Commissioner - 11.17.001.008.042

From GDPRhub
Authority: Commissioner (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 4(11) GDPR; Article 5(1)(c) GDPR; Article 7(3) GDPR; Article 9(2) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 12.01.2021
Published:
Fine: None
Parties: n/a
National Case Number/Name: 11.17.001.008.042
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: Commissioner (in EN)
Initial Contributor: Agnieszka Rapcewicz

The Cyprus Data Protection Authority (Επίτροπος Δεδομένων Προσωπικού Χαρακτήρα) found that consent is not an appropriate legal basis for processing employees' personal health data.

English Summary

Facts

In this particular case, the employee had no possibility to refuse or withdraw such consent without negative consequences, because without consent a person would not have been offered employment. In addition, the DPA considered that, in principle, consent should not be used as a basis for data processing in the relationship with the employee due to the imbalance of the parties. An employer should explore the specific exceptions in Article 9(2)(b) GDPR to Article 9(2)(j) GDPR to lawfully process health-related data of employees.

An employee who worked for the company Sea Chefs Cruises Ltd (the controller) lodged a complaint in Germany against the company. The complaint was transmitted to the Commissioner for Personal Data Protection (Cyprus SA), which was acting as the lead authority in this matter.

The complainant considered a document named "Authorization for release of medical records" to violate the GDPR provisions. The company requires its employees to sign this document before beginning work on a ship, so that it can access their medical records in order to assist the employees with medical care, arrange any associated travel and handle any medical claim in the event of a medical incident taking place onboard.

The information provided by the company concerning the requirement to sign an authorization indicates that a person may refuse to give authorization, but it would then not be possible to employ that person on the ship due to the company's inability to fulfil its obligations under the collective agreement, to provide medical assistance if necessary, or to establish that the person is fit to work.

Dispute

Does the processing of employees' health-related data by Sea Chefs Cruises Ltd based on consent violate the GDPR?

Holding

The DPA ordered the controller:
a) to cease the processing of health data of employees based on consent;
b) to bring the processing operations into compliance with the provisions of the GDPR, and in particular to take action so as to process only those health-related data in the employment context which are necessary for the discharge of obligations laid down by law or by the collective agreements for the purposes of the recruitment, the performance of the contract of employment, health and safety at work, and the exercise and enjoyment of rights and benefits of employees;
c) to inform the Commissioner of the actions taken to comply with this Decision at the latest within one month from the date of this decision.

English Machine Translation of the Decision

Please see the original decision which is already in English.