In 2018 the employees' trade union lodged a complaint with the Data Protection Authority in Cyprus against a group of companies that had implemented an automated tool for scoring employees' sick leave, known as the "Bradford Factor". Following the complaint, the Commissioner launched an investigation into the matter.
The logic behind the Bradford Factor system for scoring employees' sick leave is that short, frequent and unplanned absences cause more disruption to a company than longer absences do. The companies therefore implemented the tool for the purposes of managing, monitoring and controlling employees' absence from work on health grounds.
Pursuant to Article 9(1) of the GDPR, the dates and frequency of an individual's sick leave, insofar as the individual is directly or indirectly identifiable, constitute data concerning health, i.e. "special categories of personal data". Consequently, (a) feeding such data into an automated system, (b) scoring the data with the Bradford Factor, and (c) profiling individuals on the basis of the results each constitute processing of personal data, and such processing operations evidently have to comply with the principles laid down in the GDPR.
Each of the companies, as employer and controller, was entitled to monitor the frequency of sick leave and the validity of the corresponding sick leave certificates. That right, however, must not be abused and must be exercised within the limits set by the relevant legislative framework: processing of personal data is compliant only if it is restricted to the information strictly necessary for the organisation, control and conduct of the company's business.
During the Commissioner's investigation, the controller carried out an impact assessment of the processing operation and submitted it to the Commissioner for consultation. In the Commissioner's opinion, the controller had failed to demonstrate through the impact assessment that its legitimate interest prevailed over the interests, rights and freedoms of its employees, and consequently the mitigation of the risks was inadequate. In the course of the investigation the Commissioner also made use of the possibility of referring legal questions to the other supervisory authorities in the EEA through the mutual assistance procedure (Article 61 of the GDPR) and received input from 25 authorities. The replies confirmed the absence of a legal basis for the processing in question and highlighted the need to regulate such matters through specific rules in line with Article 88 of the GDPR.
After assessing all the elements gathered during the investigation, the Commissioner decided that the processing operation had no legal basis. First, it had not been established that the controller's legitimate interest overrode the interests, rights and freedoms of its employees, which would have allowed the controller to rely on Article 6(1)(f) of the GDPR. Second, none of the exceptions in Article 9(2) of the GDPR applied, so nothing permitted the controller to process its employees' health data.
Having established the unlawfulness of the processing, the Commissioner ordered the controller to cease the processing and delete all data collected. In addition, for the infringements of Articles 6(1) and 9 of the GDPR, a fine of €70,000 was imposed on one of the companies, a fine of €10,000 on the second and a fine of €2,000 on the third.
In setting the amount of the administrative fines, due regard was given to the number of data subjects affected (818 employees in total), the nature and duration of the infringements, and the respective turnover of the companies.
Article provided by: Alexandra Kokkinou (tassos papadopoulos & associates, Cyprus)