BlnBDI (Berlin) - 02.08.2023
| BlnBDI - Eine Liste mit Informationen über Beschäftigte in der Probezeit | |
|---|---|
 | |
| Authority: | BlnBDI (Berlin) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 5(1)(b) GDPR Article 9(2) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 02.08.2023 |
| Fine: | 215,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | Eine Liste mit Informationen über Beschäftigte in der Probezeit |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | German |
| Original Source: | BlnBDI - press release (in DE) |
| Initial Contributor: | mg |
A German DPA fined a company €215,000 for having unlawfully processed health data of its employees in the context of potential terminations of their contracts.
English Summary
Facts
The controller – a company – kept a database with special categories of personal data of its employees. The database was kept for the purpose of choosing the employees to fire at the end of a probationary period. Such database included information about the psychological status of some employees, requests for psychotherapy, and their likeliness to join a workers’ union. A data subject lodged a complaint and a German DPA (Berlin) started an investigation against the controller.
Holding
The DPA found that the controller unlawfully processed special categories of data in violation of Article 9(2) GDPR, including health data.
The DPA also ruled out that the contract between the employer and employees could be a valid legal basis for the processing at issue. It is true that under specific circumstances an employer can request its employees to provide certain data, including sensitive ones. Nevertheless, the processing activities at issue in the present case, even when based on data provided directly by workers, were not necessary in the context of the contract and violated the principle of purpose limitation under Article 5(1)(b) GDPR.
In light of the above, the DPA fined the controller €215,000.
Comment
This decision has been made public by the DPA by means of a press release. As no reference to specific GDPR articles could be found in the text, the provisions mentioned in this summary were inferred by the author.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
The Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) has imposed fines totaling 215,000 euros on a company. The company had i.a. illegally documents sensitive information about the state of health of individual employees or their interest in establishing a works council. The fine notice is not yet final. In order to prepare for possible terminations at the end of the probationary period, a supervisor, on instructions from the company's management, kept a tabular overview of all employees in the probationary period from March to July 2021. The Berlin data protection officer found out about the incident through media reports and a personal complaint from one of those affected and initiated an investigation. In the overview, the supervisor listed all employees in the probationary period and rated the further employment of eleven people as "critical" or "very critical". . This classification was explained in more detail in a table column headed “Rationale”. Information on personal statements as well as health and non-operational reasons that would prevent flexible shift allocation was found here. A possible interest in the establishment of a works council and regular participation in psychotherapy were also mentioned here. In many cases, the employees themselves provided the information listed for duty scheduling. They were not aware of the further processing in the list. The Berlin data protection officer came to the conclusion during their examination that the processing of the data collected in the cases complained of was not lawful. In addition to punishing this structural violation, the BlnBDI imposed three further fines on the company totaling around 40,000 euros due to the company data protection officers not being involved in the creation of the list, late reporting of a data breach and failure to mention the list in the processing directory.Meike Kamp, Berliner Commissioner for data protection and freedom of information: “The collection, storage and use of employee data must always take place in the permissible context of the employment relationship. That was not the case in this case. Health data in particular is particularly sensitive information that may only be processed within narrow limits.” In principle, employers are allowed to consider to what extent employees should continue to be employed and to this extent also process personal data. However, the data processed must be suitable and necessary for this purpose. You may only allow conclusions about performance or behavior that are directly related to the employment relationship. Employers are also not allowed to simply process information provided by employees themselves, but must check whether the processing is necessary and appropriate. When calculating the fines, the BlnBDI took into account the company's turnover and the number of employees affected. In addition, it was taken into account that the processing of health data in particular without a legal basis constitutes a particularly serious infringement. Among other things, takes into account that the company has cooperated extensively with the BlnBDI and has already stopped the violation of its own accord after it became public knowledge without being asked.
