In this case, the Commissioner issued a €35.3 million fine against an international retailer due to its failures in monitoring and processing personal data of several hundred employees at one of its sites in Nuremberg. The decision demonstrates the risks involved when organisations fail to comply with the data minimisation principle under the GDPR by collecting and retaining excessive amounts and types of personal data in light of the purposes for which it has been collected.
The investigation and its outcome
From 2014, parts of the retailer’s workforce in Nuremburg were subject to extensive recording of details about their private lives which were stored on a network drive. This included information about employees’ health obtained from return to work meetings such as their symptoms and diagnoses. In addition, supervisors recorded and digitally stored information they acquired about employees’ private lives, including details about employees’ family issues and religious beliefs. All the information processed was then made available to up to 50 other managers within the company.
The processing of such data came to light after a local IT error resulted in the data being accessible country-wide for several hours in October 2019. On being alerted to this security breach, the Commissioner opened an investigation, during which the retailer was required to provide the Commissioner with a copy of all of the data that was processed.
The Commissioner concluded that the business had not taken appropriate steps to protect the personal data of its staff. As well as being fined, the other notable outcomes from the investigation include:
- Various pronouncements from the Commissioner about the organisation, including that it had demonstrated a “serious disregard for employee data protection”.
- The business taking additional steps to protect its reputation, rebuild trust with the workforce and prevent a re-occurrence, including:
- confirming that it will give financial compensation to any individual who has been employed at the impacted site for at least one month since May 2018 when GDPR came into force. However, no further information has been issued as to the level of such compensation;
- making personnel changes at management level at the relevant site;
- providing additional training for leaders on data protection; and
- implementing enhanced data cleansing processes and improved IT solutions to ensure GDPR compliant storage of personal data.
What are the implications of this decision?
The decision by the Commissioner is a stark reminder of the sanctions that can be implemented against a company for breach of its obligations under GDPR. As well as financial implications, there are obvious reputational and employee relations issues which the company now has to grapple with.
Whilst this is a decision made in Germany, other European data protection supervisory authorities (including the UK’s Information Commissioner’s Office) are likely to take a similar view based on the facts of the case regarding the collection, retention and protection of employee data.
In light of COVID-19 and the additional personal data that companies may be processing about employees as a result, it is more important than ever to ensure that companies take appropriate steps to only collect and retain those types of personal data which are necessary for the purposes for which it is used and to take appropriate steps to maintain protection of an individual’s personal data, and especially health personal data. Companies should ensure that they have appropriate measures in place for processing personal data in line with the GDPR and the latest guidance issued by the relevant regulator in their jurisdiction. In the UK for example, employers should consider the six steps that the Information Commissioner’s Office has outlined businesses in the UK will need to consider when using personal data as a part of their COVID-19 recovery plans