SAF Logistics, a French air freight company linked to a Chinese parent company, Sinotrans Hongfeng Shanghai Ltd, has recently been fined €200,000 by the French data protection authority (the CNIL) in a stern response to the company’s breaches of the General Data Protection Regulation (GDPR) triggered by internal recruitment practices.
As is often the case, it was a tip-off that triggered the CNIL investigation. On 4 August 2020, the CNIL received two complaints from SAF Logistics employees, reporting that the company had asked staff wishing to apply for a position within the parent company to fill in a Chinese-language form. This form requested large amounts of information on employees’ private lives such as their ethnicity, political party affiliation and family situation.
Responding to these complaints, the CNIL carried out an on-site inspection to review the form used for data collection and found evidence of four breaches of the GDPR.
1. Excessive Data Collection, Article 5(1)(c)
Although information relating to an employee’s emergency contacts is generally GDPR compliant, SAF Logistics were found to be in breach of the minimisation principle, due to the excessive nature of the information collected from employees. SAF Logistics were collecting information about employees’ family members, such as their employer and marital status. The CNIL also noted that the form asked for information on several family members. The CNIL found that the collection of so much data was not necessary or proportionate to achieve the intended purpose of contacting relatives in the event of an emergency.
2. Processing Special Category Data, Article 9
The CNIL investigation revealed that the form in question required employees to provide special category data, including their ethnicity, blood type and political affiliation.
SAF Logistics tried to argue that employees had consented to filling out the information on the form as they were under no obligation to complete it (since it was only intended for those individuals looking to apply to the parent company). However, the CNIL considered that the employees’ consent could not be described as ‘freely given’ as they were not in a position to refuse to provide their personal data for fear of not being properly considered for the role if information were omitted. SAF Logistics were therefore found to be in breach of Article 9 of the GDPR.
3. Processing Personal Data Relating to Criminal Convictions, Article 10
The CNIL also noted that SAF Logistics kept extracts from the criminal records of employees working in air freight, even if they had already been cleared of any wrongdoing by the French authorities.
The CNIL considered that the company did not meet the conditions for processing the criminal records of its employees, resulting in a breach of Article 10 of the GDPR. SAF Logistics argued that due to its air freight activity, and reception and handling of high value goods, the company were entitled to consult extracts of its employees’ criminal records. However, the CNIL found that while the company were authorised to consult employees’ criminal records, they were not authorised to keep them.
4. Failure to Co-operate with the CNIL
Finally, SAF Logistics showed a lack of co-operation during the investigation. When the CNIL asked the company to translate the form, which had been written in Chinese, it produced an incomplete translation, in which the contentious fields relating to ethnicity or political affiliation were missing (perhaps suggesting that they were aware of their wrongdoing!).
The CNIL had to translate the form itself in order to have all the fields available, and so the panel considered that the company had intentionally sought to prevent the CNIL from exercising its supervisory powers. SAF Logistics acknowledged that they had provided the CNIL with an incomplete translation of the form but maintained that this was not a failure to co-operate, but rather “gross negligence on the part of the translator” and “lack of due diligence” on the part of the company, which has few administrative resources and few French-speaking staff (despite having a French subsidiary…).
The CNIL therefore found that the company had breached the obligation to co-operate found in Article 31 of the GDPR.
SAF Logistics as a Data Controller
During the investigation, debate emerged regarding SAF Logistics’ status as a Data Controller. Pursuant to Article 4(7) of the GDPR, a controller is defined as “the natural or legal person, public authority, agency, or body which, alone or jointly with others, determines the purposes and means of processing of personal data”. SAF Logistics tried to argue that they were not the data controller, and had acted as a mere “mailbox”, pointing to the Chinese parent company.
The CNIL rebutted these claims, stating:
(i) Although the Chinese parent company were responsible for drafting the form, SAF Logistics had asked to distribute it to its employees. The parent company had not instructed SAF Logistics to forward the form to its employees; rather, SAF Logistics itself had chosen to do so, in its capacity as a data controller.
(ii) SAF Logistics had actively participated in the form’s distribution through the WeChat messaging system, suggesting a significant level of influence.
SAF Logistics' hefty fine from the CNIL serves as a stark warning to companies worldwide: tread carefully when handling your employees' data. The decision also reaffirms that active involvement (even if under the auspices of a parent company) can confer data controller status. Companies therefore need to be vigilant in their data handling practices and to acknowledge their responsibilities in data processing where parent companies may operate in jurisdictions with less stringent data protection laws.
Ignoring these principles not only jeopardises employee privacy but can also lead to fines and reputational damage. In an era of heightened data protection awareness, businesses must prioritise compliance, respect boundaries, and maintain the trust of their employees.