EN
HR Legal Technology

GDPR did not prevent company from sharing employee data with trade union

logo
Legal news
calendar 29. August 2021
globus Sweden

Under a collective agreement, a company had to hand over copies of employment contracts to the local trade union. However, the company chose to mask the personal data in the contracts. It considered data masking necessary to comply with its data protection obligations. The trade union objected and argued that by doing so, the company had violated the collective agreement. The Swedish Labour Court agreed.

Besides from always having to have a lawful basis, processing of personal data must also always – among other things - be limited to what is necessary. However, when companies at the same time have to balance these rules with other legal or contractual obligations when processing data as part of day-to-day operations, it gives rise to several questions and challenges.

In this case, a large snus company was bound by a collective agreement which included an obligation upon the company to share copies of employment contracts with the local trade union.

Briefly after the new data protection rules entered into force, the trade union requested the company to hand over copies of its employment contracts. The purpose was to review the contractual terms to make sure that the company was complying with the collective agreement. In response to the trade union’s request, the company shared approximately 50 copies of its employment contracts. However, the contracts had been redacted so that the employees’ names, social security numbers, address, phone numbers and other data had been masked from the trade union.

Because the trade union refused to accept the redacted versions of the contracts, the case was brought to the Swedish Labour Court. The court had to determine, if the company had breached its obligations under the collective agreement by not having shared unredacted versions of the contracts.

Collective agreement was the lawful basis for processing

The dispute had been triggered by a disagreement between the parties on how the obligation to provide copies of the employment contracts to the trade union should be understood. However, what form the employment contracts should be provided in had not been discussed between the parties during the negotiations of the collective. The court could therefore not rely on any common intention to clarify the issue.

Because the wording in the collective agreement was clear and seeing that there was no other information on the original intention of the parties, the court concluded that the contracts had to be provided in an unredacted form, including all personal data.

According to the court, the company could therefore both have shared unredacted versions of the contracts and complied with the data protection rules at the same time. The reason was that the collective agreement in itself provided for the necessary lawful basis, because the company was complying with a legal obligation. The company was consequently issued a fine for having breached its obligations under the collective agreement.

IUNO’s opinion

This decision shows the importance of companies being aware of how data protection obligations interplay with other legal obligations. In Sweden, companies are especially subject to extensive obligations under collective agreements, which may give rise to considerations to ensure compliance with data protection obligations at the same time.

IUNO recommends that companies always make sure that there is an appropriate lawful basis before sharing personal data with third parties and if in doubt, seek prior legal advice.
Read more of how IUNO can help your company to ensure compliance with the GDPR here.

[The Swedish Labour Court Case 23/2021 of 26 May 2021]

Besides from always having to have a lawful basis, processing of personal data must also always – among other things - be limited to what is necessary. However, when companies at the same time have to balance these rules with other legal or contractual obligations when processing data as part of day-to-day operations, it gives rise to several questions and challenges.

In this case, a large snus company was bound by a collective agreement which included an obligation upon the company to share copies of employment contracts with the local trade union.

Briefly after the new data protection rules entered into force, the trade union requested the company to hand over copies of its employment contracts. The purpose was to review the contractual terms to make sure that the company was complying with the collective agreement. In response to the trade union’s request, the company shared approximately 50 copies of its employment contracts. However, the contracts had been redacted so that the employees’ names, social security numbers, address, phone numbers and other data had been masked from the trade union.

Because the trade union refused to accept the redacted versions of the contracts, the case was brought to the Swedish Labour Court. The court had to determine, if the company had breached its obligations under the collective agreement by not having shared unredacted versions of the contracts.

Collective agreement was the lawful basis for processing

The dispute had been triggered by a disagreement between the parties on how the obligation to provide copies of the employment contracts to the trade union should be understood. However, what form the employment contracts should be provided in had not been discussed between the parties during the negotiations of the collective. The court could therefore not rely on any common intention to clarify the issue.

Because the wording in the collective agreement was clear and seeing that there was no other information on the original intention of the parties, the court concluded that the contracts had to be provided in an unredacted form, including all personal data.

According to the court, the company could therefore both have shared unredacted versions of the contracts and complied with the data protection rules at the same time. The reason was that the collective agreement in itself provided for the necessary lawful basis, because the company was complying with a legal obligation. The company was consequently issued a fine for having breached its obligations under the collective agreement.

IUNO’s opinion

This decision shows the importance of companies being aware of how data protection obligations interplay with other legal obligations. In Sweden, companies are especially subject to extensive obligations under collective agreements, which may give rise to considerations to ensure compliance with data protection obligations at the same time.

IUNO recommends that companies always make sure that there is an appropriate lawful basis before sharing personal data with third parties and if in doubt, seek prior legal advice.
Read more of how IUNO can help your company to ensure compliance with the GDPR here.

[The Swedish Labour Court Case 23/2021 of 26 May 2021]

Receive our newsletter

Anders

Etgen Reitz

Partner

Similar

logo
HR Legal

11 August 2022

New employment law reform has entered into force

logo
HR Legal

19 June 2022

Termination was unjustified because LIFO list was set aside

logo
HR Legal

19 June 2022

Preferential rights went out the window

logo
HR Legal

19 June 2022

New rules will introduce new leave forms and more flexibility

logo
Technology

16 June 2022

Unfortunate software update gave thousands of employees access to job applications

logo
HR Legal

12 June 2022

Single parent could remain employed despite summary dismissal

The team

Akina

Ørum Masaki

Legal assistant

Amalie

Starup Poulsen

Legal Advisor

Anders

Etgen Reitz

Partner

Cecillie

Groth Henriksen

Associate

Emma

Sandner

Junior legal assistant

Johan

Gustav Dein

Associate

Julie

Meyer

Communication assistant

Katrine

Matilde Ahlberg Purhus

Associate

Kirsten

Astrup

Senior associate

Mathilde

Baudry

Communication assistant

Sofie

Aurora Braut Bache

Senior associate

Søren

Hessellund Klausen

Partner