During the COVID-19 pandemic, data privacy – and, in particular, employee data privacy – has been at the forefront of employers’ minds. In the last six months, employers across the globe have been required to give careful thought to a whole host of potential issues, from contact tracing apps to temperature and other health checks in the workplace, as well as processing an increasing volume of health data about their staff. Whilst not COVID-19 related, a recent decision from the Hamburg Commissioner for Data Protection and Freedom of Information in Germany (the “Commissioner”) is an important reminder of the very significant financial and reputational sanctions an employer may face if it does not appropriately collect, retain and protect employee personal data in line with the GDPR.

In this case, the Commissioner issued a €35.3 million fine against an international retailer due to its failures in monitoring and processing personal data of several hundred employees at one of its sites in Nuremberg. The decision demonstrates the risks involved when organisations fail to comply with the data minimisation principle under the GDPR by collecting and retaining excessive amounts and types of personal data in light of the purposes for which it has been collected.