Marking a year since the entry into force of the GDPR on 25 May 2018. Contributor Ius Laboris
In Austria, first breaches of the GDPR can basically only be sanctioned by a warning; the Austrian DPA imposes fines from the second breach onwards.
So far three fines have been imposed by the Austrian DPA, all of which involved illegal video surveillance. The fines ranged from EUR 300 to 4800.
The Austrian Data Protection Act (Datenschutzgesetz 2000, ‘DSG’) has made use of the scope for making separate rules in Article 88 of the GDPR. Section 11 DSG (based on which the penalty provisions of Article 83 (2) to (6) GDPR are applied) was amended in such a way to ensure proportionality is maintained. Hence, particularly in the case of first-time infringements, the DPA will make use of its remedial powers in accordance with Article 58 of the GDPR, that is, by issuing a warning.
During the past year Austria has imposed very few fines. The DPA judgments issued since the new GDPR legislation came into effect have mainly concerned first findings of infringements and associated warnings. As far as can be anticipated, the DPA seems to stick to the approach described above, issuing a warning for first-time infringements. So far, the DPA seems not to have judged a breach of data protection to be severe enough to oblige it to impose fines right away.
One of the most recent DPA decisions, from December 2018, shows an interesting trend regarding the definition of ‘the data subject’s right to deletion of data’ and whether anonymising data by removing the individual references to a person already satisfies the data subject’s right to deletion of data.
The Austrian DPA ruled that the data controllers (and not data subjects) have the right to choose the appropriate technical and/or organisational security measures for the retention of data and that the removal of individual references is, in principle, a legitimate way to comply with a request for deletion, since the GDPR does not apply to data without personal references (i.e. to anonymised information).
The French Data Protection Authority (‘CNIL’) imposed a huge GDPR fine on Google LLC (EUR 50 million) on 21 January 2019, based on a lack of information and transparency for users. It took into account the large volume of data and number of individuals involved in this violation of privacy.
In general, the CNIL has not yet imposed fines as vigorously and as widely as many people feared: it started first and foremost by providing information, guidelines, e-learning training and various tools about the GDPR on its website. Also, smaller companies are being treated with greater leniency.
Nevertheless, the CNIL has already imposed fines on Bouygues Telecom (EUR 250,000), Uber (EUR 400,000), Dailymotion (EUR 50,000) and Optical Center (EUR 250,000), all relating to a lack of technical measures securing client data.
Complaints to the CNIL have increased by 32.5% compared with 2017. They relate to requests to erase data on the Internet, but also to inadequate security for personal data in the marketing and business, human resources, banking, and health and social services sectors.
Despite its aim of ending the fragmentation of rules within the EU, the GDPR still allows each EU member state to set its own, or further, rules on a number of subjects. France decided to implement the GDPR by staying as close as possible to the text of the GDPR and by updating its existing data protection legislation, which dates back as far as 1978. A law dated 20 June 2018 and an order (‘ordonnance’) dated 12 December 2018 integrated some European provisions on criminal data into French legislation.
The GDPR is slowly gaining attention in labour law but it is too early to cite case law relating to privacy issues covered by the GDPR in the context of employment.
Nevertheless, issues around data protection arise more and more frequently in organisations, for example, data subject access requests. Some employees ask for a copy of their personal data, as a possible preliminary to litigation, notably in cases of termination of employment. Unions and staff representatives are more aware of the issues and question employers regarding the implementation of the GDPR.
Some IT and HR departments have already been confronted with breaches in the security system for personal data, which have forced them to communicate swiftly with the CNIL and with potentially affected employees.
Multinational companies with French subsidiaries have also had to re-think the volume and the level of detail of (local) personal data that they ask to be transferred to their headquarters, especially outside the European Union.
According to a recently published article, German DPAs have issued 75 fines since the GDPR came into effect, based on the authorities’ answers to the article’s research. The total amount of all fines imposed, based on these answers, was only EUR 449,000, the largest single fine being EUR 80,000. By way of background, in Germany the DPAs are organised at state level, and not all 16 authorities had responded to the questions at the time of this research.
The German legislator has passed a set of national implementation rules that came into effect at the same time as the GDPR. This German statute (‘Bundesdatenschutzgesetz’) includes a specific rule on the processing of employee data, which is for the most part based on previous German data protection legislation.
The GDPR received a huge amount of attention in Germany, especially around the time of implementation in May 2018. This included interest in the impact of the GDPR in employment relationships. Now that ‘GDPR preparation’ has been completed by most employers, an increasing number of new practical issues are emerging, such as how to handle data subject access requests (DSARs) or how to manage a very detailed list of data retention or deletion periods.
Regarding DSARs, a recent lower court verdict against German car manufacturer Daimler has received a lot of attention in the employment law community. The action is now pending before the highest German Labour Court, Bundesarbeitsgericht. In proceedings relating to a termination, the plaintiff, a lawyer himself, demanded to be provided with information about all data collated about his performance and behaviour and about the origin of this data. While DSARs are generally granted by the GDPR, the parties are now debating to what extent DSARs are limited by third party rights such as the privacy of other employees included in correspondence, and to what extent DSARs are limited by practical considerations, to avoid an obligation to provide bottomless amounts of information.
So far, the Greek Data Protection Authority (HDPA) has mainly opted to raise awareness, providing information, guidelines and consultations and taking on an important role as an interpreter of data protection law provisions. It has, however, also taken some significant enforcement measures. Among others, it has imposed EUR 150,000 fines on mobile phone operators for making unsolicited calls, and a EUR 30,000 fine on a group of companies in the petroleum industry for unlawful processing and failure to comply with the required organisational and technical measures.
Some other notable decisions include its ruling that Uber is an information society service falling within the scope of the GDPR, its decision regarding the right to erasure, which forced Google to comply with data subjects’ requests that the company had initially rejected, and the imposition of fines for breaching surveillance provisions.
In total, the HDPA has handled 66 data breach notifications in the first six months following implementation of the GDPR.
National legislation to implement the GDPR is still pending. The relevant bill was open to consultation and is expected to be finalised in the coming months.
The GDPR is gaining attention in several areas, including labour law. Meanwhile, HDPA activity has increased. Its organisation chart has been updated to align with the post-GDPR era and controllers are currently being recruited, potentially leading to an increase in monitoring and enforcement measures. Recently, the HDPA published a list of the kinds of processing operations subject to the requirement for a data protection impact assessment pursuant to Article 35(4) of the GDPR.
Greek courts have already dealt with a number of GDPR-related issues, such as notification requirements for the transfer of personal data to be used within the framework of employment litigation, compensation for unlawful transfer of personal data, valid consent issues and surveillance of employees.
The Dutch Data Protection Authority has not yet imposed GDPR fines as vigorously as many people feared: it started first and foremost by providing information, guidelines and tools about the GDPR on the website.
Only one fine has been imposed: Uber was fined EUR 600,000 for breaching the reporting obligation for data breaches. This data breach took place at the Uber Group in 2016 (an obligation to report data breaches has applied in the Netherlands since 2016, but with much lower penalties): unauthorised individuals gained access to customers’ and drivers’ personal data (names, email addresses and phone numbers). The Uber Group was fined because it did not inform the DPA and the data subjects involved within 72 hours of discovering the data breach.
Despite its aim of ending the fragmentation of rules within the EU, the GDPR still allows each EU member state to set its own, or further, rules on a number of subjects. The Netherlands decided to implement the GDPR in a ‘policy-neutral’ manner, meaning the Dutch implementation act (‘Uitvoeringswet AVG’) stays as close as possible to the text of the GDPR. More specifically, the Dutch implementation act has not made use of the possibility to introduce separate rules for processing of employees’ personal data. The implementation act applied from 25 May 2018.
The GDPR is slowly gaining attention in labour law. Dutch case law has seen examples in the past year of issues relating, for example, to data subject access requests or privacy claims after negative references from a former employer. The question of admissibility of evidence obtained in breach of an employee’s privacy has also been examined: based on Dutch case law, even if it is established that evidence used, for example, in a dismissal case was obtained unlawfully by the party relying on it, the court is not generally required to disregard it. The general social interest in the truth coming to light plus the parties’ interest in being able to support their case outweigh the arguments for excluding such evidence unless additional circumstances indicate otherwise.
During the first year of GDPR enforcement, the Portuguese DPA imposed four fines as a consequence of data privacy breaches.
In 2018, a fine of EUR 400,000 was issued as a result of indiscriminate access by hospital staff to patients’ data and the data processor’s inability to ensure the confidentiality, integrity and resilience of the system and processing services. The DPA considered that the hospital was severely at fault in its actions.
Minor fines have been imposed during 2019. A fine of EUR 20,000 was imposed on a call centre’s client (the data controller) because the call centre did not provide a customer with records of phone calls after being requested by the customer to do so. The other fines, of EUR 2,000 each, were imposed as a result of the lack of warning signs in cases of video surveillance.
Up to February 2019, more than 200 complaints had been notified to the Portuguese DPA. Considering the number of complaints and the four fines already publicised, there is a clear lack of means and responsiveness on the part of the Portuguese DPA (a fact that is also recognised by the Authority).
The Portuguese Government has not yet approved any national legislation adapting the GDPR. This delay is related to the negative opinion issued by the Portuguese DPA regarding the draft law that was published last year and subject to public consultation. We anticipate that a national law will be approved in the coming months.
Data privacy concerns are common in employment relations and courts are slowly being asked to decide cases involving privacy issues. The GDPR focused the attention of companies on privacy matters and, after the initial stress of its entry into force, the litigation environment is currently calm.
There is significant interest and anticipation regarding the proposed Portuguese national law on data protection and how the DPA will conduct its future inspection mission.
Birgit Vogt-Majarek, Partner and Karoline Saak, Associate at Austrian law firm, Schima Mayer Starlinger
Anne-Laure Périès, Partner at French law firm, Capstan Avocats
Jessica Jacobi, Partner at German law firm, KLIEMT.Arbeitsrecht
Dimitrios Kremalis, Partner at Greek law firm, Kremalis
Philip Nabben, Partner at Dutch law firm, Bronsgeest Deur
Bruno Barbosa, Partner at Portuguese law firm, pbbr
THIS UPDATE PROVIDES SUMMARY INFORMATION AND COMMENT ON THE SUBJECT AREAS COVERED. EMPLOYMENT LAW IS SUBJECT TO CONSTANT CHANGE EITHER BY STATUTE OR BY INTERPRETATION BY THE COURTS. WHILE EVERY CARE HAS BEEN TAKEN IN COMPILING THIS INFORMATION, WE CANNOT BE HELD RESPONSIBLE FOR ANY ERRORS OR OMISSIONS. SPECIALIST LEGAL ADVICE MUST BE TAKEN ON ANY LEGAL ISSUES THAT MAY ARISE BEFORE EMBARKING UPON ANY FORMAL COURSE OF ACTION.