 euros. A sum that she will have to return to the company, in accordance with the judgment rendered against her.
The use of remote monitoring allowed the company to identify the culprit among its employees. The question that now arises is whether the use of this technique is legal and/or subject to conditions?
Contacted by Médias24, lawyers explain that despite the absence of dedicated regulations, the use of monitoring is not therefore illegal. That said, the use of this technique is subject to certain conditionsfailing which the employer falls into illegality and incurs criminal penalties.
Monitoring as a means of proof
Present in court as a witness, the data analyst of the company in question explained to the judge that it was by monitoring, in real timethe employee’s computer screen, that the company was able to ascertain her guilt.
“She opened her session at 8:00 am before sending a gift card, two minutes later, worth 400 euros. At 8:06 a.m., she sends another 900-euro gift card to the same person,” explains the witness, adding that his former colleague “changed the names of real customers by replacing them with those of fictitious people.” All of these transactions were recorded via monitoring.
According to Me Kawtar Jalallawyer at the Casablanca Bar, “monitoring or cyber-surveillance can be defined as the system put in place by the employer to control the use that employees make of the information and communication technologies made available to them. arrangement “.
In the case of this case, the use of this technique was intended to prove the commission of an offence. According to Me Ilias Segamelawyer at the Casablanca Bar, “the activities of the employee which are traced and recorded for the purpose of characterizing serious misconduct are not likely to be used as evidence, in the context of a possible legal action, that when they were legally established and during working hours ».
“In the absence of these two cumulative conditionsserious misconduct cannot be supported by the monitoring and the employer takes the risk of exposing himself to legal proceedings for invasion of privacy Where wrongful dismissal »continues the lawyer.
Indeed, as Me Jalal points out, “cyber-surveillance must be motivated by the good functioning of the organization and not by a need to constantly spy on the employee”. That said, “there is a fine line between the security objective and the collection of data”.
This is the reason why “the employer is bound to respect the privacy of its employees in accordance with the provisions of article 24 of the Moroccan Constitution”, adds Me Kawtar Jalal. For her, the employer can use this technique for security purposes, in particular to protect the company’s network from a virus, or to protect themselves against uses of the Web that may constitute criminal offences.
Inform, proportion, rationalize
Remote monitoring of the employee’s computer screen is not subject to specific regulations. However, as Me Segame points out, this practice is “widely used, particularly in a telework situation”.
The use of telework has increased due to the health context, as Me Kawtar Jalal reminds us. According to her, it is therefore necessary to regulate the practice of monitoring “with a view to reconciling security objectives with the discretionary power of the employer on the one hand, and respect for the privacy of employees on the other. “.
” Thus, according to the directives of the CNDP (National Commission for the Control of the Protection of Personal Data), the development of a telework charter, which may be an amendment to the IT charter, seems essential to lay the foundations for a unified teleworking regime within the company, while defining the rights and obligations of the stakeholders,” she adds.
For Me Segame, “the absence of any express provision relating to monitoring does not mean that this technique is illegal. Rather, it is the use and scope made of it by the employer that makes it possible to assess its illegality”.
“However, certain rules should be observed to maintain the legal nature of the monitoring, in this case:
– inform employees the existence of such a device;
– make a proportionate use monitoring without infringing the privacy of employees;
– carry out the declarations or requests for authorizationif applicable, with the CNDP in the event of the processing of personal data”, specifies the lawyer.
In addition to compliance with the legislation in force relating to the protection of personal data, and the need to inform employees, Me Jalal also underlines the importance of “limiting cyber-surveillance to professional data”.
For the lawyer, the employer must also meet a criterion of “rationality” which implies, according to her, “that the reason for the cyber-surveillance exists before the employer decides to proceed with the surveillance of the computer station of the employee”.
Furthermore, Me Jalal underlines “thatunder no circumstances does the employer have the right to touch the employee’s personal files and messages ; especially if the latter uses personal equipment (telephone or computer)”.
According to Mr. Segame, if the monitoring is set up on the employee’s personal computer, the employer must “obligatorily obtain the employee’s consent”. In any case, “the employer may not make intrusive use of monitoring or have recourse to it outside working hours. Although the use of monitoring in the context of telework makes a lot of sense, this does not mean that permanent and extensive monitoring is justified. In this respect, the employer must take into consideration the employees’ break time during the day, as well as their “right to disconnect”, in order to ensure a balance between professional and private life”.
Means of recourse in the event of abuse
According to Me Iliass Segame, when monitoring is used in compliance with these conditions, the employee cannot bring any action against his employer. That said, in case of abusei.e. in the context of prolonged surveillance, outside working hours, or in the event of unauthorized collection of personal data or violation of privacy, etc., “the employee can file a complaint online on the CNDP website for unauthorized data processing. And if the intrusion persists, the employee can bring an action for unfair dismissal based on the gross negligence of the employerpursuant to Article 40 of the Labor Code”.
For his part, Me Kawtar Jalal returns to the need for the employer to respect the provisions of law 09-08relating to the protection of personal data, “under penalty of incurring the criminal penalties provided for in Chapter 7” of the said law.
“Also, if the employer accesses the personal computer tools and personal data of the employee without his knowledge and without his consent, it is possible that he may be subject to prosecution, in accordance with the provisions of the law 07-03 supplementing the Penal Code with regard to offenses relating to automated data processing systems. This law makes it possible to penalize all unauthorized intrusions into an automated data processing system”, indicates Me Jalal, referring to section 607-3 of criminal law.
The latter provides that “the fact of accessing, fraudulently, in all or part of an automated data processing system, is punishable by one month to three months’ imprisonment and a fine of 2,000 to 10,000 dirhams or one of these two sentences only. Any person who remains in all or part of an automated data processing system to which he has accessed by mistake and when he is not entitled to do so is liable to the same penalty.