What happened?
In Berlin, the Commissioner for Data Protection and Freedom of Information imposed fines on a company in response to GDPR violations. The fines totaled more than 200,000 euros.
The fines were imposed because the company had collected and stored information about the health of various employees during their probationary period. It also documented information such as when employees expressed an interest in establishing a works council or regularly used physiotherapy. The management had ordered that this data be collected. This data was then used as the basis for deciding whether to terminate employment contracts before the end of the probationary period. In the process, the company essentially prepared a blacklist of employees in their probationary period as candidates for dismissal. The employees were classified as “critical” or “highly critical” in the “continuing employment” section of the list.
The information had been provided by the employees themselves, for example in the course of shift planning. The employees were not informed that this data was being used to systematically assess them.
Permissible consideration – unlawful data processing
One thing is clear: Companies can and must systematically consider which employment relationships to continue after the end of the probationary period. Articles 5 and 6 of the GDPR permit the collection and processing of personal employee data for this purpose.
However, caution is essential when processing special categories of personal data. Article 9 of the GDPR stipulates that data revealing trade union membership, sex life, ethnic origin or health status, for example, may only be collected and processed in exceptional cases.
The Berlin Commissioner for Data Protection and Freedom of Information issued the following statement:
“The collection, storage and use of employee data must always take place within the permissible context of the employment relationship. This was not the case in this instance. Health data, in particular, is particularly sensitive information which may only be processed within narrow limits.”
Consequently, the systematic collection and analysis of sensitive health data as a basis for decisions related to the employment relationship is fundamentally unlawful. The fact that employees have communicated this information to the employer themselves as part of their work does not change this.
However, storing employee health data is not always prohibited.
For example, health data needs to be collected and stored to enable employers to assess whether they are required
- to carry out company integration management,
- to continue to pay wages,
or whether they are entitled to terminate the employment relationship due to illness.
Employers must also remain able to make the decision on whether to terminate an employment relationship during the probationary period dependent on absence due to illness, among other factors.
However, the data storage exceeded this scope.
How do the data protection authorities determine the fine?
The GDPR itself defines the framework for fines imposed due to data protection violations: Article 83 of the GDPR stipulates fines of up to 20 million euros or up to four per cent of the total global annual turnover achieved in the previous financial year, whichever is higher.
In the case in Berlin, the company's turnover was taken into account first, in accordance with Article 83 of the GDPR. The authorities also took into account the number of employees affected and the fact that processing health data without consent or another legal basis represents a relatively serious violation.
Conversely, they also took into account mitigating circumstances: the company stopped the unauthorized collection and processing of employee data on its own initiative after its activities became public through the press, and it showed understanding and willingly cooperated with the data protection authorities during the proceedings.
As can be seen, cooperating with the authorities combined with something resembling active remorse can definitely lead to lower fines in the event of data protection violations.
Summary of the key facts:
- The management and managers need to be trained in the legal framework governing the handling of sensitive employee data.
- For example, health data may only be collected and processed if this involves a direct link to the employment relationship.
- If a company violates data protection law, demonstrating “active remorse” and cooperating with the authorities can reduce fines.