Persónuvernd (Iceland) - 2022050940
From GDPRhub
| Persónuvernd - 2022050940 | |
|---|---|
 | |
| Authority: | Persónuvernd (Iceland) |
| Jurisdiction: | Iceland |
| Relevant Law: | Article 5(1) GDPR Article 6 GDPR Article 15 GDPR Article 35 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 18.05.2022 |
| Decided: | 28.03.2023 |
| Published: | |
| Fine: | n/a |
| Parties: | Icelandair |
| National Case Number/Name: | 2022050940 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Icelandic |
| Original Source: | Persónuvernd (in IS) |
| Initial Contributor: | ls |
The Icelandic DPA held that by encouraging its staff to evaluate each other's performance in an app after each flight, Icelandair violated the principles of data minimisation, lawfulness, fairness and transparency and should have conducted a prior data protection impact assessment.
English Summary
Facts
A news report revealed that the flight attendants working for Icelandair were required to evaluate each other at work. This led the Icelandic DPA to open an investigation on the compliance of that mechanism with GDPR. On 19 May 2022, the DPA informed Icelandair of the investigation and invited it to provide explanation.
Icelandair explained that it ran an app called Crew App containing a possibility to evaluate the performance of colleagues. It works in the following way: 45 minutes after landing, the app announces that the performance evaluation is open. Flight attendants can then submit evaluation for 48 hours. This evaluation includes a grade from 1 to 5 with a written justification and text boxes where it is possible to enter text. The employees can consult their own average evaluation in the program only if they participated in performance evaluation of others.
The company explained that the purpose of the evaluation was to make employees aware of their performance. It also argued that the collective agreement between Icelandair and the Flight Attendants Association of Iceland stated among other things that performance must be taken into account when offering promotions and management positions. Therefore, regarding the legal basis, Icelandair stated (1) to have a legitimate interest in the performance evaluation and (2) that it is necessary to perform a contractual obligation arising from the collective agreement with the Flight Attendants Association. Finally, the company stated that the processing met the transparency requirements: the staff received a detailed introduction to use the app and could request access to their data under Article 15 GDPR.
The company also believed that it was not obliged to carry out a data protection impact assessment under Article 35 GDPR due to the nature of the processing: assessment and grading. It considered that this processing could not be seen as systematic or on a large scale of special categories of personal data since the data were provided only on a voluntary basis, whenever the employees decided to enter it.
Holding
Concerning the legal basis, the DPA held that under national law, the collective agreement between the company and the Flight Attendant Association could not be considered as a contract but was closer to a legal obligation. The contractual obligation was therefore not a valid legal basis. The DPA therefore assessed if the processing was necessary to fulfill a legal obligation and considered that the necessity condition was missing. Indeed, other mechanisms could have been set in place to collect staff evaluation.
The DPA also examined the compliance of the processing with the principles set out in Article 5(1) GDPR. Regarding the accuracy principle, the DPA considered that the fact that the staff evaluates each other’s performance, knowing that this evaluation plays a role in their promotions, could incentivise to provide negative or false reviews.
Concerning the minimization, the DPA considered the processing as “quite extensive”. Since the staff could provide evaluation for each flight, the amount of personal data collected could be considerable depending on how active the employees were. Regarding the necessity, the DPA held that there could be less intrusive ways to collect the evaluation than after every flight.
Finally, the DPA assessed the need for a data protection impact assessment under Article 35 GDPR. Taking into account the considerable amount of data and the fact that the flight attendants could evaluate each other after each flight, the DPA considered that it constituted systematic and extensive evaluation. Therefore, Icelandair should have conducted an impact assessment prior to the processing.
The DPA concluded that Icelandair did not demonstrate its respect of Article 5(1)(a) and (c) GDPR and should have conducted an impact assessment under Article 35 GDPR and ordered it to comply with the requirements and to send a description of the measures taken for such.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.
Solutions Processing Icelandair ehf. on personal information Case no. 2022050940 28.3.2023 When personal data is processed, the principles of privacy legislation must always be followed, including proportionality and fairness. The principle of proportionality implies that no more personal data should be processed than is necessary, and the principle of fairness primarily relates to the rights of individuals, e.g. information rights and access rights. In this case, the processing was quite extensive, but the employees of Icelandair ehf. could evaluate each other's work and sign up for apps. Therefore, the Personal Protection Authority believed that proportionality and fairness were not observed when processing the personal information. ---- Personal protection has completed its initiative review of the processing of Icelandair ehf. on the personal information of the company's flight attendants and flight attendants. More specifically, the Personal Protection Agency started an initiative investigation following a news report and suggestions that the flight attendants and flight attendants of Icelandair ehf. have been asked to evaluate each other at work and record that evaluation in a specific applet. The conclusion of the Privacy Protection was that the processing of Icelandair ehf. on the personal information of flight attendants and flight attendants with the applet did not comply with the principles of the Personal Protection Act on proportionality and fairness. Furthermore, it was the conclusion of the Personal Protection Authority that Icelandair ehf. has violated its obligation to carry out an assessment of the impact of said processing on personal protection before it began. Personal data protection proposed for Icelandair to bring the processing of personal information in connection with the performance evaluation of the company's flight attendants and flight attendants into compliance with the provisions of the privacy legislation. Confirmation of this must have been received by Personal Protection no later than April 28, 2023 together with a description of the measures that have been taken. Decision due to an initiative check on the processing of personal information of flight attendants and flight attendants by Icelandair ehf. in case no. 2022050940: i Procedure 1. Outline of a case On the occasion of a news report and following a suggestion that the Personal Protection Agency received that the flight attendants and flight attendants of Icelandair ehf. (hereafter Icelandair) are required to evaluate each other at work and record that evaluation in a specific application, the organization decided to start an examination of whether the processing of personal information was compatible with Act no. 90/2018, on personal protection and processing of personal data, and Regulation (EU) 2016/679. By letter, dated On May 19, 2022, Icelandair's Data Protection Agency notified the agency of the organization's initiative investigation and invited the company to provide explanations. The Norwegian Data Protection Agency also requested information about which applet it was in question and a description of how it is used, as well as certain data. Icelandair's answers and the requested data were received by today's letter. 16 June s.á. By letter, dated On July 7th, the Data Protection Authority requested more detailed explanations of several points in Icelandair's reply letter, as well as additional data. Icelandair's answers and the requested data were received by letter dated 11 August s.á. When resolving the case, all of the above-mentioned data have been taken into account, although not all of them are separately explained in the following decision. 2. Icelandair's point of view Icelandair has stated that it is a small program called Crew App that contains the possibility of evaluating the performance of colleagues through a sub-link called MyMotivation. The program works in such a way that 45 minutes after landing, an announcement is made that the flight is open for performance evaluation. Flight attendants and flight attendants can submit performance evaluations for 48 hours after landing. When the evaluation is opened, a grade of 3 is automatically given, but it is possible to give a higher or lower score, especially on a scale of 1 to 5, which must then be justified in writing. An employee can see the average performance evaluation for himself in the applet. The assessment is then divided into more elements, and the employees themselves can enter text into an open text box. It is assumed that the information provided in these text boxes can be deleted if it is unreliable or incomplete. This includes sensitive personal information and other information of a sensitive nature. The company considers that in all such cases the relevant information should be deleted without delay. The data is updated once a month, but only if the employee has participated in providing performance evaluations to others. It is therefore not possible to trace feedback to the individuals who provide it, and this is ensured by the fact that a certain number of flies have to live behind them. Previously, the performance of flight attendants and flight attendants was evaluated in a different way, as a general rule, where special line trainers were on board individual flights and gave employees a rating for performance. Performance was then reviewed with the relevant employee at the end of each flight. The experience of that arrangement has revealed that the promotions of flight attendants and flight attendants have generally only taken into account seniority and not performance, which should also be evaluated according to the collective agreement. The company therefore considered that the arrangement in question did not produce the desired results, as it was generally not possible to evaluate the performance of the employees based on it. This arrangement has now been abolished and it is hoped that the current evaluation will be shorter, more concise and make employees more aware of their own performance. The collective agreement between Icelandair and the Flight Attendants Association of Iceland (hereafter FFÍ) states that seniority and performance must be taken into account when promotions on board Icelandair aircraft and when selecting management positions. In a protocol that was made with the collective agreement on January 4, 2010, it says that the performance evaluation and employee evaluation must be done by Icelandair, but that the structure and implementation must be consulted with FFÍ. In light of this, Icelandair has a legitimate interest in evaluating the performance of the company's flight attendants and flight attendants, and is it actually necessary to fulfill the provisions of the wage agreement between Icelandair and FFÍ. Although Icelandair believes that the processing is based on legitimate interests and is necessary in order to enforce the provisions of the collective agreement, the company has decided to take a cautious step in the beginning. In this way, flight attendants and flight attendants are not obliged to participate in performance evaluation through the app, but anyone can decide that the person's performance will not be evaluated with the program. In this respect, the company does less than it considers permissible and the processing of personal information in the program is in full accordance with what happens with other European airlines. Furthermore, Icelandair believes that the processing of personal information in the applet is compatible with the principles of personal protection. This is information that is processed in a legal, fair and transparent manner towards the data subject. The use of the small program was introduced to the staff in detail, both at meetings and courses, which all flight attendants and flight attendants attended. In addition, FFÍ was consulted before the use of the program began, and trial access to the program was granted to a limited group of individuals in order to ensure the functionality of the program. The information that will be created in the applet is obtained for a clear purpose, i.e. in order to evaluate the performance of employees in accordance with the provisions of Icelandair's collective agreement with FFÍ. It is the company's assessment that the collection of information does not exceed what is necessary based on the purpose of the processing. In addition, it is assumed that the information that appears in the comment column of the applet can be deleted if it is unreliable or incomplete information that is not relevant. The performance evaluation will then be looked at as a whole, and therefore individual evaluations below the criteria should have little effect. Personally identifiable information is only accessible to a very narrow group of parties who only need it for their work. It is assumed that information will be made non-personally identifiable after 12 months and that Icelandair has implemented technical measures to ensure the security of the information and that all data is hosted on Icelandair's web servers in Iceland. Icelandair also believes that the company was not obliged according to Article 29. Act no. 90/2018 and Article 35 of Regulation (EU) 2016/679 to carry out an assessment of the impact on personal protection due to the processing of personal data in the applet. In Article 2 advertisement no. 828/2019, on a register of processing operations that always require an assessment of the impact on personal protection, is discussed in which cases the responsible party must always carry out an assessment of the security impact of the planned processing operations on the protection of personal information. The company believes that the processing of personal information that takes place in the applet only falls under item 1. Article 2 of the advertisement and therefore the company was not obliged to carry out an assessment of the impact on privacy. II. Assumptions and conclusion 1. Scope – Responsible party Scope of law no. 90/2018, on personal protection and processing of personal data, and regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thus the authority of Personal Protection, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partially or fully automated and the processing of personal data that is or is to become part of a file by methods other than automatic. Personal information is information about an identified or identifiable person, and a person is considered identifiable if it is possible to identify him, directly or indirectly, with reference to his identity or one or more factors that are characteristic of him, cf. Number 2. Article 3 of the Act and number 1 Article 4 of the regulation. Icelandair has also disclosed sensitive personal information, cf. Number 3. Article 3 of the Act, will be deleted and staff will be asked not to share such information through the applet. With that in mind, it will not be considered that this is the processing of sensitive personal information. Processing refers to an operation or series of operations where personal data is processed, whether the processing is automatic or not, cf. Number 4. Article 3 of the Act and number 2 Article 4 of the regulation. This case concerns Icelandair's collection, retention and use of the company's flight attendants' and flight attendants' personal information obtained through the use of a small program. Accordingly, and taking into account the above-mentioned provisions, this case concerns the processing of personal data that falls under the authority of the Personal Protection Agency. The person responsible for the processing of personal information is compatible with Act no. 90/2018 is the named responsible party. According to number 6 Article 3 of the Act, it refers to an individual, legal entity, government or other entity that alone or in cooperation with others determines the purposes and methods of processing personal data, cf. Number 7. Article 4 of the regulation. As stated here, Icelandair is considered to be the responsible party for said processing. 2. Legal environment All processing of personal data must fall under one of the processing authorizations of Article 9. Act no. 90/2018 and paragraph 1 Article 6 of regulation (EU) 2016/679. Among the things specified there is that the processing of personal information is permitted if it is necessary to fulfill a legal obligation that rests on the responsible party, cf. Number 3. of the provision of the law and point c of the provision of the regulation. In this regard, it is to be considered that the said processing of personal information takes place in connection with the wage agreement that Icelandair has concluded with FFÍ, but it is stipulated in the agreement that decisions about promotions of flight attendants and flight attendants and selection for management positions must take into account seniority and performance, cf. also a protocol to the collective agreement of January 4, 2010 regarding performance and employee evaluation to be done at Icelandair. In Article 1 Act no. 55/1980, on working conditions for employees and mandatory insurance of pension rights, stipulates that a collective agreement includes a minimum wage in the contract area and that agreements on lower terms shall be invalid. With reference to the general validity of collective agreements resulting from the aforementioned provision, as well as the fact that collective agreements always contain detailed provisions on the rights and obligations of employees and the employer, it has been considered that collective agreements enjoy a special status as secondary legal authority. In general, number 3 is considered Article 9 Act no. 90/2018 and point c, paragraph 1. Article 6 of regulation (EU) 2016/679 do not include contractual obligations, as determined by the comments to item 3. Article 9 of the bill that became the law, and have item 2. of the provision of the law and point b of the provision of the regulation to store a special authorization for the processing of personal information carried out for the benefit of contracts. However, it is assumed that the registered person is himself a party to the contract, but this is not the case with collective agreements. In light of the previously mentioned status of collective agreements as secondary legal authority, legal obligations according to section 3. of the provisions of the law and section c of the provisions of the regulation, on the other hand, are considered included in them. Then the authorization for said processing will in particular be considered to be based on such a legal obligation. In addition to authorization according to the above, all principles of paragraph 1 must always be followed. Article 8 of the Act and Article 5 of the regulation when working with personal data. The principles stipulate, among other things, that personal data must be processed in a lawful, fair and transparent manner towards the data subject (paragraph 1 of the legal provision and paragraph a of the provision of the regulation); that they must be sufficient, relevant and not beyond what is necessary based on the purpose of the processing (item 3 of the legal provision and point c of the provision of the regulation) and that they must be reliable and updated as necessary (item 4 of the legal provision and d- section of the provision of the regulation). The responsible party is responsible for ensuring that the processing of personal information is always compatible with the principles and must be able to demonstrate this, cf. Paragraph 2 Article 8 of the Act and paragraph 2 Article 5 of the regulation. For that, it is also considered that according to paragraph 1. Article 29 Act no. 90/2018 and paragraph 1 Article 35 of Regulation (EU) 2016/679, the responsible party shall have an assessment of the impact of the planned processing operations on the protection of personal data before the processing takes place, if it is likely that the processing may entail a high risk for the rights and freedoms of individuals, taking into account the nature, scope, context and purpose of the processing. On the basis of paragraph 2 Article 29 of the Act, Personal Protection has published advertisement no. 828/2019 on a register of processing operations that always require an assessment of the impact on personal protection. According to Article 2 of the advertisement, an assessment of the impact on personal protection should normally be carried out if the processing of personal data is related to two or more categories specified in the clause. In this regard, the Personal Protection Agency tries to determine in particular whether the said processing of personal data includes assessment or grading/scoring (paragraph 1 of the provision), systematic monitoring (paragraph 3 of the provision) and extensive data processing (paragraph 5 of the provision). 3. Conclusion 3.1. Authorization to process personal data - Principles Personal data protection considers it clear that Icelandair may find it necessary to work with personal data for the benefit of performance and employee evaluation, so that the processing is considered authorized on the basis of point 3. Article 9 Act no. 90/2018 and point c of paragraph 1. Article 6 of regulation (EU) 2016/679. In view of the way the assessment is carried out, however, Personal Protection also believes that the principles of paragraph 1 should be especially tested. Article 8 of the Act and paragraph 1 Article 5 of the regulation. In this regard, it is examined whether the said personal information is reliable and up-to-date, cf. Number 4. of the provision of the law and point d of the provision of the regulation. When assessing that, it must be taken into account that flight attendants and flight attendants are in direct competition with each other for promotions. Therefore, this arrangement, where staff evaluate each other's performance, can create an incentive to provide colleagues with negative and even false reviews on aspects that are mostly subjective to some extent. However, in Icelandair's answers, it has been stated that it is assumed that unreliable or incomplete information can be deleted, and therefore it is unlikely that individual reviews will have a significant impact on the overall result of the performance evaluation of individual employees. Personal protection believes that these arguments of Icelandair can be accepted. It will therefore be taken as a basis that the company has demonstrated that during said processing, the reliability rule, item 4, is observed. Paragraph 1 Article 8 of the Act and point d of the 1st paragraph Article 5 of the regulation, cf. Paragraph 2 of both clauses, to ensure that the company maintains this arrangement in practice. It will also be examined whether compliance with the requirement for transparency, cf. Number 1. Paragraph 1 Article 8 of the Act and point a of the 1st paragraph Article 5 of the regulation. As far as that requirement is concerned, it must be considered what has been said about the detailed introduction to the use of the applet that the staff received at meetings and courses before its use began. Get statements to that effect based on the case file. In addition, they reveal that employees are guaranteed the right to access data according to paragraph 2. Article 17 of the law, cf. further provisions in Article 15. of the regulation, regardless of its use of the program. With this in mind, the Personal Data Protection Authority believes that the processing of personal information discussed here is compatible with the requirements for transparency. In addition, the requirements of the privacy legislation regarding fairness and proportionality should be taken into account, cf. Numbers 1 and 3. Paragraph 1 Article 8 of the Act and points a and c of paragraph 1. Article 5 of the regulation. In this regard, it should be considered that the processing in question is quite extensive and can prove burdensome for Icelandair staff, but flight attendants and flight attendants can give each other performance evaluations at the end of each flight, and it is therefore clear that a considerable amount of personal information can be at stake, depending on how active Icelandair employees are in using the program. It is clear that the processing of personal information is much more extensive than was the case with the older arrangement. When assessing proportionality and fairness, the responsible party must assess whether the same objective can be achieved in a more extensive manner. Among other things, it could be considered that Icelandair employees only gave ratings or testimonials to colleagues every now and then instead of doing it after every flight. It is Icelandair's duty to choose the least extensive processing of personal data that achieves the intended goal. In the opinion of the Personal Protection Agency, the company has not demonstrated that it has fulfilled that obligation. In light of the above, Icelandair has not demonstrated that the privacy legislation's principle of proportionality has been respected, cf. Number 3. Paragraph 1 Article 8 of the Act and point c of paragraph 1 Article 5 the regulation, nor the legislative principle of fairness, cf. Number 1. Paragraph 1 Article 8 of the Act and point a of the 1st paragraph Article 5 of the regulation, cf. also paragraph 2 of both clauses. 3.2. Privacy impact assessment On behalf of Icelandair, it has been stated that the company does not consider itself to have been obliged according to paragraph 1. Article 29 Act no. 90/2018 and paragraph 1 Article 35 of Regulation (EU) 2016/679 to carry out an assessment of the impact on personal protection due to the processing of personal data in the applet with reference to the fact that the processing falls under only one category according to Article 2. advertisement no. 828/2019, i.e. assessment or grading/scoring, cf. Number 1. of the provision. As mentioned earlier, however, the Data Protection Authority also considers whether the said processing of personal information is considered systematic monitoring or extensive data processing within the meaning of the provision, cf. Numbers 3 and 5. its Care must be taken here that flight attendants and flight attendants evaluate each other's performance after each flight and in certain cases have to justify their evaluation in writing. Accordingly, it must be assumed that there will be a fairly extensive amount of information about the employees who participate in the performance evaluation in question. It is also expected that flight attendants and flight attendants submit evaluations after each flight. Accordingly, it must be considered that it is a systematic control. With reference to the above, Personal Data Protection Icelandair believes that it has been obliged according to paragraph 1. Article 29 Act no. 90/2018 and paragraph 1 Article 35 regulation (EU) 2016/679 to carry out an assessment of the impact on personal protection before the processing of personal information discussed here began, as it falls under the three categories of Article 2. advertisement no. 828/2019, cf. 1., 3. and 5.. numbers. Article 2 and paragraph 1 Article 1 of the advertisement. 3.3. Summary conclusion and instructions With reference to all of the above, it is the conclusion of the Data Protection Authority that Icelandair's processing of personal information about the company's flight attendants and flight attendants with the CrewApp applet is not compatible with the principles of Act no. 90/2018 and Regulation (EU) 2016/679 on proportionality and fairness. Furthermore, it is the conclusion of the Personal Protection Authority that Icelandair has violated its obligation to carry out an assessment of the impact of the said processing on personal protection before it began. With reference to the above, and with authorization in item 4. Article 42 Act no. 90/2018, it is proposed for Icelandair to move the processing of personal information in the CrewApp applet, in connection with the performance evaluation of the company's flight attendants and flight attendants, in accordance with the provisions of the privacy legislation that the company has violated, cf. discussion above. No later than April 28, 2023, Icelandair shall send the Data Protection Authority confirmation that these instructions have been complied with, together with a description of the measures taken to that end. Decisions: Processing Icelandair ehf. on the personal information of the company's flight attendants and flight attendants in connection with the implementation of their performance evaluation through the CrewApp applet is not compatible with the principles of proportionality and fairness according to law no. 90/2018 and Regulation (EU) 2016/679. Icelandair ehf. violated his duty according to law no. 90/2018 and Regulation (EU) 2016/679 to carry out an impact assessment on personal protection due to the processing of personal data of flight attendants and flight attendants through the CrewApp applet before the processing began. It is proposed for Icelandair ehf. to bring the processing of personal information in the CrewApp applet, in connection with the performance evaluation of the company's flight attendants and flight attendants, in accordance with the provisions of the privacy legislation that the company has violated. No later than April 28, 2023, Icelandair ehf. send Personal Protection confirmation that these instructions have been complied with, together with a description of the measures taken for that purpose. Privacy, March 28, 2023 Ólafur Garðarsson chairman Björn Geirsson Sindri M. Stephensen Vilhelmína Haraldsdóttir Þorvarður Kári Ólafsson
