Tietosuojavaltuutetun toimisto (Finland) - TSV/206/2022

From GDPRhub
Tietosuojavaltuutetun toimisto - TSV/206/2022
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 6(1) GDPR
Article 6(1)(b) GDPR
Article 58(2)(b) GDPR
Article 58(2)(d) GDPR
§ 3 Act on the Protection of Privacy in Working Life
Type: Investigation
Outcome: Violation Found
Started: 21.02.2023
Decided: 20.06.2024
Published: 01.07.2024
Fine: n/a
Parties: n/a
National Case Number/Name: TSV/206/2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: fred

The DPA reprimanded a bus operator for publishing the personal phone numbers of its employees on the company intranet for other employees to access.

English Summary

Facts

The Finnish DPA was notified that a bus operator (the controller) had published the personal phone numbers of its bus drivers on the company intranet, although the drivers also had a personal business phone provided by the controller. The DPA then asked the controller to explain the purpose for which it processed the personal phone numbers of its drivers.

In response to the request, the controller clarified that it published the personal phone numbers of its drivers in the company's intranet telephone directory because it was necessary for the drivers to be able to communicate with each other by phone while on duty. The controller emphasised that each employee had a personal password for the intranet in order to ensure the technical protection of personal data. In the controller's view, the processing was based on Article 6(1)(b) GDPR, as it was necessary for the performance of the employment contract.

Regarding the separate business phones, the controller stated that they were primarily intended for mobile data use only, as the use of the phone was restricted so that it could only be used to make calls to specifically authorised numbers, such as supervisors and emergency numbers. It was therefore impossible to communicate with other drivers during the working day using only the business phone.

Holding

First, the DPA noted that when processing the personal data of its employees, the employer must take into account the necessity requirement of Section 3 of the Finnish Act on the Protection of Privacy in Working Life, according to which the employer may only process personal data that is directly necessary for the employee's employment relationship, that is related to the exercise of the rights and obligations of the parties to the employment relationship or benefits provided by the employer to the employee, or that arises from the specific nature of the work concerned.

On the basis of the information provided by the controller, the DPA considered that it was not necessary to disclose the bus drivers' personal phone numbers to other bus drivers. The DPA stated that it would have been possible for the controller to organise communication between the drivers in a less intrusive way, such as by using the business phone provided by the controller.

The DPA also noted that some employees may have had their personal phone number removed from the directory by their telecommunications provider. Thus, by disclosing an employee's ex-directory phone number to other drivers, the processing may have had an impact on the employee's private life and thus caused harm to the employee.

With regard to the legal basis established by the controller, the DPA found that the parties to the employment contract are the employer and the employee. Therefore, the disclosure of an employee's personal data, such as a phone number, to other employees of the organisation cannot be based on Article 6(1)(b) GDPR.

On the basis of the information gathered, the DPA held that the controller violated Article 6(1) GDPR and Section 3 of the Finnish Act on the Protection of Privacy in Working Life. As a result, the DPA issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR. On the basis of Article 58(2)(d) GDPR, the DPA also ordered the controller to ensure that it no longer processes its employees' personal phone numbers in the company's intranet telephone directory in such a way that they are visible to other bus drivers.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Thing

Publishing employees' personal phone numbers on the company's intranet
Registrar

Bus operator
The initiator's requirements with reasons

The initiator has said that the registrar has published the personal phone numbers of 300 employees working as bus drivers in the company's intranet in the phone book. The initiator notes that access to the phone book has been blocked from people other than bus drivers by giving the bus drivers personal passwords to the phone book.

The initiator has stated that the data controller has given his employees work telephones and each employee thus has a personal work telephone number. According to the dispatcher, work shifts are viewed on the work phone, error reports are prepared and situations that occur during the shift are communicated with superiors. The initiator has pointed out that the data controller could publish the employees' work phone numbers on the organization's intranet instead of the employees' personal phone numbers.

According to the initiator, some employees are worried that their secret phone number is visible to other employees.
Statement received from the registrar

An explanation has been requested from the controller on February 21, 2023, as well as an additional explanation on April 12, 2023 and May 30, 2023. The registrar has given his statement on 8 March 2023 and his additional statements on 17 April 2023 and 30 May 2023.

The registrar has stated in its reports that the registrar has published the bus drivers' personal phone numbers in the company's intranet phone book, because in order to ensure the company's service and quality level, it is necessary for the drivers to be able to communicate with each other by phone while performing work tasks. According to the registrar, the work of a bus driver is mobile work and there are several points in the driver's working day where it may be necessary to contact a colleague by phone and inquire about his location and schedule for a planned meeting, for example for changing drivers. The registrar has pointed out that each employee has his own personal password for the intranet, which ensures the technical protection of personal data.

The registrar has stated in its report that it has assigned each employee their own personal work phone and the employees also have a work phone number. According to the registrar, the employees' subscriptions are primarily intended only for the use of mobile data, as the use of the subscriptions is limited so that calls can only be made to separately permitted numbers, such as supervisors and the emergency number. Sending text messages is also blocked. The registrar states that it is impossible to communicate with other drivers during the working day if you only use the work phone provided by the employer due to subscription restrictions. The registrar also states that a large number of drivers do not use the phone provided by the employer at all, but have downloaded the applications needed for their work on their personal phone, in which case they cannot be reached from the work phone number, because it is not in use during the working day. According to the registrar, the required level of service and quality will not be achieved if drivers only have a list of work phone numbers on the company's intranet.

The registrar notes that during office hours, employees also have the option to call the traffic office to the supervisor and to the 24-hour emergency number, from which it is possible to find out the location and schedule of the other driver when the supervisor calls the driver in question. According to the registrar, however, in practice, the primary use of the time of the traffic office and/or the emergency department is focused on the control of the actual operational activities, such as the management of absences, the investigation of equipment breakdowns and accidents, and customer service.

The controller says that it processes employees' personal phone numbers in the company's intranet phone book on the basis of Article 6(1)(b) of the General Data Protection Regulation. (Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC (General Data Protection Regulation) according to Article 6, paragraph 1, subparagraph b) processing is necessary for the implementation of such an agreement , in which the data subject is a party, or at the request of the data subject to carry out measures prior to the conclusion of the contract.) The controller states in his report that based on the employer's directive right, the employer has the opportunity to process various employee personal data, such as telephone numbers, when offering the employee work in accordance with the employment contract and to carry out tasks that are necessary for the business.
A legal question

The Deputy Data Protection Commissioner must decide on the matter

1. Has the data controller had a processing basis in accordance with Article 6 of the General Data Protection Regulation for the processing of employees' personal telephone numbers on the company's intranet so that they have been visible to other bus drivers, and has the data controller's procedure in this regard been in accordance with the necessity requirement of Section 3 of the Working Life Data Protection Act;

2. Should the data controller be given an order to bring the processing activities into compliance with the provisions of the General Data Protection Regulation pursuant to Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation. The Deputy Data Protection Commissioner must also assess whether other remedial powers stipulated in Article 58 of the General Data Protection Regulation should be used in the case.
Decision and reasons of the Deputy Data Protection Commissioner
Decision

In processing the personal data of its employees, the controller has not complied with Article 6(1) of the General Data Protection Regulation and Section 3 of the Working Life Data Protection Act when it has made the personal telephone numbers of its employees working as bus drivers available in the company's intranet phone book so that the information is visible to all bus drivers in the company for employees.

The Deputy Data Protection Commissioner issues a notice to the data controller pursuant to Article 58, Section 2, Subsection b of the General Data Protection Regulation. The controller has not had a legal basis according to the General Data Protection Regulation to process the employees' personal phone numbers in the company's intranet phone book in such a way that they are available to all bus drivers. The above-mentioned processing has also not been in accordance with the necessity requirement of Section 3 of the Data Protection Act.

On the basis of Article 58, paragraph 2, subsection d of the General Data Protection Regulation, the Deputy Data Protection Commissioner gives the controller an order to bring the processing activities into compliance with the provisions of the General Data Protection Regulation. The registrar should reevaluate making employees' personal phone numbers available in the company's intranet phone book. The controller must ensure that it no longer processes the personal telephone numbers of its employees in the company's intranet telephone directory based on Article 6, Section 1, Subsection b of the General Data Protection Regulation, so that they are visible to all employees working as bus drivers.
Reasoning
Basis for processing personal data

According to Article 6, Paragraph 1 of the General Data Protection Regulation, there must be a legal basis for processing personal data. According to the registrar's report, the registrar processes employees' personal phone numbers in the company's intranet phone book based on Article 6, Paragraph 1, Subsection b of the General Data Protection Regulation in order to implement the employment contract.

The deputy data protection commissioner states that making the personal phone numbers of bus drivers visible in the company's intranet phone book to other bus drivers effectively means the electronic transfer of personal data to third parties.

The Deputy Data Protection Commissioner states that there are situations where the employer may need to contact the employee on his personal phone number in matters related to the implementation of the employment contract, such as in matters related to the payment of wages and the management of the work obligation. The deputy data protection commissioner also considers that the employer may have the right to process, among other things, the employee's personal telephone number based on Article 6, paragraph 1, subsection b of the General Data Protection Regulation. An employment contract is an agreement between an employer and an employee, the parties of which are the employer and the employee. The other employees of the organization are not parties to the employment contract, and the handing over of the employee's personal information, such as the phone number, to other employees of the organization cannot therefore in the case in question be based on Article 6, Paragraph 1, Subsection b of the General Data Protection Regulation.

The Deputy Data Protection Commissioner considers that the processing of employees' personal telephone numbers by the data controller is not lawful based on Article 6, Paragraph 1, subsection b of the General Data Protection Regulation, when it has made the employees' personal telephone numbers available to other employees working as bus drivers in the company's intranet phone book without the legal basis provided for in the law.

The deputy data protection commissioner states that the fact that the data controller has properly limited the group of employees who have access to phone numbers is not relevant in the legal assessment of this case, because the data controller has not had a legal basis to hand over the bus drivers' personal phone numbers to other bus drivers.
Necessity of processing employees' personal data

The employer must process the personal data of its employees taking into account the necessity requirement of Section 3 of the Working Life Data Protection Act, according to which the employer may only process personal data that is immediately necessary for the employee's employment relationship, which is related to the management of the rights and obligations of the parties to the employment relationship or the benefits offered by the employer to the employees, or due to the special nature of the work tasks.

The deputy data protection commissioner draws attention to the fact that the employer must assess the requirement of necessity, especially in connection with the processing of employees' personal personal data, such as the processing of personal telephone numbers and e-mail addresses. The Deputy Data Protection Commissioner considers that the processing of employees' personal personal data should only be limited to situations where the processing of other personal data provided to the employee by the employer in connection with work, such as work e-mail or work phone number, is not possible. In addition, the employer must take into account when processing employees' personal telephone numbers that they may only be processed by persons whose job duties include processing them, such as persons working in front-line or personnel administration positions.

In the case in question, the data controller has assigned a personal work phone to each employee, and the employees use the work phone number provided by the data controller. In his report, the registrar has pointed out that the employees' work phone connections have been limited so that they can only call predefined phone numbers, such as the supervisor and the emergency number. Bus drivers' work telephone connections could thus possibly be limited so that it is also possible to use them to call the work telephone numbers of other bus drivers. In addition, the registrar has presented an alternative method of communication between bus drivers, where the bus driver can call a supervisor at the traffic office or the 24/7 emergency number to get in touch with another bus driver. The Deputy Data Protection Commissioner draws attention to the fact that by using alternative methods of operation, it would not be necessary to publish the personal telephone numbers of bus drivers to other bus drivers.

The deputy data protection commissioner also draws attention to the fact that the employer has not taken into account the fact that the employees have been able to set the personal phone number secret through their subscription operator when making the phone numbers visible to the employees. The deputy data protection commissioner considers that by publishing the employee's secret personal phone number to other bus drivers, the data controller's processing may have had an impact on the employees' private life and thus may have caused harm to the employee.

The Deputy Data Protection Commissioner states that publishing the bus drivers' personal phone numbers to other bus drivers has not been necessary, nor is it proportionate to the business purposes presented by the data controller. The Deputy Data Protection Commissioner considers that the processing of bus drivers' personal telephone numbers cannot be considered processing of personal data that is immediately necessary for the employee's employment relationship for the business purpose presented by the data controller in his report.

The deputy data protection commissioner states that it has not been necessary to publish the personal telephone numbers of bus drivers to other bus drivers. It is also possible for the employer to arrange communication between bus drivers in a way that does not interfere with the employee's privacy, such as with a work phone provided by the employer.

Taking into account the above, the deputy data protection commissioner considers that the data controller has not complied with the requirement of necessity according to Section 3 of the Data Protection Act on Working Life when publishing the personal telephone numbers of employees working as bus drivers on the company's intranet.
Applicable legal provisions

According to Article 6(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council, issued on April 27, 2016, on the protection of natural persons in the processing of personal data and on the free movement of this data and the repeal of Directive 95/46/EC (General Data Protection Regulation), the processing is lawful only if and only to the extent that at least one of the conditions in subsections 1 is met.

According to Article 6, paragraph 1, subparagraph b of the General Data Protection Regulation, the processing is necessary for the implementation of an agreement to which the data subject is a party, or for the implementation of pre-contractual measures at the request of the data subject.

According to Article 58, paragraph 2, subparagraph b of the General Data Protection Regulation, the data protection commissioner's office can issue a notice to the controller or personal data processor if the processing activities have been in violation of the provisions of this regulation.

According to Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation, the data protection commissioner's office can order the data controller to bring the processing operations into compliance with the provisions of the General Data Protection Regulation, if necessary in a certain way and within a certain deadline.

According to Section 3 of the Act on the Protection of Privacy in Working Life (759/2004, the Employment Data Protection Act), the employer may only process personal data that is immediately necessary for the employee's employment relationship, which is related to the management of the rights and obligations of the parties to the employment relationship or the benefits offered to employees by the employer, or due to the special nature of the work tasks. The necessity requirement cannot be deviated from with the employee's consent.

Section 22 of the Working Life Data Protection Act stipulates that compliance with the Working Life Data Protection Act is monitored by occupational safety authorities in accordance with their competence together with the Data Protection Commissioner. The duties and powers of the Data Protection Commissioner are regulated in Articles 55–59 of the General Data Protection Regulation and Section 14 of the Data Protection Act (1050/2018).