Co-funded by the European Union

Belgium: Personal health information cannot be disclosed during HR-meeting on dismissal

  • On 19 July 2022, the Belgian Data Protection Authority (DPA) stated that communicating an employee’s sensitive health data to other employees without their specific consent, and including this data in the minutes of a meeting, is a violation of the General Data Protection Regulation (GDPR).

The case concerns an employee who filed a complaint when she discovered that, during a meeting she did not attend, the service manager shared her personal and medical information with other colleagues by reading out a document issued by the company doctor, which stated that she was unfit to work and would leave the company.

These data were also recorded in the minutes of the meeting.

The employee filed the complaint against the controller with the Belgian DPA for unlawfully disclosing health-related personal data to third parties, also based on the fact that the minutes were saved on the controller's server and freely accessible to all its staff, including staff from other departments.

Although the DPA was not in a position to verify whether the minutes were actually made available on the server of the data controller, it considered that, if this were the case, it would constitute a further processing activity. It therefore examined whether this further data processing was compatible with the purpose of the original processing, according to Article 5(1)(b) GDPR.

The DPA stated that this further processing was incompatible with the purpose of the original processing, as the employee could not reasonably expect that those sensitive data would be communicated widely beyond the persons authorised for personnel management.

This would have required a specific separate basis to be considered ‘lawful processing’ according to the GDPR, so the DPA concluded that the public authority had committed a GDPR violation.

The DPA sanctioned the employer with a reprimand, calling on the public authority to take all the necessary measures to comply with the legislation and to train company staff in this regard.

It is important for employers to bear in mind the relevance of privacy legislation and to put in place all measures, including internal policies and regulations, to avoid any risk of a breach during the performance of the employment relationship, especially when processing sensitive personal data.