Employer reprimanded for discussing sensitive personal data about an employee during internal HR meeting

Summary

The HR team of a medium-sized public organization held a meeting to discuss the dismissal of a senior consultant, during which she was not present. The meeting referenced and cited paragraphs from a report prepared by an external service for prevention and protection at work, documenting the employee’s extended absence and indefinite incapacity to work as determined by the company doctor.

The details discussed in the meeting were documented in the minutes of the meeting, which were shared with all employees in the department, irrespective of their attendance at the meeting. Furthermore, the minutes were posted on the organization’s Intranet, accessible to employees from all departments within the organization.

Decision of the Belgian Data Protection Authority

The Belgian Data Protection Authority issued a reprimand to the employer, since the Authority lacked the power to impose fines on public organizations.

Our remarks

• This case offers significant insights about the scope of the GDPR and the admissibility of complaints. The employee had initially filed a complaint to the Belgian DPA based on the verbal statements made during the meeting. This complaint was rejected on the grounds that oral statements are not covered by the GDPR. However, when the employee based her complaint on the minutes of the meeting and their availability on the public authority’s server, her complaint was deemed admissible.

• When informing staff about personnel changes, written statements should be limited to factual data while avoiding the disclosure of sensitive personal data regarding the individual involved. If processing special categories of personal data, such as health data, data controllers must ensure that one of the legal bases provided in GDPR, Article 9(2), applies to justify the processing as lawful.

Published: 09-02-2021
Journal number: DOS-2018-06125
Tags: 01 Legal basis and principles of processing