It’s been a busy few months in the workplace privacy space. European supervisory authorities have been reprimanding and fining employers who have failed to comply with their privacy obligations to staff. We summarise two of the key cases here:

Denmark – ensuring ex-employees no longer have access to data 

The Danish DPA has reprimanded a local authority for failing to ensure that ex-employees no longer had access to personal data on local authority systems.

The DPA found that the local authority, despite having a good information security handbook regulating access rights management, had not followed its own rules on reviewing whether former employees’ access to systems had been revoked. As a result, the DPA concluded that former employees retained access to personal data after their employment ended.

Data controllers must identify risks in their data processing and implement appropriate security measures to mitigate these – including ensuring that access to systems which hold personal data is limited to those who require it for work purposes. The DPA also noted that, as well as having a procedure for disabling access for terminated employees, there should also be a system to follow up and check whether access has effectively been removed.

Due to these shortcomings, it was held that the local authority failed to take appropriate technical and organisational measures to effectively mitigate against the risks to data subjects under Article 32(1) GDPR.
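One way to implement the follow-up check the DPA describes (a periodic control that verifies access has actually been removed, rather than trusting that the offboarding procedure ran) is a reconciliation of the HR leavers register against an account export from each system holding personal data. The script below is an added example, not part of the decision or the local authority’s own handbook; the record layout, the identifiers, the dates, the one-day grace period and the sample records are all constructed assumptions.

```python
"""Leaver access reconciliation (added example, not from the DPA decision).

Cross-checks an HR register of terminated employees against an export of
system accounts and reports access that should no longer exist.  All record
layouts, identifiers and dates below are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

# Constructed sample data: the HR leavers register (employee id -> leaving date).
LEAVERS = [
    {"employee_id": "E1001", "name": "A. Jensen",  "termination_date": date(2023, 1, 31)},
    {"employee_id": "E1002", "name": "B. Nielsen", "termination_date": date(2023, 3, 15)},
    {"employee_id": "E1003", "name": "C. Hansen",  "termination_date": date(2023, 4, 30)},
    {"employee_id": "E1004", "name": "D. Larsen",  "termination_date": date(2023, 2, 28)},
]

# Constructed sample data: an account export from two systems holding personal data.
ACCOUNTS = [
    {"account": "ajensen",  "employee_id": "E1001", "system": "case-mgmt", "enabled": True,  "last_login": date(2023, 2, 10)},
    {"account": "bnielsen", "employee_id": "E1002", "system": "case-mgmt", "enabled": False, "last_login": date(2023, 3, 14)},
    {"account": "chansen",  "employee_id": "E1003", "system": "hr-portal", "enabled": True,  "last_login": date(2023, 4, 20)},
    {"account": "dkarlsen", "employee_id": "E2001", "system": "case-mgmt", "enabled": True,  "last_login": date(2023, 5, 1)},
]


@dataclass(frozen=True)
class Finding:
    employee_id: str
    account: str
    system: str
    issue: str  # "login_after_termination" or "enabled_after_termination"


def reconcile(leavers: Iterable[dict], accounts: Iterable[dict],
              review_date: date, grace_days: int = 1) -> list[Finding]:
    """Return one Finding per problem found for accounts belonging to leavers.

    grace_days is the assumed window the offboarding procedure is allowed to
    take before a still-enabled account counts as a control failure.
    """
    by_employee = {lv["employee_id"]: lv for lv in leavers}
    findings: list[Finding] = []
    for acct in accounts:
        leaver = by_employee.get(acct["employee_id"])
        if leaver is None:
            continue  # current employee; not in scope for this check
        term: date = leaver["termination_date"]
        last_login: Optional[date] = acct.get("last_login")
        # Strongest signal: the account was actually used after the leaving date.
        if last_login is not None and last_login > term:
            findings.append(Finding(acct["employee_id"], acct["account"],
                                    acct["system"], "login_after_termination"))
        # Weaker but still a failure: the account is enabled once the grace period has passed.
        if acct["enabled"] and review_date > term + timedelta(days=grace_days):
            findings.append(Finding(acct["employee_id"], acct["account"],
                                    acct["system"], "enabled_after_termination"))
    return findings


def unmatched_leavers(leavers: Iterable[dict], accounts: Iterable[dict]) -> list[str]:
    """Leavers with no account in the export at all.

    This is either good news (the account was deleted) or a sign that the
    HR-to-IT identifier mapping is broken, which would hide a lingering
    account from reconcile(); either way it needs a human to confirm.
    """
    seen = {a["employee_id"] for a in accounts}
    return [lv["employee_id"] for lv in leavers if lv["employee_id"] not in seen]


if __name__ == "__main__":
    review = date(2023, 5, 5)  # assumed date the control is run
    for f in reconcile(LEAVERS, ACCOUNTS, review):
        print(f"{f.issue:26} {f.system:10} {f.account:10} ({f.employee_id})")
    print("no account found for:", unmatched_leavers(LEAVERS, ACCOUNTS))
```

Run on a schedule against fresh exports, this is the "system to follow up and check" the DPA asked for: a login after the termination date should be handled as an incident (someone used the access), while an account that is merely still enabled is evidence the disabling procedure was not followed. The unmatched list matters too, because a check that silently skips leavers it cannot map to an account gives false assurance.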

Hungary – the appropriate use of CCTV in the workplace

A car repair shop has been handed an approximately €1,300 fine by the Hungarian DPA for failing to inform employees about CCTV surveillance and using CCTV in areas designated for work breaks.

This followed a complaint from a corporate co-owner of the property, who objected that the shop had installed cameras but was unwilling to remove them or provide any information about them. The shop stated that the cameras were required to protect the shop’s tools and valuable objects, and that they were not used for surveillance of public areas. The shop also stated that all employees had consented to the surveillance and that a sign had been installed notifying them of the CCTV.

It became apparent that one of the CCTV cameras was situated in the shop’s kitchen, which was not used for work, as well as one in the “office/customer waiting room”. The reason given for these cameras was to protect a safe deposit box in the kitchen, and the shop’s cash register and card reader in the waiting room, where administrative work was carried out.

As the shop’s data policy did not cite consent as the legal basis for the surveillance, the DPA held that a legitimate interest assessment should have been carried out, and the lack of such an assessment breached Article 6(1)(f) GDPR. The DPA ordered the controller to update its privacy policy to state that the surveillance is in its legitimate interest (provided its assessment justifies its use), and to update the policy generally, as it contained outdated and irrelevant statutory references.

The area covered by the cameras was also an issue for the DPA. In order to comply with the purpose limitation and data minimisation principles, the controller was ordered to change the angles of the cameras in the kitchen and waiting room to prevent unjustified employee surveillance. A particular problem with the kitchen camera was that it did not point at the safe deposit box at all, but was instead aimed at a dining table.

Further, the shop’s CCTV notice also had to be updated to give adequate information on the surveillance, as the simple pictographic sign was insufficient.

The factors taken into account by the DPA in handing down the fine included the fact that the failings were still in place during the investigation, and these included fundamental privacy rights violations (Articles 5(1)(b) and 5(1)(c) GDPR). In mitigation, only two of the cameras were problematic, the number of impacted data subjects was low, no specific harm or damage occurred, the infringements did not seem to be intentional, and it was the controller’s first GDPR offence.

Conclusion

It is important to keep workplace policies and processes up-to-date and compliant with the GDPR. As these cases illustrate, failure to do so can result in a monetary fine and in some cases unwelcome publicity for employers. Further, in the current environment where competition for candidates is fierce and employees can act like consumers, prospective recruits are increasingly alive to their data rights and ensuring effective compliance could mean the difference between securing a candidate and not!