In today’s digital era, many of us have become accustomed to privacy statements and cookie banners. These are present almost everywhere when we surf the Internet. But in my experience, operational data protection is underestimated or even disregarded by many companies. While online data protection measures have now become almost routine, there is often a lack of awareness of the problem when it comes to company data protection and handling employee data. A recent example from Berlin illustrates the scope of this problem.
The Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) has imposed fines totaling 215,000 euros on one company. The reason: The company had improperly documented sensitive information about the health of individual employees or their interest in forming a works council. The penalty notice is not yet legally binding.
From March through July 2021, a supervisor at the Company, at the direction of management, maintained a tabulation of all employees on probation. In this list, eleven individuals were rated as “critical” or “very critical” for continued employment. The reasons given for this included personal statements, health reasons and circumstances outside the company. Particularly explosive: A possible interest in founding a works council and regular participation in psychotherapy were also listed as reasons.
The Berlin data protection commissioner learned of the incident through media reports and a personal complaint from a person affected and initiated an investigation. The result was clear: the processing of the data collected was not lawful in the cases objected to. In addition to this main violation, three other fines were imposed on the company, totaling approximately 40,000 euros.
Meike Kamp, Berlin’s Commissioner for Data Protection and Freedom of Information, emphasized: “The collection, storage and use of employee data must always take place in the permissible context of the employment relationship. That was not the case in this instance. Health data in particular is especially sensitive information that may only be processed within narrow limits.”
In principle, employers are allowed to consider the extent to which employees should continue to be employed. Personal data may also be processed in the process. However, this data must be suitable and necessary for this purpose. They may only allow conclusions to be drawn about performance or conduct that are directly related to the employment relationship.
In assessing the fines, the BlnBDI took into account the company’s turnover and the number of employees affected. It was positively emphasized that the company cooperated comprehensively with the BlnBDI and stopped the infringement on its own initiative after it had become known to the public.
Corporate data protection is a complex and sensitive issue that should not be taken lightly. It is urgently recommended that companies take precautions here and create transparent agreements. Not only does this prevent trouble with data protection authorities, but it can also increase employee confidence. Responsible handling of employee data is not only a legal requirement, but also a sign of appreciation and respect.
Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.
In a recently published LinkedIn post, it was announced that the interface between smart contracts, decentralized financial systems (DeFi) and...
Read moreDetails
The Federation of German Consumer Organizations successfully sued the online dating portal "SexyDate" at Leipzig Regional Court. The court prohibited...
Read moreDetails
In proceedings against two defendants - a 53-year-old lawyer based in Berlin and his 41-year-old client, the alleged representative of...
Read moreDetails
Introduction: why T&Cs, regulation & compliance are important in the blockchain and computer gaming space. Entering new technologies and industries...
Read moreDetails
Introduction: What is a home office and what legal framework must be observed? In the wake of the COVID-19 pandemic,...
Read moreDetails
What is it all about? The decision "Right to be Forgotten II" published today, which is supplemented by the decision...
Read moreDetails
The actual performance of micro jobs ("microjobs") by users of an online platform ("crowdworkers") on the basis of a framework...
Read moreDetails
The Whistleblower Protection Act, which has been in force since July 2, 2023, has reached a new phase. With the...
Read moreDetails
I recently reported in this article that a data leak can be quite expensive if the injured party decides to...
Read moreDetailsEs ist spätabends, der Kaffee neben dem Laptop ist längst kalt, doch ich lächle zufrieden: In wenigen Stunden habe ich...
Read moreDetails
In dieser faszinierenden Episode tauchen wir tief in die rechtlichen Aspekte des Metaverse ein. Als Rechtsanwalt und Technik-Enthusiast beleuchte ich...
Read moreDetails
In diesem Video rede ich ein wenig über transparente Abrechnung und wie ich kommuniziere, was es kostet, wenn man mit...
Read moreDetails
