Employment

DPAs have imposed a total of 108 fines (+32 in comparison to the ETR 2022) related to the processing of employee data. The total amount in this category has only increased minimally to slightly above EUR 48 million (+0.5 million in comparison to the ETR 2022) for the second consecutive year. The average fine amount shrank again to EUR 0.5 million (in comparison to EUR 0.6 million in the ETR 2022 and 1.2 million in the ETR 2021), in particular because none of the new fines came even close to previous record amounts. The highest fine up to March 2023 was again issued by Garante in Italy in an amount of EUR 100,000 (ETid-1537).

Despite the comparably reassuring statistics, employers are well advised to take a look behind the simple figures and not to be lulled into a false sense of security: the highest fine in the employment category still features in the list of top 10 fines. Employee data processing is and will remain a special focus for supervisory authorities across Europe. From a legal perspective, employees are considered to be particularly vulnerable. Data protection law is now part of the instruments for specific protection of these vulnerable data subjects in addition to the common mechanisms under general employment law. In addition, a relevant number of enforcement cases is apparently based on data subjects’ complaints to supervisory authorities. The employment relationship is an environment in which such complaints – especially in termination scenarios – are more likely than elsewhere. In addition, (dismissed) employees more frequently introduce lawsuits before the employment courts to assert additional claims for damages under data protection law. Last but not least, the legal admissibility of processing activities including employee data is to a large extent shaped by employment law which – regardless of legal harmonisation in this area – still varies significantly between jurisdictions.

Against this background, employers may wish to use the Enforcement Tracker entries in the employment section to improve their risk management: Every fine indicates a "no go" – at least from a DPA perspective.

Let's take a closer look:


  • The 'employee record fine' entered our lists already in 2021 and has kept its place in the overall top ten table ever since: The supervisory authority in Hamburg, Germany, issued the EUR 35 million fine against a fashion company for the excessive storage of employee data with an insufficient legal basis (ETid-405). Supervisors at one site had compiled extensive "secret dossiers" on employees over several years, including sensitive data such as health data obtained in return-to-work interviews and "Flurfunk" [hearsay] relating to family problems and religious beliefs. Supervisors used the dossiers to evaluate employees' work performance and to make employment decisions.
  • Employee surveillance is still a hot topic beyond the German landmark case: the highest new fine in the amount of EUR 100,000 was issued by Italy's Garante against the Lazio region (ETid-1537) in regard to the monitoring of employee email accounts. Handling of employee email was relevant in another Italian case (ETid-1185), as well as in cases in Norway (ETid-1181) and Belgium (ETid-1121). Employee monitoring via CCTV and microphones in an employee changing room led to a EUR 20,000 fine in Spain (ETid-1387), but the 'CCTV cases' did not reach the significant number reported in the ETR 2022. Instead, the use of biometric data for attendance monitoring purposes emerged as a new topic (ETid-1542, ETid-1635).
  • The remainder of the new fines was essentially based on employer mistakes in the regular course of HR administration. Special attention should be paid to the confidentiality of employee data, as fines were issued for a certain number of unjustified disclosures of such data to third parties, e.g. to new employers of former employees, to employers’ customers or to the general public, often by publication of employee personal data on websites (ETid-1147, ETid-1133, ETid-1290, ETid-1334).

Main takeaways

We still assume that the protection of employee data will remain a key field of activity for DPAs, considering the overall importance of its processing for companies of any size and in any sector. Moreover, employment courts are paying stricter attention to whether evidence presented by employers in employment court proceedings is admissible or must remain disregarded due to violations of data protection laws during its gathering.

Employees may be more likely to raise complaints with a DPA, especially in case of conflict situations. Cases ultimately brought before employment courts can additionally include claims for damages based on data protection violations.

In our experience, employers have had to justify their data protection compliance not only to DPAs but also to trade unions and/or works councils in recent years. Employees and co-determination bodies are increasingly exploiting employers' uncertainties about data protection to assert other legal positions against employers.

At the same time, cases involving the processing of employee data remain legally complex: the processing of personal data in the employment context is closely linked to the national legal framework governing the employment relationship, and the established interpretation of such national employment laws usually influences the permitted extent of employee data processing. This poses a particular challenge for international organisations, which frequently try to apply uniform HR data processing policies across global organisations and/or operate integrated HR management systems, and it requires increased compliance efforts.

A first analysis of employee data-related fines indicates that employers' reliance on a statutory legal basis (such as performance of contract) for their data processing may be the best choice. Employee consent remains – due to the assumed structural imbalance between employers and employees – limited to individual, specific cases in which employees have a "real choice".

Authors

Michael Kamps
Partner
Rechtsanwalt
Cologne
Dr. Christoph Ceelen
Principal Counsel
Rechtsanwalt | Fachanwalt für Arbeitsrecht (Certified lawyer for labor and employment law)
Munich