Dutch Data Protection Authority [Autoriteit Persoonsgegevens] (‘Dutch DPA’) imposes fine of EUR 48,000
Earlier this month, it was announced that the Dutch DPA had collected a fine of EUR 48,000 from Theodoor Gilissen Bankiers (‘TGB’). The reason for the fine was that TGB had not granted a customer’s request to gain access to his personal data. The customer turned to the Dutch DPA, asking it to enforce the request, and the Dutch DPA ordered TGB to comply with the request, subject to a fine for non‑compliance. Because TGB did not fulfil the request within the stated period, the Dutch DPA collected the fine.
TGB’s customer made his request before the General Data Protection Regulation (‘GDPR’) took effect. He based his request on Section 35 of the then‑applicable Dutch Personal Data Protection Act [Wet bescherming persoonsgegevens]. Since the GDPR came into force on 25 May 2018, Article 15 of the GDPR (which is comparable to Section 35 of the old Dutch Act) has applied to such requests. Article 15 of the GDPR states that the person (‘the data subject’) whose personal data is processed (meaning, among other things, collected, recorded, stored and consulted) may require the party processing the personal data (‘the controller’) to give him/her access to the personal data concerning him/her.
That the Dutch DPA collected a fine in this instance makes clear that a controller (in this case, TGB) must take a request by a data subject (in this case, the customer) under Article 15, GDPR, seriously. Leaving aside exceptions, such a request should be granted. Yet the GDPR gives data subjects even more rights, which, like the above-mentioned request, cannot simply be ignored. What does this mean for employees in the context of an employment relationship?
Privacy rights within the framework of an employment relationship
Within the context of an employment relationship, an employee can be considered a data subject within the meaning of the GDPR. The privacy rights which a data subject has under the GDPR therefore apply to the employee as well, and are enumerated at various places in the GDPR. A summary of the privacy rights which a data subject/employee may invoke against a controller/employer follows below.
- Right to withdraw consent (Article 7(3), GDPR)
One of the bases for being permitted to process personal data is consent freely given by the data subject. An employer, however, will often invoke (or have to invoke) one of the other bases under the GDPR, because consent by an employee will generally – given the relationship of dependence on his/her employer – not have been given freely. In some situations (say, for the use of a photograph in a ‘face book’), consent by the employee may, though, provide a basis for processing. If the employee has given consent in such a case, he/she may also withdraw this consent at any time.
- Right to transparent information (Article 12, GDPR)
The GDPR states that, consistent with the principle of transparency, information intended for the employee must be concise, easily accessible and easy to understand, and clear and plain language must be used. This pertains, for example, to the communications occurring if the employee invokes one of his/her rights under the GDPR.
- Right to information and access (Articles 13 and 14, GDPR)
The employee is entitled to know what will be done with his/her personal data, and why. He/She needs to be made aware of the risks associated with the data processing, the applicable rules, the safeguards and the way in which he/she can exercise his/her rights regarding data processing. The employer must inform the employee about the data processing operations.
- Right to gain access and copy (Article 15, GDPR)
The employee is entitled to view the personal data collected from him/her. He/She may ask the employer at reasonable intervals whether, and, if so, which, personal data of his/hers is being processed.
- Right to rectification (Article 16, GDPR)
The employer must ensure that, if personal data is processed, this data is and remains accurate. If the data is not (or is no longer) accurate, the employee may require the employer to rectify this inaccurate personal data immediately.
- Right to erasure (‘right to be forgotten’) (Article 17, GDPR)
Under certain circumstances, the employee may have the employer erase his/her personal data, for instance, if the processing is unlawful. In addition, the employee has the right ‘to be forgotten’. For example, if the employer has made the employee’s personal data public (on a website, say), the employee may ask the employer to delete this data.
- Right to restriction of processing (Article 18, GDPR)
The right to restrict the processing of personal data means that, in certain situations (for example, if the accuracy of the personal data is contested or the processing of the data is unlawful), the employee may cause the processing of his/her personal data to be halted temporarily. The employee may, for instance, assert this right if he/she feels that too much personal data of his/hers is being processed, without a clear, legitimate purpose.
- Right to data portability (Article 20, GDPR)
The employee is entitled to obtain, in a structured, commonly used and machine-readable format, a copy of the personal data which he/she has disclosed to the employer.
- Right to object (Article 21, GDPR)
For reasons relating to his/her specific situation, an employee may exercise this right to object to the processing of personal data concerning him/her, provided the requirements mentioned in the GDPR are met. If an employee objects, the employer must stop processing the data, unless compelling legitimate grounds dictate otherwise.
- Right not to be subject to automated decision-making (Article 22, GDPR)
There is ‘automated individual decision‑making’ if personal data is used to reach a certain decision and this decision is based on automated processing of personal data. An employee is entitled not to be subject to a decision based solely on automated processing if this will have legal consequences for him/her or will otherwise significantly affect him/her. This may, for example, be the case if an employment contract is terminated solely because a computer indicates that the employee will pose a risk to the organisation. In such instances, the employee may invoke the right to have a human being be part of the decision-making.
- Right to lodge a complaint with a supervisory authority (Article 77, GDPR)
The employee may lodge a complaint with the Dutch DPA if he/she suspects that his/her personal data was processed in a manner which violated the GDPR. The Dutch DPA will decide the issue. If the employee disagrees with this decision, he/she can appeal it to the courts.
- Right to an effective judicial remedy (Articles 78 and 79, GDPR)
An employee may seek a judicial remedy against the Dutch DPA, the employer or a processor if he/she believes that his/her personal data was processed in a manner which was inconsistent with the applicable laws and regulations. This remedy is to be obtained in civil‑law proceedings.
- Class action right / Right to representation (Article 80, GDPR)
An employee may authorise a not-for-profit organisation, body or association to file a complaint on his/her behalf or exercise the rights given to him/her under the GDPR.
- Right to compensation (Article 82, GDPR)
If an employee has suffered material or non-material damage as a result of an infringement of the GDPR, he/she will be entitled to receive compensation for the damage suffered.