HmbBfDI (Hamburg) - Beschäftigtendatenschutz: Information von Arbeitgeber:innen über krankheitsbedingte Abwesenheiten
HmbBfDI - Beschäftigtendatenschutz: Information von Arbeitgeber:innen über krankheitsbedingte Abwesenheiten | |
---|---|
Authority: | HmbBfDI (Hamburg) |
Jurisdiction: | Germany |
Relevant Law: | Article 9(1) GDPR, Article 32 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 01.04.2024 |
Fine: | 75000 EUR |
Parties: | Complainant Company |
National Case Number/Name: | Beschäftigtendatenschutz: Information von Arbeitgeber:innen über krankheitsbedingte Abwesenheiten |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | German |
Original Source: | Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (in DE) |
Initial Contributor: | CBMPN |
A Hamburg-based company was fined €75,000 for requiring employees to disclose their sickness-related absences to a large email distribution list, violating the GDPR rules on processing special categories of personal data (Article 9(1) GDPR).
English Summary
Facts
The authority was alerted to the violation through a complaint from an employee. The complainant was required to notify a large group of colleagues and supervisors via email about their sickness-related absences, even though some recipients had no direct work-related connection to them. Furthermore, the complainant's supervisor used the same email distribution list to circulate an email listing all of the employee's absence days in a reproachful manner.
Upon investigation, the HmbBfDI found that the company had internal rules requiring employees to report their illness-related absences to their department heads. However, a particular department deviated from this policy for at least a year, requiring employees to notify absences through a pre-set email distribution list, which included 25 recipients. Among them were individuals with no direct work-related connection to the absent employees.
Holding
The authority determined that the health-related absence notifications constituted special category personal data under Article 9(1) GDPR. The company’s approach of broadly sharing this information solely for practical reasons—"better too many than too few"—was deemed unnecessary and excessive. The proper handling of such data should have been limited to direct supervisors and the HR department. Additionally, the supervisor’s dissemination of the complainant’s full absence record served no legitimate purpose within the employment relationship and was viewed as an attempt to shame the employee in front of their peers.
Comment
When determining the amount of the fine, the following mitigating factors were taken into account: a) the extensive cooperation with the supervisory authority, and b) the payment of compensation to the complainant for pain and suffering. The fact that the data processed was health data was taken into account as an aggravating factor.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
1. Employee data protection: informing employers about absences due to illness
Employees must not be required to disclose their absence due to illness to a large number of colleagues if this is not necessary for the purposes of task planning and redistribution. If this happens anyway, there is a risk of severe fines.
During the reporting period, the HmbBfDI conducted a fine procedure against a company based in Hamburg for violations of Art. 32 GDPR and Art. 9 GDPR. The HmbBfDI became aware of this company following a complaint. The complainant complained that he had to inform a large number of colleagues and superiors of his absences due to illness by email, even though he did not work directly with some of the people. Furthermore, his supervisor used the email distribution list to send an email in which all of his days of absence due to illness were listed in a denunciatory manner.
According to the findings of the HmbBfDI, the company had internal regulations on the reporting and proof obligations of employees in the event of illness. These stipulated that sick leave must generally be reported to the manager of the respective department. One department of the company had deviated from this established procedure for at least a period of one year. The employees of this department had been instructed by the department head to report their absences due to illness by email using an email distribution list that had been set up. This distribution list contained 25 recipients.
[Annual Report on Data Protection 2023 - HmbBfDI, page 130]
The recipients were not only the superiors of the employees and their representatives. Rather, the mailing list also contained people who had no direct work connection with the respective employee and whose work processes and performance of tasks were not affected by the employee's absence. The sick notes sent via the mailing list were health data that are considered "special categories of personal data" according to Art. 9 Para. 1 GDPR.
The regulatory authority gives this data a special status. Since they are particularly sensitive by nature, increased requirements are placed on their effective protection. The effective protection offered was not guaranteed by using the large email mailing list when reporting illnesses. The department head's requirement to use the email mailing list set up to report absences due to illness established a procedure through which employees' health data had to be shared with a large group of colleagues and superiors. This procedure was carried out solely for reasons of practicality, according to the motto "it is better to inform too many people about the absence of individual employees than too few", without there being any actual need to do so. Sending sick notes to the direct supervisor and the department responsible for personnel matters, or to a much smaller group of recipients, would have been sufficient to safeguard the employer's rights and obligations.
According to the findings of the HmbBfDI, the disclosure of the complainant's compiled absences to a large number of colleagues by email by the department head was also unnecessary and therefore unlawful. The processing of the complainant's health data associated with sending the email served neither to exercise rights nor to fulfill legal obligations arising from the employment relationship. It was clearly carried out with the purpose of reprimanding and exposing the affected employee in front of his colleagues. However, this does not fall within the scope of an employer's rights and obligations. In any case, in order to prepare for a bilateral discussion with the complainant - which would in fact constitute the exercise of a right under labor law - it was not necessary to disclose the complainant's compiled health data to a large number of other employees.
The HmbBfDI imposed a fine of EUR 75,000 for these violations.
When determining the fine, the facts that extensive cooperation with the supervisory authority had taken place to remedy the violations and that the complainant had been paid compensation for pain and suffering as a means of redress were taken into account as mitigating factors. The fact that the data processed was health data was taken into account as an aggravating factor. This means that special types of personal data were processed that are sensitive by nature and subject to special protection under the provisions of the GDPR. The company accepted the fine and waived its right to appeal.