Unauthorized Processing of Employee Personal Life Data – Example from German Practice

30 Dec 2024

Relevant Provisions of the GDPR

Article 5 of the GDPR regulates the principles regarding the processing of personal data. Personal data must be:

  • Processed lawfully, fairly, and transparently in relation to the individuals whose data is being processed (lawfulness, fairness, and transparency principle);
  • Collected for specified, legitimate, and lawful purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving in the public interest, for scientific or historical research, or statistical purposes will not be considered incompatible with the original purposes, according to Article 89(1) GDPR (purpose limitation principle);
  • Adequate, relevant, and limited to what is necessary in relation to the purposes for which the data is processed (data minimization principle);
  • Accurate, and, when necessary, updated; reasonable steps must be taken to ensure that personal data which is inaccurate, in relation to the purposes for which it is processed, is erased or rectified without delay (accuracy principle);
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods if it is processed solely for archiving purposes in the public interest, for scientific or historical research, or statistical purposes in accordance with Article 89(1) GDPR, provided that appropriate technical and organizational measures prescribed by the GDPR are applied to safeguard the rights and freedoms of data subjects (storage limitation principle);
  • Processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (integrity and confidentiality principle).

The data controller is responsible for, and must be able to demonstrate compliance with, paragraph 1 of this article (accountability principle).

Article 6 of the GDPR regulates the lawfulness of processing. Personal data processing is lawful only if and to the extent that at least one of the following applies:

  1. Consent of the data subject: The data subject has given consent for the processing of their personal data for one or more specific purposes;
  2. Contract performance: The processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract;
  3. Compliance with a legal obligation: The processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. Protection of vital interests: The processing is necessary to protect the vital interests of the data subject or another person;
  5. Public interest or official authority: The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. Legitimate interests: The processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, particularly where the data subject is a child.

When processing is carried out for purposes other than those for which personal data was originally collected, and it is not based on the data subject's consent or a legal obligation of the Union or Member State which constitutes a necessary and proportionate measure in a democratic society to achieve the goals set out in Article 23(1), the controller must, in determining whether the processing for another purpose is compatible with the original purpose for which the personal data was initially collected, take into account, inter alia:

  • Any connection between the purposes for which the personal data was collected and the purposes for which it is intended to be further processed;
  • The context in which the personal data was collected, particularly regarding the relationship between the data subject and the controller;
  • The nature of the personal data, especially whether special categories of personal data, as referred to in Article 9, or personal data relating to criminal convictions and offenses, as referred to in Article 10, are processed;
  • The possible consequences of the intended further processing for the data subject;
  • The existence of appropriate safeguards, which may include encryption or pseudonymization.


Thus, only processing that is carried out in compliance with the above principles and the GDPR's rules is lawful and correct.

Facts of the Case

Since 2014, the Company had been conducting so-called "Welcome Back Talks," which involve conversations between managers and employees upon their return from temporary incapacity to work (sickness leave) or annual leave.

The subject of these conversations was the employees' specific experiences during their leave and sickness, but also the symptoms of illnesses and diagnoses.

Moreover, during these conversations, some managers gained extensive knowledge about their employees' private lives, ranging from relatively harmless details to family issues and religious beliefs.

These talks were extensively documented and stored on the network drive. The notes were sometimes very detailed and updated over time, and sometimes they were accessible to a large number of managers in the Company.

These data, collected in this manner, along with the evaluation of individual employee performance, were used in decision-making procedures concerning the employees' employment status.

This practice became known when, due to a configuration error, the relevant notes became accessible to everyone in the Company for several hours in October 2019.

The Commissioner was notified about the data processing through press reports and ordered that the content of the network drive be completely "frozen" and then requested it be delivered to them.

The Company complied with the Commissioner's order and delivered a set of data, approximately 60 gigabytes, for analysis. After the data had been analyzed, testimonies from several witnesses confirmed the documented practices.

Outcome

The Commissioner’s decision established a violation of employees' personal data protection rights, as the data was not processed in accordance with the principles and provisions of Articles 5 and 6 of the GDPR.

The Company was fined EUR 35,258,708 for processing data related to the private lives of employees and allowing access to it by 50 managers, and for making decisions about employees' employment status based on this data.

The Company was required to issue an apology to the employees, pay compensation, and implement corrective measures such as appointing a new data protection coordinator, providing monthly reports on the status of data protection, and other measures.

This Decision specifically emphasizes the need for employers, as data controllers, to continuously review internal processes, as well as to ensure that personal life data of employees is processed exceptionally, meaning only when absolutely necessary and justified by a legitimate purpose. In other words, the purpose and legal basis for such processing must exist, be clear, and transparently communicated to employees. Any contrary action will constitute unlawful data processing, both in the EU and in Serbia.

Borinka Dobrnjac

Senior Associate

borinka.dobrnjac@prlegal.rs; legal@prlegal.rs