The State Inspector’s Service Imposed Administrative Liability on Several Organizations for Unlawful Processing of Personal Data in the Course of Labor Relations
2021-07-28 18:20:35

Protection of personal data in the course of labor relations is a high priority for the State Inspector's Service, as in this process institutions process large volumes of personal data of their employees, of candidates seeking employment, and of former employees.
In 2020, in order to examine the lawfulness of personal data processing in the course of labor relations, the State Inspector's Service inspected several organizations, including trade, insurance and microfinance organizations, both at the request of citizens and on its own initiative.
Based on these inspections, the State Inspector's Service identified a number of violations of the Law of Georgia on Personal Data Protection. To prevent similar violations and to raise the standard of personal data protection, the State Inspector's Service shares the facts of the identified violations:
- In one organization, information about the conviction status of employees, including former employees, was uploaded to the internal document-flow portal without any necessity and stored indefinitely. Since the organization could not demonstrate a legitimate aim or a necessity for processing this special category of data, the action was assessed as a violation;
- In one case, the organization stored jobseekers' resumes indefinitely, intending to consider the candidates for future vacancies, without informing them. Taking into consideration that after a certain period of time the data given in a resume may change (so that the document becomes useless) or the person may no longer be interested in employment with the organization, and that accumulating large amounts of data increases the risk of unlawful access to or use of that data, this was assessed as a violation;
- In several organizations, telephone conversations between employees and third parties were recorded in order to maintain service quality and protect customers' rights. The other party to the conversation was informed of the recording only when the call was initiated by the third party; for calls placed by the organization to third parties, no notice of the recording was given. Since call recording had been conducted without warning, this was assessed as a violation;
- In several organizations, data collected to control employees' entry into and exit from the office (date, time, identification data of the individual, the reason for entering or leaving the building) was stored for more than three years, exceeding the legal retention limit for this category of data. This was also assessed as a violation;
- Additionally, one organization was found to have disclosed to a third party, without a legal basis, the position held by a former employee together with the employment contract;
- In most of the inspected organizations, the data security measures implemented were neither appropriate nor adequate. In some cases, employees of an organization accessed employees' data stored in electronic systems using a shared username and password. Also, in most cases the electronic systems did not log all operations performed on electronic data (who logged into the system, whose data they accessed, what type of data was downloaded, etc.), although such logging is necessary to identify the operations performed on the data and the individuals responsible for them.
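As an added illustration, not code from the State Inspector's Service or from any inspected organization, the following Python sketch shows the two controls the last finding calls for: every user of the HR system authenticates with their own credential rather than a shared account, and every login attempt, record read and export is appended to an access log that names the acting user, the employee whose record was touched and the fields involved, so the question "who accessed this employee's data?" can be answered from the log. The employee records, account names and passwords are constructed sample data; the class and function names are this example's own assumptions.

```python
"""Per-user authentication plus an append-only access log for an HR records
store.  Illustrative example written for this article; all data is constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone


def fixed_clock():
    """Constant timestamp so the demonstration run is reproducible."""
    return datetime(2021, 7, 28, 18, 20, 35, tzinfo=timezone.utc)


def _hash_password(password: str, salt: bytes) -> bytes:
    # Passwords are never stored in clear; PBKDF2-HMAC-SHA256 with a per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes


@dataclass
class Session:
    username: str
    session_id: str


class AuditedEmployeeStore:
    """Employee records reachable only through a named user's session.
    Every access is recorded with the actor, the subject (employee id) and the
    fields requested; the log is append-only and never edited in place."""

    def __init__(self, records, clock=None):
        self._records = {k: dict(v) for k, v in records.items()}
        self._accounts = {}
        self._sessions = {}
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self.audit_log = []  # list of event dicts, appended only

    def _log(self, action, actor, subject=None, detail=None):
        self.audit_log.append({"ts": self._clock().isoformat(), "action": action,
                               "actor": actor, "subject": subject, "detail": detail})

    def add_account(self, username, password):
        # One account per natural person; a shared login would make the log useless.
        salt = os.urandom(16)
        self._accounts[username] = Account(username, salt, _hash_password(password, salt))

    def login(self, username, password):
        acct = self._accounts.get(username)
        ok = acct is not None and hmac.compare_digest(
            acct.pw_hash, _hash_password(password, acct.salt))
        self._log("login_ok" if ok else "login_failed", username)  # failures are logged too
        if not ok:
            return None
        session = Session(username, os.urandom(8).hex())
        self._sessions[session.session_id] = session
        return session

    def _require(self, session):
        """Return the acting username, or log and refuse an invalid session."""
        if session is None or self._sessions.get(session.session_id) is not session:
            self._log("access_denied", session.username if session else None)
            raise PermissionError("invalid session")
        return session.username

    def read_record(self, session, employee_id, fields):
        actor = self._require(session)
        record = self._records[employee_id]
        self._log("read", actor, employee_id, list(fields))
        return {f: record[f] for f in fields}

    def export(self, session, employee_ids, fields):
        """Bulk download: one log entry per employee record exported."""
        actor = self._require(session)
        rows = []
        for eid in employee_ids:
            self._log("export", actor, eid, list(fields))
            rows.append({f: self._records[eid][f] for f in fields})
        return rows

    def accesses_to(self, employee_id):
        """Every logged operation that touched this employee's record."""
        return [e for e in self.audit_log if e["subject"] == employee_id]


def sample_store(clock=None):
    """Constructed sample data: two fictitious employees, two HR accounts."""
    records = {
        1042: {"name": "A. Example", "position": "analyst", "salary": 3000},
        1043: {"name": "B. Example", "position": "engineer", "salary": 4200},
    }
    store = AuditedEmployeeStore(records, clock=clock)
    store.add_account("hr_anna", "correct horse battery staple")
    store.add_account("hr_giorgi", "another-long-passphrase")
    return store


if __name__ == "__main__":
    store = sample_store(clock=fixed_clock)
    anna = store.login("hr_anna", "correct horse battery staple")
    store.read_record(anna, 1042, ["name", "position"])
    store.export(anna, [1042, 1043], ["name"])
    for event in store.accesses_to(1042):
        print(event)
```

In a real deployment the log entries would be shipped to a separate, append-only sink (a SIEM or write-once storage) that the HR application's own users cannot edit, sessions would expire, and the log would be retained only as long as the retention rules for that category of data permit; the point of the sketch is that each entry ties an operation on a named employee's data to a named person, which a shared account can never provide.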
In order to ensure workplace safety and business continuity during the pandemic, organizations have been collecting employees' health data that they would not process under normal conditions. However, the inspections revealed violations in this area as well:
- In one case, the organization recorded thermal screening results in a dedicated journal and stored the data for a long period without any necessity, waiting for instructions from state agencies before erasing it. The organization could not state a purpose for storing the data, which was deemed a violation of the law;
- In order to manage work activities effectively, one organization collected detailed information about employees' chronic diseases by questionnaire, although it could have achieved the legitimate aim by processing a smaller amount of health data. For instance, rather than collecting information about specific diseases, the organization could have asked only whether an employee belonged to the group of persons with any of the listed diseases. Collecting an excessive amount of data was assessed as a violation of the law.
The State Inspector's Service imposed administrative liability on the aforementioned organizations under Articles 43 (data processing without the grounds provided by law), 44 (violation of the principles of data processing), 46 (failure to comply with data security requirements) and 49 (violation of the rules for processing building entry/exit data of public and private institutions) of the Law of Georgia on Personal Data Protection, and issued mandatory instructions to bring their data processing into compliance with the law in the future.