Commissioner (Cyprus) - 11.17.001.008.042: Difference between revisions
ARapcewicz (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Cyprus |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoCY.jpg |DPA_Abbrevation=Commissioner |DPA_With_Country=Commissioner (Cyprus) |Case...") |
m (Ar moved page Commissioner - 11.17.001.008.042 to Commissioner (Cyprus) - 11.17.001.008.042) |
||
| (6 intermediate revisions by 4 users not shown) | |||
| Line 54: | Line 54: | ||
}} | }} | ||
The Cyprus Data Protection Authority found that consent is not an appropriate legal basis for processing employees' personal health data. | The Cyprus Data Protection Authority (Επίτροπος Δεδομένων Προσωπικού Χαρακτήρα) found that consent is not an appropriate legal basis for processing employees' personal health data. | ||
==English Summary== | |||
===Facts=== | |||
In this particular case, the employee had no possibility to refuse or withdraw such consent without negative consequences, because without consent a person would not have been offered employment. In addition, the DPA considered that, in principle, consent should not be used as a basis for data processing in the relationship with the employee due to the imbalance of the parties. An employer should explore the specific exceptions in [[Article 9 GDPR|Article 9(2)(b) GDPR]] to [[Article 9 GDPR|Article 9(2)(j) GDPR]] to lawfully process health-related data of employees. | |||
An employee who worked for the company Sea Chefs Cruises Ltd (the controller) lodged a complaint in Germany against the company. The complaint was transmitted to the Commissioner for Personal Data Protection (Cyprus SA), which was acting as the lead authority in this matter. | |||
The complainant considered a document named “Authorization for release of medical records" as violating the GDPR provisions. The above document is required by the company from its employees before beginning work on a ship to have access to their medical records to be able to assist the employees with medical care, arrange any associated travel and handle any medical claim, in the event of a medical incident taking place onboard. | |||
The information provided by the company concerning the requirement to sign an authorization indicates that a person may refuse to give authorization, but it would then not be possible to employ that person on the ship due to the company's inability to fulfil its obligations under the collective agreement, to provide medical assistance if necessary, or to establish that the person is fit to work. | |||
===Dispute=== | |||
=== Dispute === | |||
Does the processing of employee’s health-related data by Sea chefs Cruises Ltd based on consent violate the GDPR? | Does the processing of employee’s health-related data by Sea chefs Cruises Ltd based on consent violate the GDPR? | ||
=== Holding === | ===Holding=== | ||
The DPA ordered the controller: | The DPA ordered the controller: a) to cease the processing of health data of employees based on consent, b) to bring the processing operations into compliance with the provisions of the GDPR and in particular to take actions as to process only those health related data in the employment context which are necessary for the discharge of obligations laid down by law or by the collective agreements for the purposes of the recruitment, the performance of the contract of employment, health and safety at work, and the exercise and enjoyment of rights and benefits of employees, c) to inform the Commissioner on the actions taken to comply with this Decision at the latest within one month from the date of this decision. | ||
a) to cease the processing of health data of employees based on consent, | ==Comment== | ||
b) to bring the processing operations into compliance with the provisions of the | |||
GDPR and in particular to take actions as to process only those health related data | |||
in the employment context which are necessary for the discharge of obligations laid | |||
down by law or by the collective agreements for the purposes of the recruitment, the | |||
performance of the contract of employment, health and safety at work, and the | |||
exercise and enjoyment of rights and benefits of employees, | |||
c) to inform the Commissioner on the actions taken to comply with this Decision at | |||
the latest within one month from the date of this decision. | |||
== Comment == | |||
''Share your comments here!'' | ''Share your comments here!'' | ||
== Further Resources == | ==Further Resources== | ||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' | ||
== English Machine Translation of the Decision == | ==English Machine Translation of the Decision== | ||
The decision below is a machine translation of the English original. Please refer to the English original for more details. | The decision below is a machine translation of the English original. Please refer to the English original for more details. | ||
Latest revision as of 16:52, 6 December 2023
| Commissioner - 11.17.001.008.042 | |
|---|---|
 | |
| Authority: | Commissioner (Cyprus) |
| Jurisdiction: | Cyprus |
| Relevant Law: | Article 4(11) GDPR Article 5(1)(c) GDPR Article 7(3) GDPR Article 9(2) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 12.01.2021 |
| Published: | |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | 11.17.001.008.042 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | English |
| Original Source: | Commissioner (in EN) |
| Initial Contributor: | Agnieszka Rapcewicz |
The Cyprus Data Protection Authority (Επίτροπος Δεδομένων Προσωπικού Χαρακτήρα) found that consent is not an appropriate legal basis for processing employees' personal health data.
English Summary
Facts
In this particular case, the employee had no possibility to refuse or withdraw such consent without negative consequences, because without consent a person would not have been offered employment. In addition, the DPA considered that, in principle, consent should not be used as a basis for data processing in the relationship with the employee due to the imbalance of the parties. An employer should explore the specific exceptions in Article 9(2)(b) GDPR to Article 9(2)(j) GDPR to lawfully process health-related data of employees.
An employee who worked for the company Sea Chefs Cruises Ltd (the controller) lodged a complaint in Germany against the company. The complaint was transmitted to the Commissioner for Personal Data Protection (Cyprus SA), which was acting as the lead authority in this matter.
The complainant considered a document named “Authorization for release of medical records" as violating the GDPR provisions. The above document is required by the company from its employees before beginning work on a ship to have access to their medical records to be able to assist the employees with medical care, arrange any associated travel and handle any medical claim, in the event of a medical incident taking place onboard.
The information provided by the company concerning the requirement to sign an authorization indicates that a person may refuse to give authorization, but it would then not be possible to employ that person on the ship due to the company's inability to fulfil its obligations under the collective agreement, to provide medical assistance if necessary, or to establish that the person is fit to work.
Dispute
Does the processing of employee’s health-related data by Sea chefs Cruises Ltd based on consent violate the GDPR?
Holding
The DPA ordered the controller: a) to cease the processing of health data of employees based on consent, b) to bring the processing operations into compliance with the provisions of the GDPR and in particular to take actions as to process only those health related data in the employment context which are necessary for the discharge of obligations laid down by law or by the collective agreements for the purposes of the recruitment, the performance of the contract of employment, health and safety at work, and the exercise and enjoyment of rights and benefits of employees, c) to inform the Commissioner on the actions taken to comply with this Decision at the latest within one month from the date of this decision.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Please see the original decision which is already in English.
