Regulations
08 April 2022

DPA holds employer accountable for forwarding data of a former employee

An employer who had sent data of a former employee to a local authority is held accountable by the Belgian Data Protection Authority (DPA). According to the DPA, this action violated several GDPR principles, in particular the principles of purpose limitation, lawfulness, data minimization and confidentiality.

Context

An employee commits an environmental offence (unauthorised disposal of waste) with her company car. As the company car is registered to the company, the competent authority sends the administrative fine for the infringement committed to the employer. The employer then forwards this fine to the employee, who pays it.

About a year later, the company receives a new (much higher) fine from the municipal authorities for the same offence. As the employee has left the company in the meantime, the former employer does not know whether the fine has actually been paid. Consequently, the company confirms the identity of the ex-employee to the municipal authorities, together with her private home address, her private and business e-mail addresses, her profession and a draft letter containing a confession of the offence from the ex-employee.

The company sends the e-mail to three different addresses of the municipality and copies the message to the finance director, the HR director and the employee's former superior.

The ex-employee files a complaint with the Data Protection Authority for breaches of the GDPR.

The decision of the DPA

According to the Data Protection Authority, a part of the processing done by the employer was lawful, whereas another part was unlawful.

The processing of the ex-employee's private e-mail address and place of residence is considered lawful. The employer can invoke its legitimate interest to identify the real perpetrator and to follow up the legal dispute. The processing is also necessary, sufficient and relevant for the accomplishment of the purpose of the employer.

On the other hand, the DPA considers the processing of the professional e-mail address, her profession and the draft letter containing a confession made by the ex-employee to be unlawful.

The processing of these data was not necessary for the follow-up of the dispute: her profession is irrelevant, as the fine did not relate to the employee's new position, and the draft letter containing a confession was only sent for translation purposes to a former colleague at the time.

Finally, with regard to the recipients of the data, the DPA notes that it was not necessary to send this e-mail to the general address of the municipality, nor to the employee's former superior (the processing is not related to the former position held by the employee).

The DPA therefore concludes that the GDPR has not been respected. However, according to the DPA, a fine is not necessary, as there was no intent or structural violation of the aforementioned principles. Therefore, the company was only reprimanded.

To remember?

An employer must always ensure proper compliance with the GDPR, including in the context of an administrative procedure concerning his (ex-)employees. In this regard, the employer must ensure that there is a legal basis for any processing and that he only provides information that is strictly necessary (in terms of content and recipients) to achieve the intended purpose.

Source: Belgian Data Protection Authority, Decision No 34/2022 of 10 March 2022, available at www.gegevensbeschermingsautoriteit.be.
