A recent decision in Germany has resulted in a hefty fine being imposed on an employer for violations of the European Union's General Data Protection Regulations ("GDPR"). The decision is a strong warning to South African employers to not overprocess their employees' information.
The employer, H&M Germany had, for a number of years, through one-on-one conversations between the employees and their supervisors, been collecting and digitally storing employees' personal information pertaining to holiday experiences, symptoms of illnesses, diagnoses, family issues and religious beliefs, in addition to meticulous evaluations of individual work performance. This information was partially recorded, digitally stored, detailed, updated over time, and could be accessed by up to 50 executives throughout the company.
In October 2019, all of this information became accessible, companywide, for a few hours as a result of a configuration error, bringing to light H&M's collection of information concerning its employees. It transpired that:
- H&M collected, recorded, stored and updated personal information of employees which could be accessed by a number of individuals;
- the employees were unaware that their personal information (of a very private nature, which they shared with their supervisors on a casual basis), was being processed in the manner set out above;
- the employees were unaware of the purpose for which their personal information, processed in this manner, was used by H&M; and
- appropriate security measures were not implemented to ensure the integrity and confidentiality of the employees' personal information, resulting in companywide access to the employees' personal information.
H&M immediately reported the breach to the Data Protection Authority of Hamburg ("HmbBfDI"). The HmbBfDi imposed a fine of EUR35.2-million for the employer's illegal surveillance of its employees' activities and stated that this fine was "adequate and effective to deter companies from violating the privacy of their employees". Furthermore, H&M undertook to implement various remedial steps on implementing data protection going forward, apologised to all of the affected employees, and undertook to compensate the employees.
It is likely that an employer in South Africa, conducting itself in a similar way to H&M, would breach several provisions of the Protection of Personal Information Act, 2013 ("POPIA"), including:
- section 10, which prescribes that personal information should only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive;
- section 13, which provides that personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party;
- section 18, which prescribes that, if personal information is collected, the responsible party (the employer) must take reasonably practicable steps to ensure that the data subject (the employee) is aware of the information being collected and, where the information is not collected from the data subject, the source from which it is collected. The data subject should further be notified of: the purpose of the collection of the information; whether supplying the information is voluntary or mandatory; the recipient or category of recipients of the information; the nature or category of the information and the right to access, rectify or object to the processing of their personal information; and
- section 19, which prescribes that the responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent the loss of, damage to, or unauthorised destruction as well as unlawful accessing of processing of personal information. These measures must be maintained, regularly verified for effective implementation, and continually updated in response to new risks or deficiencies.
Due to the mandatory security compromise reporting obligations prescribed by POPIA, instances such as the compromise described in the H&M decision must be reported to the Information Regulator. This will bring the conduct of a responsible party under the scrutiny of the Information Regulator and could result in administrative fines of up to ZAR10-million being imposed on the responsible party and/or the imprisonment of the Information Officer. Data subjects also have the right to institute civil actions for damages resulting from contraventions of POPIA in circumstances where POPIA imposes strict liability on responsible parties, irrespective of intent or negligence on the part of the responsible party.
With the end of the grace period under POPIA fast approaching, it is imperative that employers train and educate their employees, at the very least, on the following:
- what constitutes personal information (including special personal information);
- the circumstances under which personal and special personal information may be processed;
- the data subject's rights in respect of the personal information collected by the employer;
- the security safeguards to be implemented when processing personal information;
- how to manage and mitigate data breaches; and
- the mandatory breach reporting obligations under POPIA.
ENSafrica provides comprehensive and full-service data privacy and data-breach advice and assistance, including:
- pre-breach services to assist with the protection of data privacy, the preparation of data-management and security policies, contracts and procedures for businesses, consent clauses, data protection clauses to be inserted in employment contracts, information officer appointment letters, training services, advice on all aspects of POPIA, including trans-border transfers of personal information; and
- post-breach services to assist with breach-response and mitigation of liability, breach notifications and regulatory investigations, and complex litigation matters involving data-breaches and security compromise events.
We also provide comprehensive coverage advice to clients in relation to cyber insurance policies.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.