GDPR Shot: The “Permanent Record” of employees
Originally published: www.ethemis.gr (in Greek)
Date: 12/10/2020
Aimilios Koronaios
Attorney at Law
LL.M. (Aberdeen), LL.M. (Athens)
The title of Edward Snowden’s book “The Permanent Record” is reminiscent of a recent case of illegal processing of employees’ personal data. It concerns a hefty fine of around EUR 35,3 million imposed a few days ago by the Hamburg Personal Data Protection Authority on a large Swedish multinational clothing retailer. The company illegally carried out extensive “record keeping” on the private lives of many of its employees at its Nuremberg headquarters. Among other things, it recorded their vacation experiences, the health problems they may have had during their leave, sometimes the respective medical diagnoses, “innocent” details of their private daily life, their religious beliefs and their family problems.

Subsequently, these personal data were in certain cases made available to dozens of senior company executives. They were used to create employee profiles, which played a role in the employees’ professional development. The “Permanent Record” was unexpectedly uncovered due to a technical error in the relevant information system of the company, which made the personal data widely accessible within it. It is worth noting that, following the revelation, the company’s management decided to compensate the employees affected by the above practice, due to the seriousness of the infringements.

The case is also of great interest to Greece, as the fine was imposed under the General Data Protection Regulation, known as the GDPR, which applies across Europe. It is recalled, moreover, that the first “GDPR-bomb” of EUR 150,000.00 was dropped by the Greek supervisory authority in the summer of 2019, with the imposition of a fine on a company providing business and accounting services for illegal processing of personal data of its employees (decision No. 26/2019). Greek companies must, therefore, be extremely careful with the personal data of their employees, so that they are always in compliance with the relevant regulatory framework. Otherwise, painful consequences lie in wait.