Data protection (GDPR) and breach of employees’ personal data

• Compliance/Data Protection/ESG
• IP-IT
• SME

As a rule, companies, while hiring personnel, do all their best to comply with employment regulations. However, sometimes they forget to take care of proper protection of personal data of their staff (including current, former and potential employees) according to applicable data protection regulations, inter alia, the EU General Data Protection Regulation (GDPR) which has extraterritorial force.

Breaches of the GDPR

As the law-enforcement practice shows, quite huge fines for the breach of employees’ personal data may be imposed on companies, and in certain cases – even on private individuals working in such companies.

Video surveillance of employees

For instance, a fine for the total of EUR 10,4 million was imposed on a company, which conducted retail trade in electronics, for video-monitoring its employees during at least 2 years without having any legal basis for doing so. This company installed video cameras which covered the employees’ workplaces, recreation areas, sales areas and warehouses. Moreover, customers of the company were also affected by such video surveillance, as some cameras were pointed at seating areas in the sales area. The aim of such video surveillance was to track the movement of goods in the warehouses as well as prevent and investigate criminal acts. However, the German data protection authority took the view that a company must first consider milder means to prevent theft. Moreover, video surveillance to detect criminal offences was only permissible if there were reasonable suspicion against certain persons (in such a case, it could be permissible to monitor only these certain persons with cameras for a limited period of time).However, the video surveillance, which was conducted by the retailer, was neither limited to specific employees nor to a specific period of time. Moreover, in many cases the video recordings were stored by the company for 60 days, which was significantly longer than required in this particular case.

Excessive data collection

Another fine for the total of EUR 294,000 was imposed on a company for its non-compliance with general data processing principles stipulated by the GDPR, while processing employees’ personal data. In particular, a company was accused by the German data protection authority in “excessive” data collection within the personnel selection process, during which, inter alia,  health data was requested, as well as “unnecessarily long” storage and retention of personnel files.

Disclosure of health-related data of employees to customers

A car trading group was fined for the GDPR violation, in particular, for transferring personal health data of its employee to customers, without any valid legal basis for such transfer. In fact, the company had informed its customer base, which included approximately 3,000 clients, that the reason for the restructuring was the absence of an employee due to illness. Inter alia, the company informed the exact date since which the employee was not able to work as well as that this situation would continue for an indefinite period of time.

Publication of personal data

A university was fined, upon a complaint filed by its former employee, for having published a document which contained his personal data. In fact, that document revealed information related to a legal dispute between the university and its former employee. The Italian data protection authority made a conclusion that the university did not have any valid legal basis to publish it.

Disclosure of personal data

Another company was fined by the Spanish data protection authority, upon a complaint filed by it former employee, for the company’s unlawful disclosure of the employee’s personal data to a credit reporting agency.

Failure to report a data breach

A company, which suffered a data breach during which a certificate of employment containing employee’s personal data was lost, did not report this data breach to the data protection authority. As a result, the company was fined for non-fulfilment of data breach notification obligations.

Questionable consent in the employee/worker relationship

By the way, the police authority was also fined for the total of EUR 12,000 in Italy for having sent personal data of its employees to various administrative units via e-mail. In fact, the list, which was sent, included names, addresses, contact details, tax numbers of employees and their appointments for Covid-19 tests. The police authority referred to the consent given by the employees as the legal basis for such data processing. However, the data protection authority made a conclusion that the police office could not rely on such consent, as far as voluntary consent is questionable in the employee-employer relationship.

Infringement due to careless or improper handling of personal data

A fashion company was fined for the total of over EUR 35 million by the German data protection authority, which found out that for over 5 years this company had been comprehensively recording information on private life circumstances of some of its employees and storing such information on a network drive. For example, when its employees came back to work after their vacation or illness, the company conducted so called “welcome back talk”. The information which became known during such talk (including data on the symptoms of illness and diagnoses of the employees) was recorded and stored. Moreover, some supervisors of the company also used gossips to get a broad knowledge of individual employees, for instance, about their family problems and religious beliefs. The whole information stored on the network drive was accessible to up to 50 managers of the company and was used, inter alia, to evaluate the work performance of the employees and to make employment decisions. However, such data collection became widely known due to a technical configuration error, which resulted in open access to such data within the whole company for several hours.

The German data protection authority has also imposed fines on a number of employees of companies for breach of personal data of other employees. For instance, one employee sent an Excel spreadsheet with data of 56 employees to her private e-mail address from her official computer, though this was not necessary for her official activities at the company. By the way, that spreadsheet included, except for the full names of the employees, information on their wage, an overview of vacation days already taken and remaining, sick days accrued, overtime worked and social security contributions. The data protection authority made a conclusion that this employee had unlawfully transferred the other employees’ data to her private e-mail address.

An employee of another company was also fined for forwarding application documents received by his employer from his work e-mail address to his private e-mail address without authorization. The aim of such transfer was to get suggestions for the design of his own applications. However, that employee had not previously anonymized the CVs, so they still contained personal and professional data of other applicants. The data protection authority made a conclusion that the forwarding of those application documents to his private e-mail address was unlawful, as far as it was not part of his work duties.

Our recommendations

In order to mitigate the risks of being fined for the breach of employees’ personal data, we would recommend, inter alia:

• developing internal documents of the company which would regulate processing of personal data of its current, former and potential employees in compliance with applicable data protection regulations (including GDPR), taking into account relevant law-enforcement practice,

• conducting trainings for employees in order to bring to their attention requirements and restrictions in the area of personal data protection,

• implement other necessary organizational and technical measures in the area of data protection,

• before processing any personal data – assessing it on case-by-case basis and making sure that there is indeed a valid legal basis for such particular data processing.