Cyprus Commissioner fines companies for tool scoring employees’ sick leaves

21 Feb 2020
The Cyprus Commissioner for personal data protection has fined three affiliated companies for the operation of an automated tool used to assess the employees’ sick leaves by scoring the data and profiling the employees based on the results.
 
After having received a complaint submitted by the Cyprus employees’ trade union, the Commissioner investigated the use of the “Bradford Factor” tool by the Companies.  This automated tool aimed to score employees' sick leave. According to this system, short, frequent, and unplanned absences lead to a higher disorganizing of the companies rather than longer absences.

For further consultation of the Commissioner’s investigation, the Companies have conducted an impact assessment of this processing operation to demonstrate that their legitimate interest prevailed over the interests, rights and freedoms of their employees and thus the mitigation of the risks was adequate. However, the input received by 25 EU Supervisory Authorities via the mutual assistance procedure validated the absence of legal basis.

After having taken into consideration the results of the investigation, the Commissioner ruled that the use of this tool lacked legal basis since the companies failed to establish that their legitimate interests override their employees’  interests, rights and freedoms (art. 6.1 of the GDPR) and that they were allowed to process their employees’ health data (special categories of personal data) under art. 9 of GDPR.

The decision also noted that the Companies were allowed to monitor the frequency of sick leaves and the validity of sick leaves certificates but only within the context of the relevant legislative framework.
For all these GDPR infringements the Commissioner imposed the fine of €82.000 and ordered the Companies to stop the processing and delete the relevant data.
MORE RELATED NEWS

EADPP at the EDPB Stakeholder Event on processing of personal data for scientific purposes
Our Director, Maria Raphael, was a speaker at the 3rd Digital & Payments Conference
Privacy Minders’ co-founder was elected the President of the EADPP
Personal Data Protection Fines in Cyprus from July to September 2019
Larnaca, Cyprus

57 Spyrou Kyprianou Avenue,
Bybloserve Business Center, Larnaca 6051, Cyprus

London, United Kingdom

71-75 Shelton Street
London WC2H 9JQ
United Kingdom

Get in touch

Tel: +357 24812581/82
Fax: +357 24812583
Email: info@privacyminders.com

Click here to Subscribe