EN
HR Legal Technology

GDPR did not prevent company from sharing employee data with trade union

logo
Legal news
calendar 29. August 2021
globus Sweden

Under a collective agreement, a company had to hand over copies of employment contracts to the local trade union. However, the company chose to mask the personal data in the contracts. It considered data masking necessary to comply with its data protection obligations. The trade union objected and argued that by doing so, the company had violated the collective agreement. The Swedish Labour Court agreed.

Besides from always having to have a lawful basis, processing of personal data must also always – among other things - be limited to what is necessary. However, when companies at the same time have to balance these rules with other legal or contractual obligations when processing data as part of day-to-day operations, it gives rise to several questions and challenges.

In this case, a large snus company was bound by a collective agreement which included an obligation upon the company to share copies of employment contracts with the local trade union.

Briefly after the new data protection rules entered into force, the trade union requested the company to hand over copies of its employment contracts. The purpose was to review the contractual terms to make sure that the company was complying with the collective agreement. In response to the trade union’s request, the company shared approximately 50 copies of its employment contracts. However, the contracts had been redacted so that the employees’ names, social security numbers, address, phone numbers and other data had been masked from the trade union.

Because the trade union refused to accept the redacted versions of the contracts, the case was brought to the Swedish Labour Court. The court had to determine, if the company had breached its obligations under the collective agreement by not having shared unredacted versions of the contracts.

Collective agreement was the lawful basis for processing

The dispute had been triggered by a disagreement between the parties on how the obligation to provide copies of the employment contracts to the trade union should be understood. However, what form the employment contracts should be provided in had not been discussed between the parties during the negotiations of the collective. The court could therefore not rely on any common intention to clarify the issue.

Because the wording in the collective agreement was clear and seeing that there was no other information on the original intention of the parties, the court concluded that the contracts had to be provided in an unredacted form, including all personal data.

According to the court, the company could therefore both have shared unredacted versions of the contracts and complied with the data protection rules at the same time. The reason was that the collective agreement in itself provided for the necessary lawful basis, because the company was complying with a legal obligation. The company was consequently issued a fine for having breached its obligations under the collective agreement.

IUNO’s opinion

This decision shows the importance of companies being aware of how data protection obligations interplay with other legal obligations. In Sweden, companies are especially subject to extensive obligations under collective agreements, which may give rise to considerations to ensure compliance with data protection obligations at the same time.

IUNO recommends that companies always make sure that there is an appropriate lawful basis before sharing personal data with third parties and if in doubt, seek prior legal advice.
Read more of how IUNO can help your company to ensure compliance with the GDPR here.

[The Swedish Labour Court Case 23/2021 of 26 May 2021]

Besides from always having to have a lawful basis, processing of personal data must also always – among other things - be limited to what is necessary. However, when companies at the same time have to balance these rules with other legal or contractual obligations when processing data as part of day-to-day operations, it gives rise to several questions and challenges.

In this case, a large snus company was bound by a collective agreement which included an obligation upon the company to share copies of employment contracts with the local trade union.

Briefly after the new data protection rules entered into force, the trade union requested the company to hand over copies of its employment contracts. The purpose was to review the contractual terms to make sure that the company was complying with the collective agreement. In response to the trade union’s request, the company shared approximately 50 copies of its employment contracts. However, the contracts had been redacted so that the employees’ names, social security numbers, address, phone numbers and other data had been masked from the trade union.

Because the trade union refused to accept the redacted versions of the contracts, the case was brought to the Swedish Labour Court. The court had to determine, if the company had breached its obligations under the collective agreement by not having shared unredacted versions of the contracts.

Collective agreement was the lawful basis for processing

The dispute had been triggered by a disagreement between the parties on how the obligation to provide copies of the employment contracts to the trade union should be understood. However, what form the employment contracts should be provided in had not been discussed between the parties during the negotiations of the collective. The court could therefore not rely on any common intention to clarify the issue.

Because the wording in the collective agreement was clear and seeing that there was no other information on the original intention of the parties, the court concluded that the contracts had to be provided in an unredacted form, including all personal data.

According to the court, the company could therefore both have shared unredacted versions of the contracts and complied with the data protection rules at the same time. The reason was that the collective agreement in itself provided for the necessary lawful basis, because the company was complying with a legal obligation. The company was consequently issued a fine for having breached its obligations under the collective agreement.

IUNO’s opinion

This decision shows the importance of companies being aware of how data protection obligations interplay with other legal obligations. In Sweden, companies are especially subject to extensive obligations under collective agreements, which may give rise to considerations to ensure compliance with data protection obligations at the same time.

IUNO recommends that companies always make sure that there is an appropriate lawful basis before sharing personal data with third parties and if in doubt, seek prior legal advice.
Read more of how IUNO can help your company to ensure compliance with the GDPR here.

[The Swedish Labour Court Case 23/2021 of 26 May 2021]

Receive our newsletter

Anders

Etgen Reitz

Partner

Similar

logo
HR Legal

26 September 2021

Seven extensions did not create a permanent employment

logo
HR Legal

26 September 2021

Removing work tasks did not constitute a termination

logo
HR Legal

17 September 2021

Do standard clauses give an automatic right to set off?

logo
Technology

9 September 2021

Failure to comply with retention periods resulted in EUR 1.75 million fine

logo
Technology

1 September 2021

Can companies “snoop” in former employees’ e-mail accounts?

logo
HR Legal

29 August 2021

The team

Akina

Ørum Masaki

Legal assistant

Anders

Etgen Reitz

Partner

Caroline

Wochner

Communication assistant

Cecillie

Groth Henriksen

Associate

Julie

Meyer

Communication assistant

Kirsten

Astrup

Senior associate

Mathilde

Baudry

Communication assistant

Nora

Tägtgård Coter

Legal assistant

Sofie

Aurora Braut Bache

Associate

Søren

Hessellund Klausen

Partner