GDPR did not prevent company from sharing employee data with trade union

Besides from always having to have a lawful basis, processing of personal data must also always – among other things - be limited to what is necessary. However, when companies at the same time have to balance these rules with other legal or contractual obligations when processing data as part of day-to-day operations, it gives rise to several questions and challenges.

In this case, a large snus company was bound by a collective agreement which included an obligation upon the company to share copies of employment contracts with the local trade union.

Briefly after the new data protection rules entered into force, the trade union requested the company to hand over copies of its employment contracts. The purpose was to review the contractual terms to make sure that the company was complying with the collective agreement. In response to the trade union’s request, the company shared approximately 50 copies of its employment contracts. However, the contracts had been redacted so that the employees’ names, social security numbers, address, phone numbers and other data had been masked from the trade union.

Because the trade union refused to accept the redacted versions of the contracts, the case was brought to the Swedish Labour Court. The court had to determine, if the company had breached its obligations under the collective agreement by not having shared unredacted versions of the contracts.

Collective agreement was the lawful basis for processing

The dispute had been triggered by a disagreement between the parties on how the obligation to provide copies of the employment contracts to the trade union should be understood. However, what form the employment contracts should be provided in had not been discussed between the parties during the negotiations of the collective. The court could therefore not rely on any common intention to clarify the issue.

Because the wording in the collective agreement was clear and seeing that there was no other information on the original intention of the parties, the court concluded that the contracts had to be provided in an unredacted form, including all personal data.

According to the court, the company could therefore both have shared unredacted versions of the contracts and complied with the data protection rules at the same time. The reason was that the collective agreement in itself provided for the necessary lawful basis, because the company was complying with a legal obligation. The company was consequently issued a fine for having breached its obligations under the collective agreement.

IUNO’s opinion

This decision shows the importance of companies being aware of how data protection obligations interplay with other legal obligations. In Sweden, companies are especially subject to extensive obligations under collective agreements, which may give rise to considerations to ensure compliance with data protection obligations at the same time.

IUNO recommends that companies always make sure that there is an appropriate lawful basis before sharing personal data with third parties and if in doubt, seek prior legal advice.
Read more of how IUNO can help your company to ensure compliance with the GDPR here.

[The Swedish Labour Court Case 23/2021 of 26 May 2021]