Dutch sickness data rules breached

Wouter Seinen, Andre Walter and Nienke Kingma of Pinsent Masons, the law firm behind Out-Law, were commenting after the Dutch data protection authority, the Autoriteit Persoonsgegevens (AP), fined employer CP&A after determining that it had breached data protection laws by processing more employee sickness data than it should have. The AP also held that CP&A had failed to meet its requirements on data security.

“These are two very serious violations of the EU General Data Protection Regulation (GDPR),” Walter said. “Only the limited financial capacity of CP&A stopped the AP from imposing a larger fine in this case.”

The AP had proposed to fine CP&A more than €1 million over the breach but reduced the sanction to just €15,000 after it determined the company was “financially unable” to bear the full penalty.

Seinen said international businesses may be unaware of the local restrictions on the processing of employee sickness data in the Netherlands. He said businesses reliant on global HR systems will commonly find that those systems are not configured to meet the specific requirements of Dutch law.

“In the Netherlands, employee sickness data can generally only be processed by the occupational health service provider, or company doctor, and not the employer itself,” Seinen said.

The AP confirmed that employers can ask sick employees questions that are necessary to determine how to proceed with their work, but said that they can only record the nature and cause of an employee's illness where it is necessary, such as to note a condition the employee suffers from and understand the actions they need to take in the event of an occurrence of the condition in the workplace.

Kingma said the AP had assessed the security of CP&A’s absence registration system in detail before finding failings in how access to the employee health data was controlled.

“The regulator visited CP&A’s website several times and found that it was able to view the absence registration without any form of authentication or other access control,” Kingma said. “This case shows that companies should be aware that the AP can look over their shoulder.”

CP&A said it has taken corrective measures to address its non-compliance, including no longer recording reasons for absence nor the prognosis, except from this can be deduced from doctor reports “without medical information”. It said it has also tightened controls on who can access the absence registration data.

Katja Mur, a board member at the AP, said: "It is of course quite understandable that an employer wants to know if someone is ill for a short or long period of time. But for this, the employer does not have to process health data himself or sit in the doctor's chair. The occupational health and safety service or occupational physician may simply inform him about the expected duration of the disease and its load capacity."