EN
HR Legal Technology

GDPR did not prevent company from sharing employee data with trade union

logo
Legal news
calendar 29. August 2021
globus Sweden

Under a collective agreement, a company had to hand over copies of employment contracts to the local trade union. However, the company chose to mask the personal data in the contracts. It considered data masking necessary to comply with its data protection obligations. The trade union objected and argued that by doing so, the company had violated the collective agreement. The Swedish Labour Court agreed.

Besides from always having to have a lawful basis, processing of personal data must also always – among other things - be limited to what is necessary. However, when companies at the same time have to balance these rules with other legal or contractual obligations when processing data as part of day-to-day operations, it gives rise to several questions and challenges.

In this case, a large snus company was bound by a collective agreement which included an obligation upon the company to share copies of employment contracts with the local trade union.

Briefly after the new data protection rules entered into force, the trade union requested the company to hand over copies of its employment contracts. The purpose was to review the contractual terms to make sure that the company was complying with the collective agreement. In response to the trade union’s request, the company shared approximately 50 copies of its employment contracts. However, the contracts had been redacted so that the employees’ names, social security numbers, address, phone numbers and other data had been masked from the trade union.

Because the trade union refused to accept the redacted versions of the contracts, the case was brought to the Swedish Labour Court. The court had to determine, if the company had breached its obligations under the collective agreement by not having shared unredacted versions of the contracts.

Collective agreement was the lawful basis for processing

The dispute had been triggered by a disagreement between the parties on how the obligation to provide copies of the employment contracts to the trade union should be understood. However, what form the employment contracts should be provided in had not been discussed between the parties during the negotiations of the collective. The court could therefore not rely on any common intention to clarify the issue.

Because the wording in the collective agreement was clear and seeing that there was no other information on the original intention of the parties, the court concluded that the contracts had to be provided in an unredacted form, including all personal data.

According to the court, the company could therefore both have shared unredacted versions of the contracts and complied with the data protection rules at the same time. The reason was that the collective agreement in itself provided for the necessary lawful basis, because the company was complying with a legal obligation. The company was consequently issued a fine for having breached its obligations under the collective agreement.

IUNO’s opinion

This decision shows the importance of companies being aware of how data protection obligations interplay with other legal obligations. In Sweden, companies are especially subject to extensive obligations under collective agreements, which may give rise to considerations to ensure compliance with data protection obligations at the same time.

IUNO recommends that companies always make sure that there is an appropriate lawful basis before sharing personal data with third parties and if in doubt, seek prior legal advice.
Read more of how IUNO can help your company to ensure compliance with the GDPR here.

[The Swedish Labour Court Case 23/2021 of 26 May 2021]

Besides from always having to have a lawful basis, processing of personal data must also always – among other things - be limited to what is necessary. However, when companies at the same time have to balance these rules with other legal or contractual obligations when processing data as part of day-to-day operations, it gives rise to several questions and challenges.

In this case, a large snus company was bound by a collective agreement which included an obligation upon the company to share copies of employment contracts with the local trade union.

Briefly after the new data protection rules entered into force, the trade union requested the company to hand over copies of its employment contracts. The purpose was to review the contractual terms to make sure that the company was complying with the collective agreement. In response to the trade union’s request, the company shared approximately 50 copies of its employment contracts. However, the contracts had been redacted so that the employees’ names, social security numbers, address, phone numbers and other data had been masked from the trade union.

Because the trade union refused to accept the redacted versions of the contracts, the case was brought to the Swedish Labour Court. The court had to determine, if the company had breached its obligations under the collective agreement by not having shared unredacted versions of the contracts.

Collective agreement was the lawful basis for processing

The dispute had been triggered by a disagreement between the parties on how the obligation to provide copies of the employment contracts to the trade union should be understood. However, what form the employment contracts should be provided in had not been discussed between the parties during the negotiations of the collective. The court could therefore not rely on any common intention to clarify the issue.

Because the wording in the collective agreement was clear and seeing that there was no other information on the original intention of the parties, the court concluded that the contracts had to be provided in an unredacted form, including all personal data.

According to the court, the company could therefore both have shared unredacted versions of the contracts and complied with the data protection rules at the same time. The reason was that the collective agreement in itself provided for the necessary lawful basis, because the company was complying with a legal obligation. The company was consequently issued a fine for having breached its obligations under the collective agreement.

IUNO’s opinion

This decision shows the importance of companies being aware of how data protection obligations interplay with other legal obligations. In Sweden, companies are especially subject to extensive obligations under collective agreements, which may give rise to considerations to ensure compliance with data protection obligations at the same time.

IUNO recommends that companies always make sure that there is an appropriate lawful basis before sharing personal data with third parties and if in doubt, seek prior legal advice.
Read more of how IUNO can help your company to ensure compliance with the GDPR here.

[The Swedish Labour Court Case 23/2021 of 26 May 2021]

Receive our newsletter

Anders

Etgen Reitz

Partner

Similar

logo
HR Legal

1 July 2025

New convention on violence and harassment in the workplace

logo
HR Legal

20 June 2025

New rules provide better conditions for parents with sick children and for those who have lost children

logo
HR Legal

16 June 2025

Part-time employee was entitled to increased hours

logo
HR Legal

6 June 2025

Company could enforce no-hire clause

logo
HR Legal

27 May 2025

Preparing for pay transparency and the concept of equal pay

logo
HR Legal

23 May 2025

Employee could not take on parallel employment

The team

Alexandra

Jensen

Associate

Alma

Winsløw-Lydeking

Senior legal assistant

Anders

Etgen Reitz

Partner

Cecillie

Groth Henriksen

Senior associate

Elias

Lederhaas

Legal assistant

Emilie

Louise Børsch

Associate

Johan

Gustav Dein

Associate

Kirsten

Astrup

Managing associate

Laura

Dyvad Ziemer Markill

Legal assistant

Sunniva

Løfsgaard

Legal assistant

Søren

Hessellund Klausen

Partner