The Federal Data Protection Act (Bundesdatenschutzgesetz; “BDSG”) sets out a range of requirements for how a company in Germany must organize itself to ensure compliance with data protection law. Particular importance is attached to the company’s obligation to implement appropriate technical and organizational measures that guarantee data security and data protection.
Confidential data within the company
In this context, the Berlin public transport services (Berliner Verkehrsbetriebe; “BVG”) were recently dragged into the spotlight of negative publicity. Apparently, BVG executives had unauthorized access to sensitive employee data over a period of two weeks. Yet it follows from the principle of confidentiality in personnel file management that data relating to personnel files must be treated confidentially not only towards external third parties but also within the company itself. Therefore, the group of people entrusted with handling personnel files must always be kept as small as possible.
In principle, only the employer himself and the people handling personnel matters on his behalf should be granted the right to inspect personnel files. This includes the members of the HR department, within the scope of their respective competences, and – within certain limits only – the respective superiors.
Supervisory authority investigated
The German trade union Ver.di brought the accusations against BVG to light. During the ensuing external audit conducted by the Berlin data protection commissioner, it turned out that the executive concerned had not only accessed the data but had even opened and printed at least one document. Because access logs were lacking, it was impossible to trace whether and, if so, which other employees had also accessed the sensitive data.
During her audit, the data protection commissioner found that this was “not a mere mistake by one employee”. In fact, she revealed serious irregularities in the company’s data protection organization:
– Important data were not kept on separate drives;
– access to personal data could not be verified, due to insufficient access logging; and
– the processes for granting access rights to directories were outdated, inappropriate and could not be verified.
The commissioner also found defects in the handling of the violation once it had been discovered. The company’s bodies, the employees’ representatives and the company’s data protection officer were either not informed at all or were informed only several months after the incident had become known. The Berlin data protection commissioner was not informed either.
Data protection management system prevents violations
This incident shows that companies still have some catching up to do in establishing data protection management systems. The reasons are as varied as the violations themselves:
– lacking interest in data protection,
– companies that have grown too quickly, with an internal organization unable to keep pace, or
– deficient structures that are never critically evaluated, true to the motto: “We always did it that way!”.
Fines imposed on companies
Violations are severely punished. Apart from claims for damages under civil law and criminal prosecution, fines of up to 300,000 euros may be imposed. And as of May 2018, when the General Data Protection Regulation comes into force at EU level, things will get even worse: the fines will rise sharply and may, in serious cases, amount to 20 million euros or 4 percent of the overall worldwide annual turnover, whichever is higher. Our specialized attorneys advise companies in developing internal data protection concepts. We will be pleased to answer your questions.