Excessive Processing Of Employee Personal Information: A Warning To South African Employers

Published date: 15 October 2020
Subject Matter: Employment and HR, Privacy, Contract of Employment, Data Protection, Privacy Protection
Law Firm: ENSafrica
Author: Ms Suemeya Hanif, Nicole Gabryk and Kerry-Anne do Couto

A recent decision in Germany has resulted in a hefty fine being imposed on an employer for violations of the European Union's General Data Protection Regulation ("GDPR"). The decision is a strong warning to South African employers not to overprocess their employees' information.

The employer, H&M Germany, had for a number of years, through one-on-one conversations between the employees and their supervisors, been collecting and digitally storing employees' personal information pertaining to holiday experiences, symptoms of illnesses, diagnoses, family issues and religious beliefs, in addition to meticulous evaluations of individual work performance. This information was partially recorded, digitally stored, detailed, updated over time, and could be accessed by up to 50 executives throughout the company.

In October 2019, all of this information became accessible companywide for a few hours as a result of a configuration error, bringing to light H&M's collection of information concerning its employees. It transpired that:

  • H&M collected, recorded, stored and updated personal information of employees which could be accessed by a number of individuals;
  • the employees were unaware that their personal information (of a very private nature, which they shared with their supervisors on a casual basis) was being processed in the manner set out above;
  • the employees were unaware of the purpose for which their personal information, processed in this manner, was used by H&M; and
  • appropriate security measures were not implemented to ensure the integrity and confidentiality of the employees' personal information, resulting in companywide access to the employees' personal information.

H&M immediately reported the breach to the Data Protection Authority of Hamburg ("HmbBfDI"). The HmbBfDI imposed a fine of EUR35.2-million for the employer's illegal surveillance of its employees' activities and stated that this fine was "adequate and effective to deter companies from violating the privacy of their employees". Furthermore, H&M undertook to implement various remedial data protection steps going forward, apologised to all of the affected employees, and undertook to compensate the employees.

It is likely that an employer in South Africa, conducting itself in a similar way to H&M, would breach several provisions of the Protection of Personal Information Act, 2013 ("POPIA"), including:

  • section 10, which prescribes that personal information should only...
