Irish court decision demonstrates standards expected when handling employee personal data

“The decision underscores the importance of adhering to the General Data Protection Regulation (GDPR) and respecting individuals’ personal data rights,” said Zara West, commercial litigation expert at Pinsent Masons.

In the ruling seen by Pinsent Masons an individual, Mr McCabe, claimed his confidential information was recorded, used and processed, infringing a number of provisions of article 5 of the GDPR and section 71 of the Data Protection Act 2018.

The court found that the personal footage and confidential information – in the form of a video recording of McCabe - must be made available to its subject in the interest of transparency and fairness, or that the subject must be made aware of its destruction.

“The ruling is a clear signal to employers of the stringent standards expected in the handling of employee personal data and the serious consequences of failing to meet these standards,” said West.

McCabe, an employee of AA Ireland, was on sick leave. On his final day of leave, McCabe was helping his mother-in-law by cutting an overhanging branch at her home. He became aware that an operations manager for AA Ireland was recording him from within a car parked across the road and approached the car. McCabe became angry, claiming he was being recorded without his knowledge or consent outside the workplace.

McCabe later attended a disciplinary hearing and was summarily dismissed. The video did not feature in the disciplinary process.

McCabe claimed that the video comprised personal data because he was identifiable and that its recording was processing. He claimed that AA Ireland breached data protection laws by unlawfully processing his personal data without consent, failing to process the footage in a fair and transparent manner and collecting the personal data for an illegitimate purpose. The company also breached the principal of data minimisation, he said, as there were three witnesses to the event, therefore it was unnecessary to video him.

AA Ireland denied processing the video or being in possession of it at any time, claiming it had not been taken on its instruction and it had been deleted. However, the judge referenced the fact that the company had not provided any affidavit evidence that the video had been deleted. The operations manager swore by way of affidavit that he did not hold the video, he had never showed anyone at the company a video of McCabe and that did not transfer any video to anyone. The current status of the video was not referenced in sworn testimony.

McCabe maintained the video had been in AA Ireland’s possession and if was not then it had been unlawfully erased or had been lost in violation of the GDPR. He claimed that he had suffered significant distress and anxiety as a result of the loss of control of his personal data.

The court referred to a Court of Justice of the EU (CJEU) case known as GP, in which the CJEU held that the loss of control over personal data, even for a short period of time, may constitute a non-material damage within the meaning of article 82(1) of the GDPR.

AA Ireland questioned whether the video was covered by the GDPR and the 2018 Act as it did not go beyond the operations manager’s phone and as such, there had been no ‘processing’ on its part. AA Ireland argued that it never used the video and therefore never processed it, so McCabe’s application must fail. The company further argued that article 82 of the GDPR applied to exempt it from liability as the controller on the basis that it was in no way responsible for the event giving rise to damages.

However, McCabe claimed that AA Ireland should be liable for its operation manager’s action as the manager’s reaction to the recording was part of the reason for him losing his job.

AA Ireland argued that if the court did find that it did process the information then it did so lawfully under article 6(1)(f) of the GDPR. In this case it was in AA Ireland’s interest to collect data in relation to its employee, where he was out on sick leave and cutting a hedge. Counsel for AA Ireland pointed out that all of the cases cited by both parties related to instances where the employer had disseminated data, and this was not the case in this instance.

The court found that it was incumbent on AA Ireland to account for the erasure of the video, as taking the video was closely related to the operations manager’s duties for the company. The court directed AA Ireland to account for the video and its current status.

It found that, given the serious steps taken against McCabe following the creation of the video, the video would be made available to McCabe or alternatively McCabe should have been notified of its destruction.

The defence of ‘legitimate expectation’ failed, as AA Ireland denied reliance on the video in making its decision to terminate McCabe’s employment. The court said that this defence would only arise if it had actually used the data. At the same time, the GDPR gave McCabe the right to access data collected by his employer or the employer’s agent where that data is closely connected to his role as employee.

The court awarded a total of €5,500 compensation to McCabe for the breach of his personal data rights.