- Operational data protection is often underestimated or disregarded by many companies.
- The Berlin Commissioner for Data Protection imposed fines of 215,000 euros on a company.
- The company documented inadmissible health-related information about employees and works council interests.
- The processing of employee data was not lawful in the cases in question.
- Special care must be taken with health data; it may only be processed within narrow limits.
- Companies should create transparent agreements to promote trust among employees.
- Responsible handling of employee data shows appreciation and respect.
In today’s digital era, many of us have become accustomed to privacy statements and cookie banners. These are present almost everywhere when we surf the Internet. But in my experience, operational data protection is underestimated or even disregarded by many companies. While online data protection measures have now become almost routine, there is often a lack of awareness of the problem when it comes to company data protection and handling employee data. A recent example from Berlin illustrates the scope of this problem.
What happened?
The Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) has imposed fines totaling 215,000 euros on one company. The reason: The company had improperly documented sensitive information about the health of individual employees or their interest in forming a works council. The penalty notice is not yet legally binding.
From March through July 2021, a supervisor at the Company, at the direction of management, maintained a tabulation of all employees on probation. In this list, eleven individuals were rated as “critical” or “very critical” for continued employment. The reasons given for this included personal statements, health reasons and circumstances outside the company. Particularly explosive: A possible interest in founding a works council and regular participation in psychotherapy were also listed as reasons.
The Berlin data protection commissioner learned of the incident through media reports and a personal complaint from a person affected and initiated an investigation. The result was clear: the processing of the data collected was not lawful in the cases objected to. In addition to this main violation, three other fines were imposed on the company, totaling approximately 40,000 euros.
Meike Kamp, Berlin’s Commissioner for Data Protection and Freedom of Information, emphasized: “The collection, storage and use of employee data must always take place in the permissible context of the employment relationship. That was not the case in this instance. Health data in particular is especially sensitive information that may only be processed within narrow limits.”
In principle, employers are allowed to consider the extent to which employees should continue to be employed. Personal data may also be processed in the process. However, this data must be suitable and necessary for this purpose. They may only allow conclusions to be drawn about performance or conduct that are directly related to the employment relationship.
In assessing the fines, the BlnBDI took into account the company’s turnover and the number of employees affected. It was positively emphasized that the company cooperated comprehensively with the BlnBDI and stopped the infringement on its own initiative after it had become known to the public.
Conclusion
Corporate data protection is a complex and sensitive issue that should not be taken lightly. It is urgently recommended that companies take precautions here and create transparent agreements. Not only does this prevent trouble with data protection authorities, but it can also increase employee confidence. Responsible handling of employee data is not only a legal requirement, but also a sign of appreciation and respect.
