Data protection fine for using the Bradford factor
Date: 27.01.2020
Reason for the data protection fine: Use of the Bradford Factor violates GDPR
The Cypriot data protection commissioner imposed a fine totalling EUR 82,000.00 on LGS Handling Ltd, Louis Travel Ltd and Louis Aviation Ltd (Louis Group of Companies) for the lack of a legal basis for processing by means of the "Bradford Factor" tool, which is used to assess employees' sick leave.
The investigation was initiated after a complaint was filed by the trade union of the workers concerned.
The date and frequency of a person's absence due to illness lead, where the person's identity is disclosed directly or indirectly, to the processing of "special categories of personal data" as defined in Article 9, first paragraph of the GDPR.
The provision of personal data to an automated system, the evaluation of the data using the "Bradford Factor" and the creation of profiles of individuals based on the results are considered processing of personal data; such processing must therefore comply with the principles of the GDPR.
The data controller carried out a data protection impact assessment of the processing, which was submitted to the supervisory authority for consultation during the investigation. The latter considered that the data protection impact assessment did not allow the controller to demonstrate that his legitimate interest took precedence over the interests, rights and freedoms of his employees and that, consequently, the risk mitigation was not adequate.
In the course of the investigation, the EDPS made use of the possibility to address legal questions to the other EEA Contracting States through the so-called mutual assistance procedure and received contributions from 25 authorities. The replies received confirmed the lack of a legal basis for the processing in question and stressed the need to address such matters with specific rules in accordance with Article 88 of the GDPR.
As an employer, the data controller had the right to monitor the frequency of illness and the validity of medical certificates. However, such a requirement should not lead to improper treatment of employees.
After the supervisory authority established the breach, the data controller was instructed to stop the processing and delete all collected data. Furthermore, in connection with the violations of Article 6, first paragraph, and Article 9 of the GDPR, a fine of EUR 70,000 was imposed on LGS Handling Ltd, a fine of EUR 10,000 on Louis Travel Ltd and a fine of EUR 2,000 on Louis Aviation Ltd.
In deciding the level of administrative penalties, the number of persons concerned (818 employees in total), the nature and duration of the infringements and the respective turnover of the undertakings were taken into account.
Amount of the data protection fine: 82,000 euros
Country: Cyprus