Fine imposed on pharma company
The National Data Protection and Freedom of Information Authority (DPA) has recently published on its website a decision imposing a fine on a pharma company. The date of the decision is 23 May 2018 and a summary of the decision follows below.
The DPA imposed a fine on EGIS Gyógyszergyár Zrt because in the authority's view, the company had processed personal data in the absence of a proper legal basis in connection with camera surveillance and had failed to provide prior information concerning such data processing to its employees. Due to this, the authority imposed a data protection fine of HUF 800,000 (approx. EUR 2,500) on the company (the fine was imposed prior to the applicability of the GDPR).
The procedure concerned two cameras surveilling work processes, which had been installed with a view to making processes more effective. The data controller had verbally informed its employees about the use of cameras. The controller named the consent of the employees as the legal basis of the data processing.
The cameras were capable of making records which were kept for three business days. The cameras were operating continuously but only made records if they detected motion.
The purpose of data processing (principle of purpose limitation)
The authority established that cameras may as such be used for the purposes of making work processes more effective, however, certain requirements must be met. Electronic surveillance applied for the purposes of making work processes more effective may only be used for a short period of time (as long as really necessary), the records may not be used for the individual evaluation of employees and no adverse labour law sanction may be applied on the basis of the records. In addition, when making and evaluating the records, the controller must carry out such evaluation in a way that it does not result in the identification of the employees, as much as possible.
In the authority's view, the use of cameras was in line with the principle of purpose limitation, thus, established no violation in this regard.
The legal basis of data processing
In case of camera surveillance, the legitimate interest of the employer may be the proper legal basis. The employees' consent may not be used as a legal basis for such data processing. The employees' consent may in any case only be used in limited cases, in line with the practice of the EU's former data protection working party and the DPA.
If the controller wishes to use its legitimate interest as a legal basis, it must prepare a so-called balancing test prior to the commencement of data processing. In such a test, the controller is required to show why data processing may take place (why its legitimate interest takes priority over the interests of the employees).
The authority established that data processing had taken place without a proper legal basis.
The DPA established that the data controller had failed to provide proper information in connection with data processing. Namely, the DPA established that there was no proper information given on the legal basis, on how many cameras the controller was using, where the cameras were located, what areas they were targeted at, what main security measures were being applied, and what rights the data subjects had. The authority also established that the information had not been granted prior to the data processing taking place.
Based on the above, the authority established that a violation had taken place also in respect of the obligation to give prior information.
Zoltán Balázs Kovács, J.D. (LL.M.), Partner, Szecskay Attorneys at Law, Budapest, Hungary (firstname.lastname@example.org)
The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.