So far, DPAs in eight EU member states have imposed a total of 17 fines relating to processing of employee data, totalling EUR 613,179. Interestingly, the fines range from minor three-digit amounts to one fine of almost EUR 300,000. In line with the overall findings, the supervisory authority in Spain imposed most of the fines in this category.
Given the overall importance of employee data processing for companies of all sizes and in all sectors, we consider it likely that the number of enforcement cases in relation to processing of employee data will rise in the future. This anticipated rise in cases may also be triggered by the fact that evidence based on processing of personal data is frequently used in employment lawsuits and by the fact that employers' compliance with laws and regulations (including data protection law) is also monitored by unions and/or works councils.
At the same time, cases involving processing of employee data are likely to be legally complex. Processing of personal data in the employment context is closely linked to the national legal framework governing the employer–employee relationship, and established interpretation of such national laws may have a relevant impact on the permitted extent of employee data processing. In this context, even initial analysis of employee data-related fines indicates that relying on consent as the legal basis for processing of employee data is problematic and should be limited to the (rare) cases where an employee has a real choice to give or refuse/withdraw consent; relying on a statutory legal basis (such as performance of contract) may generally be the better choice. In some areas – such as employee monitoring, e.g. by video surveillance/CCTV – different cultural perceptions (as a basis for different legal frameworks) may be relevant in making a legal assessment.