GDPR Enforcement Tracker Report - Employers

Continuing a general trend, DPAs in now 15 EU Member States have imposed a total of 42 fines (+25 compared with the ETR 2020) related to the processing of employee data, with a total amount of over EUR 47 million (+46.38 million compared with the ETR 2020). The reported fines range from minor 3-digit amounts to 2 fines of more than EUR 10 million (both in Germany). In line with the overall findings, the supervisory authority in Spain continues to impose the most fines in this category.

Let's take a closer look:

  • A German supervisory authority issued a fine of EUR 35 million for the excessive storage of employee data without a sufficient legal basis. Supervisors at the fashion company concerned (ETid-405) had compiled extensive "secret dossiers" on employees over several years. These dossiers included health data obtained in return-to-work interviews and "Flurfunk" [hearsay] relating to family problems and religious beliefs. Supervisors used the dossiers to evaluate employees' work performance and to make employment decisions. After the violation became known due to a technical configuration error, the management apologised to the employees and offered monetary compensation. The company did not appeal against the fine.
  • Several DPAs issued fines of up to EUR 38,600 (ETid-524) for the improper use of employees' email accounts, e.g. accessing employees' correspondence after they had left the company or during long-term sick leave without the data subjects' knowledge.
  • As in the previous year, DPAs issued a number of fines in relation to the unlawful monitoring of employees by means of video surveillance/CCTV. In general, DPAs either considered the employee monitoring as such unlawful or the extent of the monitoring disproportionate, or criticised a lack of transparent information for employees. Notable was a fine of EUR 10.4 million imposed on a German electronics retailer (ETid-519). The company had been video-monitoring its employees for at least two years in workplaces and recreation areas. The DPA rejected the retailer's argument that the purpose of the installed video cameras was theft prevention and investigation. The DPA required the retailer to use less intrusive measures (i.e. limit the surveillance to certain time slots) and to have reasonable suspicion against specific persons as a prerequisite for surveillance.

Main takeaway:

We expect the protection of employee data to become an established and key field of activity for DPAs, considering the overall importance of employee data processing for companies of any size and in any sector. Moreover, employers increasingly rely on evidence derived from the processing of personal data in employment court proceedings.

In our experience, employers have had to justify their data protection compliance not only to DPAs but also to trade unions and/or works councils in recent years. Employees are increasingly exploiting employers' uncertainties about data protection to assert other legal positions against employers.

At the same time, cases involving the processing of employee data remain legally complex: the processing of personal data in the employment context is closely linked to the national legal framework governing the employment relationship. The established interpretation of such national employment laws usually determines the permitted extent of employee data processing.

A first analysis of employee data-related fines indicates that relying on a statutory legal basis (such as performance of contract) for data processing may be the best choice for employers. Because of the assumed structural imbalance between employers and employees, employee consent remains limited to individual, specific cases in which employees have a "real choice".