News from data protection

Contact

Team

Lars Galow (Management, Information Security Officer)

Christoph Wilken (Consultant)

Thorsten Kamp (Officer, Deputy Information Security Officer)

Visitor address

Ecological Centre ÖCO, 3rd floor Uhlhornsweg 99a 26129 Oldenburg

Postal address

Carl von Ossietzky Universität Oldenburg 
Stabsstelle Datenschutz- und Informationssicherheitsmanagement
Ammerländer Heerstr. 114-118
26129 Oldenburg

News from data protection

  • Gruppe im Büro, schemenhaft

    Image: Gerd Altmann, Pixabay

Heavy penalty: €215,000 fine imposed

The HR department of a Berlin-based company stores and uses sensitive personalrelated data. This is costing the company dearly.

In a Berlin company, a tabular overview of all employees in their probationary period was drawn up on the instructions of the management. The continued employment of several people was openly categorised as "critical" or "very critical"; sensitive personal data, such as the use of psychotherapy or interest in setting up a works council, were listed as reasons. Personal statements as well as health and non-work-related reasons were also mentioned here. In some cases, the employees had provided the listed information themselves for duty planning purposes. However, they were not aware of the further processing in the list.

The data protection officer explained that data used to consider the continued employment of employees may only allow conclusions to be drawn about behaviour or performance that are directly related to the employment relationship. The use of personal data mentioned here, on the other hand, is not lawful.

Meike Kamp, Berlin Commissioner for Data Protection and Freedom of Information, explains: "The collection, storage and use of employee data must always take place in a permissible context with the employment relationship. This was not the case in this instance. Health data in particular is especially sensitive information that may only be processed within narrow limits."

Three further fines totalling EUR 40,000 were imposed due to the lack of involvement of the company data protection officer when the list was drawn up, the failure to mention this in the processing directory and the late notification of a data breach.

When assessing the fines, the BlnBDI took into account the company's turnover and the number of employees affected. It was also taken into account that the processing of health data without a legal basis constitutes a particularly serious offence. The fact that the company cooperated fully with the BlnBDI and stopped the infringement on its own initiative without being requested to do so after it became publicly known was one of the factors taken into account to reduce the fine.

Right infringed
Art. 9 para. 1 GDPR
Art. 6 GDPR

Source
Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) - www.datenschutz-berlin.de

back

(Changed: 12 Feb 2026)  Kurz-URL:Shortlink: https://uol.de/p104765n8435en
Zum Seitananfang scrollen Scroll to the top of the page

This page contains automatically translated content.