Employment

DPAs have imposed a total of 135 fines (+27 fines in comparison to the ETR 2023) related to the processing of employee data. The total amount in this category has increased remarkably to above EUR 59 million (+10.8 million in comparison to the ETR 2023). The average fine amount remained almost identical at EUR 0.5 million compared to last year (in comparison to EUR 0.6 million in the ETR 2022 and EUR 1.2 million in the ETR 2021). The highest fine up to March 2024 was issued by the Dutch Supervisory Authority for Data Protection in an amount of EUR 10 million (ETid-2199).

Employers are well advised to take data protection of employee data seriously. Employee data processing is and will remain a focus for supervisory authorities across Europe. From a legal perspective, employees are considered to be particularly vulnerable. Data protection law is now an established part of the instruments for specific protection of these vulnerable data subjects, in addition to the common mechanisms under general employment law. A considerable number of enforcement cases remain based on data subjects' complaints to supervisory authorities. The employment relationship is an environment in which such complaints – especially in termination scenarios – are now a standard procedure. In addition, (dismissed) employees regularly bring lawsuits before the employment courts to assert additional claims for damages under data protection law. The legal admissibility of processing activities involving employee data is to a large extent shaped by employment law, which – regardless of legal harmonisation in this area – still varies significantly between jurisdictions.

Against this background, employers may wish to use the Enforcement Tracker entries in the employment section to improve their risk management: Every fine indicates a "no go" – at least from a DPA perspective.

Let's take a closer look:

  • The 'employee record fine' entered our lists in 2020: The supervisory authority in Hamburg, Germany issued its EUR 35 million fine against a fashion company for the excessive storage of employee data with an insufficient legal basis (ETid-405). Supervisors at one site had compiled extensive "secret dossiers" on employees over several years, also including sensitive data such as health data obtained in return-to-work interviews and "Flurfunk" [hearsay] relating to family problems and religious beliefs. Supervisors used the dossiers to evaluate employees' work performance and to make employment decisions. Three years later, supervisory authorities still have to intervene because of similar inadmissible data collections: The supervisory authority in Berlin, Germany issued a fine of EUR 215,000 against a company that had documented sensitive information about individual employees without sufficient legal basis, inter alia a possible interest in forming a works council and treatment in psychotherapy (ETid-1995). The French DPA issued a similar fine for the collection of data on the private lives of employees and their family members, including blood type, ethnicity, and political affiliation (ETid-2044).
  • Insufficient fulfilment of information obligations and data subject rights plays a key role among the new entries: The highest new fine in the amount of EUR 10 million was issued by the Dutch DPA against a mobility service provider for failing to provide sufficient information about the storage period and for failing to grant access to the employees' data sufficiently easily. The criteria for the fine were the severity of the infringement and the size of the company, but also the large number of (potentially) affected employees (ETid-2199). Four new fines issued by Italy's Garante concerned incomplete, late or missing answers to data requests from employees (ETid-1770, ETid-2033, ETid-2071, ETid-2073).
  • The remainder of the new fines were essentially based on employer missteps in the regular course of HR administration. Special attention should also be paid to breach notification obligations in the employment context: The Norwegian DPA issued a fine of EUR 220,000 for failure to notify the DPA of a data breach within 72 hours (ETid-1697).

Main takeaways

We still assume that the protection of employee data will remain a key field of activity for DPAs, considering the overall importance of its processing for companies of any size and in any sector. Moreover, employers increasingly rely on evidence based on the processing of personal data in employment court proceedings.

On the other hand, employees may be more likely to request information on their stored data and – in conflict situations (including but not limited to cases ultimately brought to employment courts) – may resort to complaints with a DPA. Employees are increasingly exploiting employers' uncertainties about data protection to assert other legal positions against employers.

In our experience, employers have had to justify their data protection compliance not only to DPAs but also to trade unions and/or works councils in recent years.

At the same time, cases involving the processing of employee data remain legally complex: The processing of personal data in the employment context is closely linked to the national legal framework governing the employment relationship. The established interpretation of such national employment laws usually influences the permitted extent of employee data processing.