CJEU raises questions over retaining investigation data in HR reports

The Court of Justice of the European Union (CJEU) has ruled that holding information about an investigation where no evidence of wrongdoing was found may not meet the public interest test that an ongoing investigation or a conviction would justify, if that information is being kept for HR rather than investigative requirements.

It comes after the CJEU was asked to rule on whether the retention of arrest information relating to a police officer constituted a breach of GDPR rules, after the officer had been denied promotions because the information was kept in his personnel file.

Malcolm Dowden, a data privacy expert with Pinsent Masons, said that although the case had focused on interaction between law enforcement processing - which is outside the scope of GDPR - and processing for HR purposes, which is not, the ruling has wider implications.

“Where a criminal investigation has been suspended, no charges brought, and no evidence of wrongdoing found, the justification for retaining that data in a personnel file is significantly weakened,” he explained.

“This suggests that data subjects in similar situations may have strong grounds for requesting erasure. In relation to public authorities, when a single public authority acts both as employer and as investigating body, the transfer of investigation data into HR files engages GDPR and must be supported by a clear, proportionate legal basis.

“The mere fact that the employer is also the investigating authority does not, in itself, justify the retention. Even where retention is initially justified, the passage of time may render it disproportionate.

“The court signals that indefinite retention of investigation-related data, particularly from proceedings that yielded no adverse findings, is likely to violate the storage limitation principle.”

The case had been referred to the CJEU for a preliminary ruling by the district court in Bulgaria after questions over the validity of storing information about an arrest in a police officer’s personnel file.

The officer in question worked for more than 10 years in various posts in Bulgaria’s security police and national police, but in 2016 was arrested as part of an internal investigation into a robbery. During the investigation he had his fingerprints taken and a search was made of his home. He took part in a suspects’ line-up where the victims did not identify him, and no trace of his fingerprints was found on the victims’ belongings.

After 24 hours in custody, the officer was released and not charged over the robbery, with the investigation suspended as the perpetrator could not be identified.

The officer continued to perform his duties with Bulgaria’s Ministry of the Interior – but after sitting exams to secure promotion, was refused on the grounds he had been arrested in connection with the robbery investigation, with his personal file and the Ministry’s records containing information concerning his detention and the investigation into him.

As a result, he brought action against the public prosecutor’s office for compensation for the impact on his career and the humiliation of being arrested in front of his colleagues, highlighting that his employer – which also arrested him - refuses to remove or delete data about his arrest from the police database.

The District Court in Sofia had stayed the case due to the questions around the data retention, and referred it to the CJEU for their ruling over whether GDPR applies to cases where a single organisation is both employer and investigating authority.

It also sought clarity on whether retaining arrest information in an employee’s personnel file constitutes ‘processing of personal data’ under GDPR; if refusing promotion on the grounds of an employee being a former suspect is permitted; if GDPR’s ‘right to be forgotten’ applies to personnel file data; and if the refusal to promote the officer because of that data despite his performance in the exams constitutes discrimination.

The court ruled that not promoting the officer was not a breach of protected characteristic rules around equal treatment, as the previous arrest was not within the relevant grounds.

It also said it remains on the Bulgarian authorities to determine if it meets national data requirements but advised that GDPR would mean the period for retaining information should not be excessive.