During the COVID-19 pandemic, data privacy - and, in particular, employee data privacy - has been at the forefront of employers' minds.  In the last six months, employers across the globe have been required to give careful thought to a whole host of potential issues, from contact tracing apps to temperature and other health checks in the workplace, as well as processing an increasing volume of health data of its staff. Whilst not COVID-19 related, a recent decision from the Hamburg Commissioner for Data Protection and Freedom of Information in Germany (the "Commissioner") is an important reminder of the very significant financial and reputational sanctions an employer may face if it does not take appropriately collect, retain and protect employee personal data in line with GDPR.

In this case, the Commissioner issued a ?35.3 million fine against an international retailer due to its failures in monitoring and processing personal data of several hundred employees at one of its sites in Nuremberg. The decision demonstrates the risks involved when organisations fail to comply with the data minimisation principle under the GDPR by collecting and retaining excessive amounts and types of personal data in light of the purposes for which it has been collected.

The investigation and its outcome

From 2014, parts of the retailer's workforce in Nuremburg were subject to extensive recording of details about their private lives which were stored on a network drive.  This included information about employees' health obtained from return to work meetings such as their symptoms and diagnoses. In addition, supervisors recorded and digitally stored information they acquired about employees' private lives, including details about employees' family issues and religious beliefs. All the information processed was then made available to up to 50 other managers within the company.

The processing of such data came to light after a local IT error resulted in the data being accessible country-wide for several hours in October 2019. On being alerted to this security breach, the Commissioner opened an investigation, during which the retailer was required to provide the Commissioner with a copy of all of the data that was processed. 

The Commissioner concluded that the business had not taken appropriate steps to protect the personal data of its staff. As well as being fined, the other notable outcomes from the investigation include:

  • Various pronouncements from the Commissioner about the organisation, including that it had demonstrated a "serious disregard for employee data protection".
  • The business taking additional steps to protect its reputation, rebuild trust with the workforce and prevent a re-occurrence, including:
    • confirming that it will give financial compensation to any individual who has been employed at the impacted site for at least one month since May 2018 when GDPR came into force. However, no further information has been issued as to the level of such compensation;
    • making personnel changes at management level at the relevant site;
    • providing additional training for leaders on data protection; and
    • implementing enhanced data cleansing processes and improved IT solutions to ensure GDPR compliant storage of personal data.

What are the implications of this decision?

The decision by the Commissioner is a stark reminder of the sanctions that can be implemented against a company for breach of its obligations under GDPR.  As well as financial implications, there are obvious reputational and employee relations issues which the company now has to grapple with. 

Whilst this is a decision made in Germany, other European data protection supervisory authorities (including the UK's Information Commissioner's Office) are likely to take a similar view based on the facts of the case regarding the collection, retention and protection of employee data.  

In light of COVID-19 and the additional personal data that companies may be processing about employees as a result, it is more important than ever to ensure that companies take appropriate steps to only collect and retain those types of personal data which are necessary for the purposes for which it is used and to take appropriate steps to maintain protection of an individual's personal data, and especially health personal data. Companies should ensure that they have appropriate measures in place for processing personal data in line with the GDPR and the latest guidance issued by the relevant regulator in their jurisdiction. In the UK for example, employers should consider the six steps that the Information Commissioner's Office has outlined businesses in the UK will need to consider when using personal data as a part of their COVID-19 recovery plans.

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe - Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2020. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.