
GDPR Enforcement in Employment

Deep dive into relevant data protection enforcement cases and insights for employment

21 May 2026 Montenegro 3 min read


DPAs have imposed a total of 191 fines (+40 fines in comparison to the ETR 2025) related to the processing of employee data. The total amount in this category has increased to above EUR 360 million. The average fine amount has slightly decreased to EUR 1.9 million (-EUR 0.5 million in comparison to the ETR 2025). The highest fine since publication of the ETR 2025 was issued by the Polish National Personal Data Protection Office (UODO) in an amount of EUR 4.0 million (ETid-2757) in July 2025.

Key numbers

  • Total number of fines: 191
  • Total amount: EUR 360,807,141
  • Avg./median: EUR 1,889,043
  • Biggest fine: EUR 290,000,000

Let's take a closer look

  • The current 'employment record fine' was recorded in July 2024 when the Dutch supervisory authority issued its EUR 290 million fine against a mobility service provider for transferring personal data of European drivers to the USA without sufficient privacy safeguards (ETid-2447). The DPA’s investigation was launched after a complaint by 170 French drivers. It revealed that the provider had stored sensitive personal data – such as location information, payment details, identity documents and health data – on US servers for over two years without adequate safeguards, as required by the standard contractual clauses.
     
  • Special attention should be paid to the implementation of technical and organisational measures in the employment context: The Polish DPA imposed a fine of EUR 4.0 million on McDonald’s Polska Sp. z o.o. (ETid-2757). The controller used a third-party processor (see ETid-2758) for the purpose of managing work schedules. The controller failed to ensure that the processor had implemented sufficient technical and organisational measures, resulting in a data breach.
     
  • Several other new fines were based on employer missteps related to internal investigations and employee surveillance (ETid-2569; ETid-3043).  

Main takeaways

We assume that the protection of employee data will remain a key field of activity for DPAs, considering the overall importance of their processing for companies of any size and in any sector. Moreover, employers increasingly rely on evidence based on the processing of personal data in employment court proceedings. In this context, employers are well advised to pay special attention when advanced technology is used for HR administration purposes.
In addition, employees are more likely to request information on their stored data and, in conflict situations, may resort to filing complaints with a DPA. Employees are increasingly exploiting employers' uncertainties about data protection to assert other legal positions against employers. It is worth noting that DPA inquiries frequently lead to additional findings beyond the scope of the original employee complaint.
In our experience, employers have had to justify their data protection compliance not only to DPAs but also to trade unions and works councils in recent years.
At the same time, cases involving the processing of employee data remain legally complex: The processing of personal data in the employment context is closely linked to the national legal framework governing the employment relationship. The established interpretation of such national employment laws usually influences the permitted extent of employee data processing.

Compliance hotspots

  • Insufficient legal basis for data processing
  • Transparency and employee information rights

Outlook

It is safe to assume that the compliance hotspots outlined above, in particular, will continue to be relevant for employers across Europe.  

The selection of transparency obligations as the topic for the EDPB’s coordinated enforcement action in 2026 shows that companies should be particularly vigilant when it comes to transparency obligations towards employees. Whether applicants and employees have been informed correctly and extensively could, particularly in case of tensions between the employment parties, potentially be examined more frequently by supervisory authorities in the future.
