25/06/21

Data Protection Authority decision on communicating the circumstances for a dismissal to remaining staff - is silence golden?…

In their decision of 1 June 2021 (Decision No 63/2021), the Data Protection Authority determined that an employer who communicated the reasons and circumstances for the dismissal of two former employees, was to a limited extent in breach of the General Data Protection Regulation (GDPR). Although  employers have the right to inform their employees about the dismissals themselves, they need to limit this information to what is strictly necessary for the intended purpose, i.e. a brief communication stating that an employee is no longer part of the staff.

Facts and relevant information

Two former employees of a residential care centre filed a complaint with the Data Protection Authority against their former employer due to the internal communications following their dismissals. Their former employer had informed the remaining staff of their departure, as well as the circumstances and facts underlying the dismissals. Both former employees were of the opinion that this was in breach of the GDPR and one of them also requested additional compensation. Both complaints were merged into one file and were dealt with together by the Data Protection Authority on 1 June 2021.

The Data Protection Authority’s reasoning and decision

The final decision by the Data Protection Authority was based on several points:

Lawfulness of processing personal data

Since both complaints fall within the scope of the employment relationship between the plaintiffs on the one hand and the defendant (i.e. the residential care centre) on the other hand, the processing of personal data by the defendant must be based on GDPR article 6.1b (‘lawfulness’). The processing of the plaintiffs' personal data in the event of the termination of the employment relationship is part of the performance of the employment contract and thus has to be considered as lawful. No further comments were made by the Data Protection on this point.

The principle of data minimisation

Furthermore, when processing personal data, the employer is obliged to respect the principle of data minimisation (GDPR art. 5.1c) - personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed.

As concerns plaintiff 1, the email that had been sent out by the employer only stated that the collaboration with plaintiff 1 had been terminated and that therefore they would no longer appear on the workfloor of the residential care centre. In that regard, the Data Protection Authority reasoned that the communication by email concerning the dismissal of plaintiff 1 had been limited and in line with the principle of data minimisation (strictly necessary for the intended purpose) and that the defendant had not committed an infringement of GDPR art. 5.1c.

As concerns plaintiff 2, however, the communication sent out by the employer had been more elaborate. it not only communicated the dismissal to staff, but also the information that the dismissal took place after three written warnings and performance reviews. The Data Protection Authority reasoned that the information about the number of written warnings and performance reviews was by no means necessary for the intended purpose. This could have been reasonably achieved without communicating this additional information. As such, the Data Protection Authority concluded that in regard to plaintiff 2 there was in fact an infringement of GDPR art. 5.1c by the defendant.

Claim for compensation by plaintiff 1

Plaintiff 1’s request for additional compensation was not accepted by the Data Protection Authority as this does not fall within the Data Protection Authority’s competences. Furthermore, no GDPR infringement took place in the case of plaintiff 1.

The Data Protection Authority’s Decision

In conclusion, the Data Protection Authority was of the opinion that there was no GDPR infringement in the case of plaintiff 1. However, in regard to plaintiff 2, the Data Protection Authority issued a reprimand to the defendant as a result of the infringement of GDPR article 5.1c.

Take-away

Although the Data Protection Authority took no formal action against the defendant, communication in light of the dismissal of employees must always be strictly limited to what is necessary to avoid  any issues regarding the privacy of former employees. Although communicating a dismissal in itself will not constitute a breach of GDPR principles, employers must tread carefully if they also want to communicate on the circumstances surrounding the dismissal. Therefore it’s like the old saying goes ‘speech is silver, but silence is golden!’

dotted_texture