Scottish case confirms legal proceedings exemption as possible defence for GDPR claims

The case relates to a claim brought by a former employee of a student housing company against his employer, who he alleged had breached UK General Data Protection Regulation (GDPR) rules when processing his personal data in the context of defending employment tribunal proceedings brought by another employee.

The claim was dismissed by the court, as the claimant’s allegations against the employer were found to be “lacking in specification” and “irrelevant”. However, a data protection law specialist said the decision provides businesses with “useful guidance” on the extent to which controllers may rely on the legal proceedings exemption.

“The decision makes it clear that the intention of the data protection laws is not to stand in the way of a fair trial or for controllers to ‘shoot themselves in the foot’ by deleting personal data or withholding personal data for fear of breaching the data protection laws,” said Kathryn Wynn of Pinsent Masons.

“It provides an interesting analysis of how legal proceedings exemption can be relied upon to disclose personal data without specifically notifying the affected data subject ahead of that disclosure. However, as the court has clarified, this is usually an inherently fact-sensitive exercise,” she said.

In the hearing, the former employee argued that although he was not involved in the employment tribunal proceedings directly, the employer should have informed him about the tribunal claim and asked him to comment on the allegations made against him, as well as invited him to provide a witness statement. Its failure to do so, he alleged, was a breach of the employer’s duty to process his personal data fairly under the UK’s 2018 Data Protection Act (DPA), specifically article 5(1)(a) which requires personal data to be processed lawfully, fairly and in a transparent manner.

The employer’s argument relied on the legal proceedings exemption provisions of the DPA, which it said made it exempt from the usual GDPR requirements because the disclosures of personal data in question were made in connection with legal proceedings and for the purposes of defending legal rights.

In reaching its decision (32-page / 629KB PDF), the court considered the rationale for the DPA legal proceedings exemption provisions. It said: “The rationale … appears to be that a party’s duties as a data controller should not fetter its discretion to conduct litigation as it sees fit in pursuance of the vindication of its legal rights, or impinge on its right to a fair trial in terms of Article 6 of ECHR. It is because of the potential for tension to arise between these considerations that the exemption is necessary.”

The court concluded that “given the scope for the process of applying Article 5(1)(a) to restrict or prevent the content of disclosures, Paragraph 5(3) of Schedule 2 exempts a data controller from complying with it. This interpretation is consistent with the purpose of the exemption, which is to ensure that a litigant’s duties as a data controller do not impinge on its right to a fair trial.”

The case also reminds parties that, since 2017, employment tribunal decisions have been public by default and published in full in an online database, said employment law expert Stephanie Paton of Pinsent Masons.

“A tribunal does have discretion to make a restricted reporting order to protect the identity of any party to the proceedings – however, an RRO is often a temporary measure and can only be ordered in very limited circumstances, such as where there are issues of national security or allegations of sexual misconduct,” she said.