Data Protection Academy » Data Protection News » Data protection fine for using the Bradford factor

Fines for use of the Bradford Factor

Data protection fine for using the Bradford factor

Date: 27.01.2020

Reason for the data protection fine: Use of the Bradford Factor violates GDPR

The Data Protection Officer of Cyprus imposed a fine totalling EUR 82 000.00 on LGS Handling Ltd, Louis Travel Ltd and Louis Aviation Ltd (Louis Group of Companies) for the lack of a legal basis for processing by means of the 'Bradford Factor' tool used for the assessment of sick leave of employees.

The investigation was initiated after a complaint was filed by the trade union of the workers concerned.

The date and frequency of an individual's sick leave, if his identity is disclosed directly or indirectly, leads to the processing of "special categories of personal data" as defined in Article 9, first paragraph of the GDPR are defined.

The provision personal data to an automated system, the evaluation of the data using the "Bradford factor" and the profiling of individuals on the basis of the results is considered to be processing of personal data; therefore, such processing must be carried out in accordance with the principles of the GDPR stand.

The data controller carried out a data protection impact assessment of the processing, which was submitted to the supervisory authority for consultation during the investigation. The latter considered that the data protection impact assessment did not allow the controller to demonstrate that his legitimate interest took precedence over the interests, rights and freedoms of his employees and that, consequently, the risk mitigation was not adequate.

In the course of the investigation, the EDPS made use of the possibility to address legal questions to the other EEA Contracting States through the so-called mutual assistance procedure and received contributions from 25 authorities. The replies received confirmed the lack of a legal basis for the processing in question and stressed the need to address such matters with specific rules in accordance with Article 88 of the GDPR.

As an employer, the data controller had the right to monitor the frequency of illness and the validity of medical certificates. However, such a requirement should not lead to improper treatment of employees.

After the supervisory authority established the breach, the data controller was instructed to stop the processing and delete all collected data. Furthermore, in connection with the violations of Article 6, first paragraph and Article 9 the GDPR imposes a fine of EUR 70,000 on LGS Handling Ltd, a fine of EUR 10,000 on Louis Travel Ltd and a fine of EUR 2,000 on Louis Aviation Ltd

In deciding the level of administrative penalties, the number of persons concerned (818 employees in total), the nature and duration of the infringements and the respective turnover of the undertakings were taken into account.

Amount of the data protection fine: 82,000 euros

Country: Cyprus

SourceEuropean Data Protection Supervisor

Back to the overview of the data breaches

Caroline Schwabe
Latest posts by Caroline Schwabe (see all)

This might interest you too:

Data protection Fines

Examples of GDPR fines: what happens in data protection

GDPR infringements are punished with heavy fines. Find out which data protection infringements are suspected and secure yourself.
Data protection Fines

Italian data protection supervisory authority imposed 27.8 million fine

The telecommunications operator was found to be involved in unlawful processing for marketing purposes. millions of people were affected.
Data protection Fines

Data protection fine imposed on the Municipality of Oslo Education Authority

120.000 € because the security of the app "Skolemelding" for communication between school staff, parents and pupils was not guaranteed.