Data Protection Authority of North Rhine-Westphalia: Employer's use of WhatsApp to transfer employee data is not permitted under data protection law
In its current activity report (pdf, p. 51), the Data Protection Authority of North Rhine-Westphalia (DPA) addresses the question of how employers and employees can communicate via WhatsApp. Specifically, the report covers a complaint about an employer who wrote to all employees of his company and asked them to use WhatsApp to send sickness reports with receipts to the personnel department.
The employer explained that this was only an additional offer to the employees to send documents containing personal data. However, the letter explaining the procedure to the employees did not indicate that this offer was only an alternative.
The DPA criticizes this procedure as illegal. The employer has no influence on the data processing operations at WhatsApp or Facebook. Therefore, he does not have the necessary technical and organizational means to effectively protect employee data.
"If the employer nevertheless offers the use of WhatsApp, he/she is in breach of the principles of security of data processing in accordance with Art. 32 and 5 para. 1 lit. f GDPR".
According to the DPA, the employer cannot rely on the voluntary participation of the employees and thus on their consent. The DPA assumes that employees, at least in general, are not sufficiently informed about the risks of communication via WhatsApp and the lack of protection of their data.
The DPA's view is of course not surprising. Nevertheless, I do not find the position justifiable in this generalized form. The requirement that employees must be informed may indeed not be easy to implement. However, in my opinion, it is not per se (as assumed by the DPA) impossible for employees to give informed consent. In my view, reference should always be made to the circumstances of the individual case. The fact that the employer has no influence on the security measures at WhatsApp is also not a convincing argument in my opinion. After all, in other situations it is common for data to be transferred to other parties whose security measures cannot be influenced by the employer. It is then the legal obligation of the other entity to comply with the requirements of Art. 32 GDPR itself.