Belgium: Disclosure of personal health information at HR meeting on dismissal violates GDPR

During an internal HR staff meeting, the dismissal of the employee in question was discussed, without the employee herself being present. During the meeting, a department manager read out a document provided by an external service for prevention and protection at work. This document stated that the employee had been absent for several weeks and had then been declared indefinitely unable to work by the occupational physician. These facts were recorded in the minutes of the meeting, which were sent to all employees of the department, regardless of whether they had attended the meeting, and were moreover posted on the intranet of the public authority, where employees from other departments could access them.

The employee discovered the above after her colleagues questioned her about the leaked information. She first filed a complaint based on the oral statements made at the meeting, but that complaint was dismissed because oral statements fall outside the scope of the GDPR. However, when she based her complaint on the minutes of the meeting and their availability on the server of the public authority, the complaint was deemed admissible.

The employee objected to the disclosure to all employees of personal information concerning her health as the reason for her dismissal, as well as to the recording of this information in the minutes and to the publication of that report on the server. The complaint was directed against her supervisor, the head of department, but the DPA considered that the entity with ultimate responsibility is, in almost all cases, the employer itself, and extended the complaint to the public authority.

The DPA stated that notifying staff of personnel changes in writing remains permitted, but such notification must be limited to the fact that the employee is no longer employed by the organisation. Furthermore, communicating an employee's sensitive health data to employees other than those whose work requires them to know it (HR personnel), and including this data in the minutes, requires a separate, specific legal basis in order to qualify as "lawful processing" under Art. 6.1 and Art. 9.2 GDPR. The DPA considered that the processing of health data in the manner concerned could not be based on any of the grounds of Art. 6.1 GDPR. It therefore concluded that the public authority had committed a violation of the GDPR.

The DPA sanctioned the employer with a reprimand, as it has no jurisdiction to impose fines on public authorities, and urged the public authority to educate its staff and take the necessary measures to remedy the current situation.

Key Action Points for Human Resources and Corporate Lawyers

  • Notifying staff of personnel changes is permitted; however, written statements should be limited to factual data (see also: GBA 63/2021, July 1, 2021).
  • When processing special (sensitive) categories of personal data (such as health data, but also data on race, ethnic origin, political beliefs, religious beliefs, biometric data, trade union membership, and sexual behaviour and identity), make sure that one of the legal bases of Art. 9.2 GDPR applies so that the processing is lawful.
  • Keep in mind the purpose for which the data processing takes place, and ensure that only employees who need the data for their work can access it.

Source: Belgian Data Protection Authority, decision no. 115 of July 19, 2021
