In today’s digital era, many of us have become accustomed to privacy statements and cookie banners. These are present almost everywhere when we surf the Internet. But in my experience, operational data protection is underestimated or even disregarded by many companies. While online data protection measures have now become almost routine, there is often a lack of awareness of the problem when it comes to company data protection and handling employee data. A recent example from Berlin illustrates the scope of this problem.
The Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) has imposed fines totaling 215,000 euros on one company. The reason: The company had improperly documented sensitive information about the health of individual employees or their interest in forming a works council. The penalty notice is not yet legally binding.
From March through July 2021, a supervisor at the Company, at the direction of management, maintained a tabulation of all employees on probation. In this list, eleven individuals were rated as “critical” or “very critical” for continued employment. The reasons given for this included personal statements, health reasons and circumstances outside the company. Particularly explosive: A possible interest in founding a works council and regular participation in psychotherapy were also listed as reasons.
The Berlin data protection commissioner learned of the incident through media reports and a personal complaint from a person affected and initiated an investigation. The result was clear: the processing of the data collected was not lawful in the cases objected to. In addition to this main violation, three other fines were imposed on the company, totaling approximately 40,000 euros.
Meike Kamp, Berlin’s Commissioner for Data Protection and Freedom of Information, emphasized: “The collection, storage and use of employee data must always take place in the permissible context of the employment relationship. That was not the case in this instance. Health data in particular is especially sensitive information that may only be processed within narrow limits.”
In principle, employers are allowed to consider the extent to which employees should continue to be employed. Personal data may also be processed in the process. However, this data must be suitable and necessary for this purpose. They may only allow conclusions to be drawn about performance or conduct that are directly related to the employment relationship.
In assessing the fines, the BlnBDI took into account the company’s turnover and the number of employees affected. It was positively emphasized that the company cooperated comprehensively with the BlnBDI and stopped the infringement on its own initiative after it had become known to the public.
Corporate data protection is a complex and sensitive issue that should not be taken lightly. It is urgently recommended that companies take precautions here and create transparent agreements. Not only does this prevent trouble with data protection authorities, but it can also increase employee confidence. Responsible handling of employee data is not only a legal requirement, but also a sign of appreciation and respect.
Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.
Introduction In an era of globalization and digitization, many companies, whether start-ups or established, are faced with the question of...
Read moreDetails
Introduction: What is a home office and what legal framework must be observed? In the wake of the COVID-19 pandemic,...
Read moreDetails
OLG Hamm: Proof of e-mail access remains a challenge In a recent ruling (case no. 26 W 13/23 dated 10.08.2023),...
Read moreDetails
Blockchain technology and smart contracts have the potential to revolutionize numerous industries and enable new business models. These technologies offer...
Read moreDetails
Analysis of the ECJ rulings In its recent decisions C-687/21 and C-340/21, the European Court of Justice (ECJ) provided important...
Read moreDetails
APIs (Application Programming Interfaces) are the backbone of the modern digital economy. They enable the seamless integration of services and...
Read moreDetails
What does information security mean? Information security refers to the entirety of technical and organizational measures that serve to protect...
Read moreDetails
There are basically two options available to buyers when acquiring companies: the asset deal and the share deal. This distinction...
Read moreDetails
Obligation since the GDPR was applied Since last May, many have become aware that a privacy policy is needed on...
Read moreDetails
In the business world, there are a variety of business structures that can be used for different purposes and goals....
Read moreDetails
In dieser Episode erörtern wir die rechtlichen Herausforderungen, denen Spieleentwickler bei der Finanzierung durch Crowdfunding gegenüberstehen. Wir beleuchten die Verpflichtungen...
In dieser Episode wird die rechtliche Einordnung von virtuellen Mitarbeitenden und KI-Influencern im Marketing untersucht. Der Fokus liegt auf den...
In dieser aufschlussreichen Episode des ITmedialaw-Podcasts wird ein tiefgehender Blick auf die Schnittstelle von Web3, Blockchain-Technologie und Recht geworfen....
In dieser Episode beleuchten wir die rechtlichen Entwicklungen, die das Startup-Umfeld 2025 prägen werden. Von der KI-Regulierung über neue Kryptowährungsrichtlinien...
