Persónuvernd - nr. 2019/0490

From GDPRhub
- 2019/0490
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 9 GDPR
Article 5(1)(f) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 20. 12. 2019
Published: 18. 02. 2020
Fine: n/a n/a
Parties: Íslandshótels
Employee A
Employee B
National Case Number/Name: 2019/0490
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: personuvernd.is (in IS)
Initial Contributor: n/a

Persónuvernd decided on a case concerning a list of employee’s sick leave put up in a hotel kitchen. A list of absences was hung up in a space accessible to all of the hotel’s employees. While the registration of sick leave was covered by sectorial labor law, and thus had a legal basis under Article 9 GDPR, the security of processing was not ensured following Article 5 (1)(f).

English Summary

Facts

The operation manager of the hotel hung up a list of employees who were absent due to sickness. It was not contested that the hotel had a lawful legal ground to process the information. However, the information was shared by hanging the list up in a space open for the workers. This processing was not covered by the legal ground.

Dispute

The question for Persónuvernd was if hanging up the list of employees constituted a security breach.

Holding

Personurvernnemdi found that the processing of the personal data by Islandshotels by hanging up the lists of sick and absent employees was a breach of Article 5(1)(f) of the GDPR.

Comment

Feel free to add your comment here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the ***LANGUAGE*** original. Please refer to the ***LANGUAGE*** original for more details.

ruling

At a meeting of the Board of Privacy on December 20, 2019, a clear ruling was made in case no. 2019/0490:
I.
procedures
1.
Case recommendations

On February 27, 2019, Privacy Protection received a complaint from Eflinga - union, on behalf of its unspecified members, regarding the treatment and handling of Íslandshotela hf. on information about the absence of hotel employees in the company-owned hotel, [X], due to illness.

By letter, date. On June 6, 2019, the Privacy Protection Association announced its position that the company did not fulfill the conditions for representing its members without being authorized to do so, cf. Paragraph 2 Article 39 Act no. 90/2018 on Privacy and Processing of Personal Information and Paragraph 1 of Art. Article 80 Regulation (EU) 2016/679. On July 5, 2019, the lawyer of Eflingar - union published the mandate of two employees [X], [A] and [B] (hereinafter referred to as the complainants), dated. July 2, when an ASI lawyer was authorized to complain to the Data Protection Authority on their behalf for the aforementioned processing.

By letter, date. On August 29, 2019, Íslandshotels hf. invited to provide explanations for the complaint. Answered by letter, dated. September 6th By letter, date. On October 1, 2019, the complainants were invited to comment on the views of Íslandshotels hf. and received comments from the complainants along with the supporting documents by letter, dated. October 21st

All the above data have been taken into account in resolving the case.
2.
Quarterly views

The complaint relates to the treatment of Íslandshotels hf. information on absenteeism due to illness did not comply with Act no. 90/2018. Build complaints that the Operations Manager [X] has hung up a list of the number of sick leave employees in the kitchen for a specific period of time in a space that is accessible to all hotel employees. This action involved the processing of the personal data in question without the consent of the persons concerned, but the complainants are among them. This is sensitive personal information within the meaning of Act no. 90/2018 provided that information about absenteeism from work due to illness can hardly be considered other than personal information relating to physical or mental health. Complainants have rejected claims made by Íslandshoteli hf. to the effect that the said list was taken out of the office of the officer without permission and hung up without his or her knowledge of the company and has stated that certain officers have hung the list.
3.
The point of view of Íslandshotels hf.

Íslandshotel hf. based on the need to keep a record of employees' sick and vacation days in order to ensure the proper implementation of employment and wage agreements. The processing is therefore supported by point 2. Paragraph 1 Article 11 Act no. 90/2018, cf. also paragraphs 2 and 3. Article 9 same law. Furthermore, the registration of absence due to illness and vacation is a natural, legitimate and necessary part of the obligations of Íslandshotels hf. as an employer to enable the company to execute the employment contracts of the parties and assess the performance of the counterparties. Thus, the processing complied with the principles of Article 8. Act no. 90/2018. This processing was therefore legitimate in the opinion of Íslandshoteli hf. However, the list of absenteeism due to illness has not been hung up in a common space with the awareness or will of the company, but the list has been taken freely by the boss's office and subsequently suspended. Thus, there was a security breach and the Data Protection Authority was notified of it on February 27, 2019.
II.
Assumptions and conclusion
1.
Scope - Guarantee

Scope of Act no. 90/2018, on privacy and processing of personal information, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thus the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partially or fully automated and processing by methods other than automatic processing of personal data that is or should be part of a file.

Personal information includes information about a person or person who is personally identifiable and can be considered as personally identifiable if he or she can be directly or indirectly identified by reference to his or her identity or one or more of the characteristics characteristic of him, cf. Item 2 Article 3 of the Act and Paragraph 1. Article 4 Regulation.

Processing means an action or series of actions in which personal information is processed, whether the processing is automatic or not, cf. Item 4 Article 3 of the Act and Paragraph 2. Article 4 Regulation.

This case concerns the processing of information about the absence of employees from work due to illness. Respectfully, and with due regard to the foregoing provisions, this matter concerns the processing of personal information that falls under the sphere of privacy.

The person responsible for processing personal data complies with Act no. 90/2018 is named as the guarantor. According to paragraph 6. Article 3 the Act refers to an individual, legal entity, governmental authority or other party who decides alone or in collaboration with other purposes and methods for the processing of personal information, cf. Item 7 Article 4 Regulation. As is the case here, Íslandshotel hf. be the guarantor of the processing in question.
2.
Legality of processing

All processing of personal data must be subject to any of the provisions of Article 9. Act no. 90/2018. It may be mentioned that personal information may be processed if it is necessary to fulfill a contract to which the registered party is a party, cf. Item 2 that article, or to fulfill the legal obligation of the guarantor, cf. Point 3 same articles. In addition, the processing of sensitive personal data must be compatible with any of the additional requirements of the first paragraph. Article 11 Act. According to point 3 (b). Article 3 the law is health information, ie. personal information relating to the physical or mental health of a person, sensitive, but from the complaint it will be assumed that information on the absence of complainants from work due to illness has been processed. As is the case here, in particular, the second paragraph is examined. Paragraph 1 Article 11, the fact that the processing of sensitive personal data is permissible if it is necessary for the guarantor or the registered person to fulfill his obligations and exercise certain rights under labor law.

In addition to the authorization according to the above, the processing of personal data must satisfy all the basic requirements of the first paragraph. Article 8 Act no. 90/2018, cf. Article 5 Regulation (EU) 2016/679. Provisions include, inter alia, that personal information should be processed in a legitimate, fair and transparent manner towards the data subject (point 1); that they should be derived for clearly stated, legitimate and objective purposes and not further processed for other and incompatible purposes (para. 2); and that they should be processed in such a way as to ensure the proper security of personal data (point 6).

This case relates to the publication of a list containing information on the absence of the named employees in the kitchen [X] from work due to illness during a specific period. The absence of absenteeism due to illness can be considered a normal factor in the employer's activities. In the 4th to 6th. Article. Act no. 19/1979 on the right of workers to notice of termination from work and for wages due to sickness and accident losses, the right to wages in sickness is discussed. Under those provisions, it is clear that certain processing of health information by the employer is indispensable for the employee to be able to exercise that right. Such processing of personal data may therefore be based on paragraph 3. Article 9, cf. Item 2 Paragraph 1 Article 11 Act no. 90/2018 to the extent necessary to ensure that the parties comply with their obligations under labor legislation, including with respect to the statutory sickness rights of employees, cf. the aforementioned provisions of Act no. 19/1979. However, as previously stated, processing must always comply with the essential requirements of Article 8. Act no. 90/2018 and the guarantor must be able to demonstrate that. In this case, the party determines whether officers have hung up the list in question, or whether they have been taken out of the officer's office voluntarily and suspended without the knowledge of the guarantor. There remains what is undisputed; that the list hung for a while in the communal space of the hotel staff. Therefore, in particular, it is examined whether the appropriate security of personal information about employees has been ensured, cf. Item 6 Paragraph 1 Article 8 Act no. 90/2018.

From the evidence of the case it is clear that information about the absence of employees in the kitchen [X] was not only found in a special computer system, but also in a printed list. Furthermore, it seems clear that the list was originally preserved in the office of the kitchen manager. In light of this and the requirements laid down in Act no. 90/2018 to safeguard the processing of sensitive personal data, it is the opinion of the Data Protection Authority that the guarantor has not sufficiently ensured that information on the absence of employees due to illness would not be visible to unauthorized parties. Therefore, the appropriate security of the information was not ensured as required by item 6. Paragraph 1 Article 8 Act no. 90/2018.

For this reason, the conclusion of the Data Protection Authority is that the processing of Íslandshotels hf. on personal information about complainants did not comply with Act no. 90/2018, on privacy and processing of personal information.

In accordance with this conclusion, and with reference to point 4. Article 42 Act no. 90/2018, is hereby submitted to Íslandshotel hf. to establish procedures for the processing of personal information about company employees. Íslandshotel hf. shall ensure that the rules are accessible to all employees and, at the same time, introduce them to all managers within the company. Confirmation of compliance with these instructions shall be received no later than January 27, 2020.

Findings:

Processing of Íslandshotels hf. information on sickness absence [A] and [B] did not comply with Act no. 90/2018, on privacy and processing of personal information.

With reference to point 4. Article 42 Act no. 90/2018 is submitted to Íslandshotel hf. to establish procedures for the processing of personal information about company employees.

Íslandshotel hf. shall ensure that the procedures are accessible to all employees and at the same time introduce them to all managers within the company.

Confirmation of compliance with these instructions shall be received no later than January 27, 2020.

In Privacy, December 20, 2019