GDPR UPDATE – the processing of personal data of employees
The General Data Protection Regulation (GDPR) came into force more than a year ago. Just when the dust regarding the entry into force of the GDPR seemed to have settled, the Dutch Data Protection Authority (DPA) made public on 16 July 2019 that it had imposed a fine of €460,000 and an incremental penalty payment on the hospital HagaZiekenhuis. This gives us reason to briefly consider the enforcement of the GDPR since its entry into force. In addition, we will focus on the intersection of the GDPR and employment law by providing a brief overview of the responsibilities of the employer under the GDPR. Within that context, we will briefly touch on the difficulties that employers seem to experience with regard to the implementation of the GDPR and discuss some of the most recent updates in this respect.
Enforcement since 1 May 2018
On 27 November 2018 it was announced that a fine of €600,000 had been imposed on Uber B.V. and Uber Technologies Inc. The Uber Group had failed to report a data breach within 72 hours. Although the fine was imposed after the entry into force of the GDPR, the breach actually took place in 2016, before the GDPR entered into force. Therefore, the previous regulation was still applicable. However, the DPA stated that it had already taken the GDPR into account in its judgement.
The first 'real' GDPR fine is the aforementioned fine imposed on the HagaZiekenhuis. The reason for the fine was a data breach reported by the HagaZiekenhuis on 4 April 2018, which consisted of the unlawful inspection of the patient file of a Dutch celebrity. Of the 197 times the file was reviewed, 100 were unlawful. In addition to the fine, an incremental penalty payment was imposed: if no improvement is evident after 2 October 2019, the HagaZiekenhuis will have to pay a penalty of €100,000 every two weeks, up to a maximum of €300,000.
In its 2018 annual report, the DPA announced that in 2019 it would be stepping up its enforcement efforts. This is in contrast to 2018, when the DPA stated that its main focus was on information, the formulation of standards and the transfer of standards. Undoubtedly more fines are going to be imposed in the near future.
Responsibilities of the employer
The GDPR imposes a large number of obligations on the employer. These include the obligation to provide information, the obligation to account for and document data processing, the security of personal data, the privacy impact assessment, processing agreements, the obligation to report data leaks and the possible appointment of a data protection officer. Furthermore, the GDPR grants rights to the employee in its capacity as 'data subject', such as the right of access and copying, the right of correction or deletion, the right to object, the right to restrict processing and the right to transfer personal data.
Difficulties with regard to the GDPR compliance process
Article 88 of the GDPR stipulates that the Member States of the European Union may lay down further rules for the processing of employees' personal data within the context of the employment relationship. However, the Dutch Implementation Act (DIA) does not make use of this possibility. Because the regulations are formulated in general terms, employers encountered numerous questions during the GDPR compliance process which have not been addressed by the GDPR, let alone by the DIA.
The DPA is aware that there are still many questions among employers about the GDPR and that it is particularly difficult for smaller entrepreneurs to meet the obligations under the GDPR. For this reason, more and more European Data Protection Board (EDPB) recommendations, letters from ministries and DPA news items are being published. We mention a few examples below.
Campaign 'What does the privacy law mean to you?'
With this campaign the DPA provides employers with practical help to fulfil their obligations. In the coming months the DPA will publish on its campaign website on numerous subjects, including the security of personal data, processing agreements, the processing of data of (sick) employees and the principles for processing personal data.
Guidelines with regard to camera surveillance
The use of camera surveillance is an invasion of privacy. In order to determine whether this infringement is justified, it is necessary to examine whether (i) the recordings serve a legitimate purpose, (ii) they are an appropriate means of achieving that purpose, (iii) the privacy breach is proportionate in relation to the employer's interest and (iv) that purpose can reasonably be achieved in a less intrusive manner. The application of these open standards depends on the particular facts and circumstances of the case and is therefore not easy to determine. In view of this, the EDPB has recently prepared guidelines on camera surveillance which will make the provisions more workable. These guidelines clarify how the GDPR applies to the processing of personal data by means of camera surveillance and are currently open for feedback.
The processing of personal data of sick employees
It was not clear whether the Policy Rules for the Processing of Personal Data on the Health of Ill Workers continued to apply in full under the GDPR. However, the Ministry of Social Affairs and Employment has explicitly confirmed that they are indeed still applicable under the GDPR. This means that an employer may not ask an employee who reports sick about the diagnosis or functional limitations. If the employee volunteers this information, the employer is not allowed to process it. The employer may, however, ask about the probable duration of the absence.
Alcohol and drug tests
It was argued that the entry into force of the GDPR left more room to carry out alcohol and drug tests on employees. However, on 15 March 2019, the DPA published a news item stating that testing for alcohol and drugs during working hours still requires a specific legal basis. This means that alcohol and drug testing in the workplace is always prohibited under the GDPR, except to the extent that these tests are explicitly permitted by the Decree on Alcohol, Drugs and Medicines in Traffic. The number of professions mentioned in this Decree is limited, and a legitimate interest in alcohol and drug testing exists in many professions other than those explicitly mentioned. With this statement, the DPA clarifies that it is the responsibility of the legislature to create a legal basis that will allow such tests for professions not included in this Decree.