Belgium: Disclosing Personal Health Information during HR-meeting on Dismissal Violates GDPR
Author: Chris Van Olmen
During an internal meeting of HR staff, the dismissal of the employee in question was discussed, without the employee herself present. During the meeting, a service manager had read out a document provided by an external service for prevention and protection at work. This document contained the information that the employee had been absent for several weeks and that she had later been declared indefinitely incapacitated for work by the company doctor. These facts were included in the minutes of the meeting, which were sent to all the employees of the department, regardless of whether they had attended the meeting, and were moreover posted on the public authority’s Intranet, where employees of other departments could access them.
The employee discovered the above after her colleagues asked her questions about the disclosed information. She filed a complaint based on the verbal statements made during the meeting, but it was rejected, as oral statements do not fall within the scope of the GDPR rules. However, when she based her complaint on the minutes of the meeting and their availability on the public authority’s server, her complaint was deemed admissible.
The employee objected to personal information concerning her health being disclosed as a reason for her dismissal to all employees, as well as the inclusion of this information in the minutes and the availability of these minutes on the server. The complaint was directed at her supervisor, the service manager, but the DPA reasoned that the entity with the final responsibility was, in almost all cases, the employer itself and extended the complaint to include the public authority.
The DPA stated that informing staff of personnel changes in writing is still allowed but must remain limited to the fact that the employee is no longer employed by the company. Furthermore, communicating an employee’s sensitive health data to employees other than those whose job requires that they know (the HR staff), and including this data in the minutes, requires a specific, separate legal basis to be considered ‘lawful processing’, as provided in art. 6.1 and 9.2 GDPR. The DPA found that the processing of health data in the manner concerned could not be based on any of the grounds of art. 6.1 GDPR. It therefore concluded that the public authority had committed a GDPR violation.
The DPA sanctioned the employer with a reprimand, as it does not have the competence to impose a fine on public authorities, and urged the public authority to educate its staff and take the necessary measures to rectify the current situation.
Key Action Points for Human Resources and In-house Counsel
- Informing staff of personnel changes based on personal information is still allowed; written statements should, however, be limited to factual data (see also: GBA 63/2021, 1 July 2021).
- When processing special (sensitive) categories of personal data (such as data on health, but also data on race, ethnic origin, political beliefs, religious beliefs, trade union membership, biometric data, and sexual behaviour and identity), make sure one of the bases of art. 9.2 GDPR applies for it to be considered lawful processing.
- Keep in mind the objective for which the data processing takes place, and ensure that only qualified employees can access this data.
Source: Belgian Data Protection Authority, decision no. 115 of 19 July 2021