Fine for data protection violation.

 Berlin’s data protection authority imposes fine due to “blacklist” for employee terminations.

Tobias Grambow, Rechtsanwalt der Kanzlei Buse Heberer Fromm
Tobias Grambow
Rechtsanwalt, Fachanwalt für Arbeitsrecht

Fine for data protection violation.

Blog: Labor Law - Article from 22.11.2023
Companies must handle employee data in compliance with the GDPR. This applies to health data, in particular. Failure to ensure this compliance can result in severe fines, as a case from Berlin demonstrates.

What happened?

In Berlin, the responsible Commissioner for Data Protection and Freedom of Information imposed fines on a company in response to GDPR violations. The fines totaled more than 200,000 euros.

The fines were imposed because the company had collected and stored information about the health of various employees during their probationary period. It also documented information such as when employees expressed an interest in establishing a works council or regularly used physiotherapy. The management had ordered that this data be collected. This data was then used as the basis for deciding whether to terminate employment contracts before the end of the probationary period. In the process, the company essentially prepared a blacklist of employees in their probationary period as candidates for dismissal. The employees were classified as “critical” or “highly critical” in the “continuing employment” section of the list.

The information was provided by the employees themselves during the course of shift planning, for example. Naturally, the employees were not informed that this data was being used to systematically assess them.

Permissible consideration – unlawful data processing

One thing is clear: Companies can and must systematically consider which employment relationships to continue after the end of the probationary period. Articles 5 and 6 of the GDPR permit the collection and processing of personal employee data for this purpose.

However, caution is essential when processing specific personal data. Article 9 of the GDPR stipulates that data regarding trade union membership, sex life, ethnic origin and health status, for example, may only be collected and processed in exceptional cases.

The Berlin Commissioner for Data Protection and Freedom of Information issued the following statement:

“The collection, storage and use of employee data must always take place within the permissible context of the employment relationship. This was not the case in this instance. Health data, in particular, is particularly sensitive information which may only be processed within narrow limits.”

Consequently, the systematic collection and analysis of sensitive health data as a basis for decisions related to the employment relationship is fundamentally unlawful. The fact that employees have communicated this information to the employer themselves as part of their work does not change this.

However, storing employee health data is not always prohibited.

For example, health data needs to be collected and stored to enable employers to assess whether they are required

  • to carry out company integration management,
  • to continue to pay wages,

or whether they are entitled to terminate employment relationship due to illness.

Employers must also remain able to make the decision on whether to terminate an employment relationship during the probationary period dependent on absence due to illness, among other factors.

However, the data storage exceeded this scope.

How the data protection authorities determine the fine?

The GDPR itself defines the framework for fines imposed due to data protection violations: Article 83 of the GDPR stipulates fines as high as 20 million euros or up to four per cent of the total global annual turnover achieved in the previous financial year.

In the case in Berlin, the turnover was initially taken into account in accordance with Article 83 of the GDPR. Moreover, the authorities also took into account the number of employees affected and the fact that processing health data without consent or a legal basis represents a relatively serious violation.

Conversely, they also took into account exonerating circumstances: on the one hand, the company stopped the unauthorized collection and processing of employee data on its own initiative after the public became aware of its activities through the press. The company also demonstrated its understanding and willingly cooperated with the data protection authorities during the proceedings.

As can be seen, cooperating with the authorities combined with something resembling active remorse can definitely lead to lower fines in the event of data protection violations.

Summary of the key facts:

  • The management and managers need to be trained in the legal framework governing the handling of sensitive employee data.
  • For example, health data may only be collected and processed if this involves a direct link to the employment relationship.
  • If a company violates data protection law, demonstrating “active remorse” and cooperating with the authorities can reduce fines

Newsletter

Stay up-to-date with the latest news!
Would you like to be informed whenever a new post is published in our labor law blog #LaborLaw by Buse? You wish to know which topic we are going to report on next? Then sign up for our newsletter here:

Works Council Issued Warning for Violation of Works Constitution Act Obligations.

Blog: Labor Law
Works Council Issued Warning for Violation of Works Constitution Act Obligations. Higher Labor Court Baden-Wuerttemberg Confirms possibility of warnings under Works Constitution Act (Ref.: 8 TaBV 3/19).
02.02.2021
Tobias Grambow

Works Council has no Right of Co-Determination in Union Actions.

Blog: Labor Law
Works Council has no Right of Co-Determination in Union Actions. Both employers and works councils are excluded from trade union actions. This is according to a recent decision of the Federal Labor Court (Case No.: 1 ABR 41/18).
29.12.2020
Jan Tibor Lelley

Blog: Labor Law
Works council elections 2022: Determining the elected candidates. Every candidate has to have equal access opportunities.
24.05.2022
Tobias Grambow

Betriebsratswahlen 2022 - Ende der Amtszeit.

Blog: Labor Law
Works council elections 2022 – End of term.
A works council’s term of office generally comes to an end after four years – What exceptions are there?
01.02.2022
Tobias Grambow

Works council elections 2022 – digital, hybrid or analog?

Blog: Labor Law
Works council elections 2022 – digital, hybrid or analog? Is it permitted to hold a works council election using voting software?
01.03.2022
Tobias Grambow

Works council elections 2022 – Appointing the election committee.

Blog: Labor Law
Works council elections 2022 – Appointing the election committee. The works council is generally responsible – Are there exceptions?
25.01.2022
Tobias Grambow
Let’s connect

Do you wish to receive information on recent developments of law, invitations to events or seminars from us? We hereby request your explicit consent.

…Declaration of Consent

BUSE

About us
List of partners
Contact
Imprint
Privacy Policy

 

Arrange a meeting

We can discuss your request directly in a personal meeting. We ensure absolute discretion and professional and honest advice.

…to our offices

© BUSE · Rechtsanwälte Steuerberater Partnerschaftsgesellschaft mbB