Employers

GDPR Enforcement Tracker Report - Employers

 

So far, DPAs in eight EU member states have imposed a total of 17 fines relating to processing of employee data, totalling EUR 613,179. Interestingly, the fines range from minor three-digit amounts to one fine of almost EUR 300,000. In line with the overall findings, the supervisory authority in Spain imposed most of the fines in this category.

Let's take a closer look

  • A German supervisory authority issued a fine of EUR 294,000 for "unnecessarily long" storage and retention of employee files and for "excessive" data collection in the recruitment process, during which health data was also requested.
  • The Greek DPA (HDPA) issued a fine of EUR 150,000 to a company for processing personal data of their employees based on consent which the HDPA deemed inappropriate. Additionally, the company violated their information obligations as they did not inform their employees correctly about the legal basis for data processing.
  • The supervisory authority in Cyprus found that the use of a formula ("Bradford factor") to measure employees' sick leave absences constituted unlawful processing of special categories of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement.
  • A variety of fines were imposed in relation to monitoring of employees by means of video surveillance/CCTV, ranging from EUR 9,000 to EUR 20,000. In some cases, the employee monitoring as such was considered unlawful, in other cases, the extent of the monitoring was not proportionate; usually there was also a lack of transparent information for employees.

Main takeaway

Given the overall importance of employee data processing for companies of all sizes and in all sectors, we consider it likely that the number of enforcement cases in relation to processing of employee data will rise in the future. This anticipated rise in cases may also be triggered by the fact that evidence based on processing of personal data is frequently used in employment lawsuits and by the fact that employers' compliance with laws and regulations (including data protection law) is also monitored by unions and/or works councils.

At the same time, cases involving processing of employee data are likely to be legally complex. Processing of personal data in the employment context is closely linked to the national legal framework governing the employer–employee relationship, and established interpretation of such national laws may have a relevant impact on the permitted extent of employee data processing. In this context, even initial analysis of employee data-related fines indicates that relying on consent as the legal basis for processing of employee data is problematic and should be limited to the (rare) cases where an employee has a real choice to give or refuse/withdraw consent; relying on a statutory legal basis (such as performance of contract) may generally be the better choice. In some areas – such as employee monitoring, e.g. by video surveillance/CCTV – different cultural perceptions (as a basis for different legal frameworks) may be relevant in making a legal assessment.