CJEU - C-342/12 - Worten

From GDPRhub
Revision as of 13:32, 2 December 2021 by FA (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CJEU - C-342/12 Worten
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law:
Article 2 Directive 95/46/EC
Article 6 Directive 95/46/EC
Article 7 Directive 95/46/EC
Article 17 Directive 95/46/EC
Decided: 30.05.2013
Parties: Worten - Equipamentos para o Lar SA
Autoridade para as Condiçoes de Trabalho (ACT)
Case Number/Name: C-342/12 Worten
European Case Law Identifier: ECLI:EU:C:2013:355
Reference from:
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: n/a

In the Worten case, the ECJ held that data contained in the working time register constitute personal data and concludes the controller is responsible for ensuring that necessary security measures in line with the risks and its legal obligations.

English Summary

Facts

On 9 March 2010, the ACT carried out an inspection at a Worten establishment. As a result of the inspection, an official report was drawn up, the main message being that the working time register, as required by national law, was not available for immediate consultation by the ACT.

The report was followed by an order to provide the legally required information from the labour register.

Two years later, by decision of 14 March 2020, the ACT found that Worten had committed a serious breach of labour law for breaching the rules on the working time register set out in Article 202(1) of the Labour Code, as Worten had failed to allow the ACT to immediately consult the working time register of the workers employed in the establishment concerned. The infringement was considered to be grave because the purpose of the working time register is to check immediately and rapidly whether the undertaking's activity is organised in accordance with the rules on working time. A fine of EUR 2 000 was imposed. Worten then brought an action for the annulment of the decision before the Tribunal do Trabalho de Viseu.

The Tribunal decided to stay the proceedings and requested the Court of Justice to give a preliminary ruling on the following questions:

  1. Is Article 2 of Directive 95/46 … to be interpreted as meaning that the record of working time, that is, the indication, in relation to each worker, of the times when working hours begin and end, as well as the corresponding breaks and intervals, is included within the concept of “personal data”?
  2. If so, is the Portuguese State obliged, under Article 17(1) of Directive 95/46 … to provide for appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network?
  3. Likewise, if Question 2 is answered in the affirmative, when the Member State does not adopt any measure pursuant to Article 17(1) of Directive 95/46 … and when an employer, as a controller of such data, adopts a system of restricted access to those data which does not allow automatic access by the national authority responsible for monitoring working conditions, is the principle of the primacy of European law to be interpreted as meaning that the Member State cannot penalise that employer for such behaviour?’

Holding

The Court gives the following answers to the questions referred for a preliminary ruling. Regarding the first question, "Must Article 2 of Directive 95/46/EC be interpreted as meaning that the recording of working time - that is, the recording, for each worker, of the beginning and end of the working period and of breaks or rest periods not included in that period - is to be regarded as personal data?

The Court considers that the data contained in the working time register, relating to daily working periods and rest periods for each employee, constitute personal data within the meaning of Article 2(a) of Directive 95/46/EC, as they are 'information relating to an identified or identifiable natural person'. The Court refers in its answer, inter alia, to the judgments of 20 May 2003 in Joined Cases C-465/00, C-138/01 and C-139/01 Österreicherischer Rundfunk and Others [2003] ECR I 4989, paragraph 64; 16 December 2008 in Case C 524/06 Huber [2008] ECR I 9705, paragraph 43 and 7 May 2009 in Case C 553/07 Rijkeboer [2009] ECR I 3889, paragraph 42).

Consequently, the collection, recording, organisation, storage, access and use of such data by an employer and their transmission to the national authorities responsible for monitoring employment conditions constitute 'the processing of personal data' within the meaning of Article 2(b) of Directive 95/46 (see, to that effect, inter alia, Österreichischer Rundfunk and Others, cited above, paragraph 64, and Huber, cited above, paragraph 43).

The Court deals with the second and third questions together. The national court wishes to know whether Article 17(1) of Directive 95/46 must be interpreted as requiring each Member State to implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and, if so, whether a Member State which has not implemented such measures may penalise an employer who, as the data controller, has established a system of restricted access to those data which is not immediately accessible to the national authority responsible for monitoring employment conditions.

However, that article does not oblige the Member States - unless they are responsible for the processing - to adopt those technical and organisational measures, since the obligation to adopt such measures rests solely with the controller, in this case the employer. That provision, on the other hand, obliges the Member States to include in their national law a provision laying down that obligation. Worten takes the view that the obligation to make the register available for immediate consultation is, in practice, incompatible with the obligation to establish a system providing adequate protection for the data contained in that register. Such an obligation would result in any employee of the undertaking concerned having access to those data, in breach of the obligation in Article 17(1) of Directive 95/46 to ensure the security of those data. Such generalised access would therefore deprive that provision of any useful effect.

The court considers that the argument cannot succeed. Since the employer is under an obligation to give immediate access to the working time register to the national authority responsible for monitoring working conditions. This in no way implies that the personal data in that register must necessarily be made accessible on that sole ground to persons who are not authorised to do so. The controller is responsible for ensuring that security measures are taken in line with the risks and that the accesses deemed necessary by the legislator are also guaranteed.

The Court considers that the answer to the second and third questions is that Article 6(1)(b) and (c) and Article 7(c) and (e) of Directive 96/46 must be interpreted as not precluding national legislation, such as that at issue in the main proceedings, which requires an employer to make a register of working time available to the national authority responsible for monitoring working conditions, on request, in so far as that requirement is necessary to enable that authority to carry out the task of monitoring the application of legislation on working conditions, in particular as regards working time.

Comment

These articles relate to the art. 4 (1), 5, 6 and 32 GDPR.

Further Resources

Share blogs or news articles here!