Data protection fine for using the Bradford factor
Reason for the data protection fine: Use of the Bradford Factor violates GDPR
The Data Protection Officer of Cyprus imposed a fine totalling EUR 82 000.00 on LGS Handling Ltd, Louis Travel Ltd and Louis Aviation Ltd (Louis Group of Companies) for the lack of a legal basis for processing by means of the 'Bradford Factor' tool used for the assessment of sick leave of employees.
The investigation was initiated after a complaint was filed by the trade union of the workers concerned.
Processing the date and frequency of an individual's sick leave, if his identity is disclosed directly or indirectly, amounts to the processing of "special categories of personal data" as defined in Article 9, first paragraph, of the GDPR.
The provision of personal data to an automated system, the evaluation of the data using the "Bradford factor" and the profiling of individuals on the basis of the results are considered to be processing of personal data; therefore, such processing must be carried out in accordance with the principles of the GDPR.
The data controller carried out a data protection impact assessment of the processing, which was submitted to the supervisory authority for consultation during the investigation. The latter considered that the data protection impact assessment did not allow the controller to demonstrate that his legitimate interest took precedence over the interests, rights and freedoms of his employees and that, consequently, the risk mitigation was not adequate.
In the course of the investigation, the EDPS made use of the possibility to address legal questions to the other EEA Contracting States through the so-called mutual assistance procedure and received contributions from 25 authorities. The replies received confirmed the lack of a legal basis for the processing in question and stressed the need to address such matters with specific rules in accordance with Article 88 of the GDPR.
As an employer, the data controller had the right to monitor the frequency of illness and the validity of medical certificates. However, such a requirement should not lead to improper treatment of employees.
After the supervisory authority established the breach, the data controller was instructed to stop the processing and delete all collected data. Furthermore, in connection with the violations of Article 6, first paragraph, and Article 9 of the GDPR, a fine of EUR 70,000 was imposed on LGS Handling Ltd, a fine of EUR 10,000 on Louis Travel Ltd and a fine of EUR 2,000 on Louis Aviation Ltd.
In deciding the level of administrative penalties, the number of persons concerned (818 employees in total), the nature and duration of the infringements and the respective turnover of the undertakings were taken into account.
Amount of the data protection fine: 82,000 euros