Article written by Adi Shoval
The Cypriot Commissioner for Personal Data imposed an €82,000 fine on a group of companies that used an automated tool to score their employees’ sick leaves, highlighting that such processing lacked a legal basis under the GDPR.
The Commissioner explained that the companies conducted an impact assessment of the processing operations, but after reviewing it, the Commissioner was not convinced that the companies’ legitimate interest prevailed over the interests, rights, and freedoms of its employees. Consequently, the processing was found to have no legal basis. The Commissioner also noted that the companies failed to show the applicability of any of the provisions of the GDPR that allow them to process the health data of employees.
In addition to the penalty, the Cypriot Commissioner ordered the deletion of all the personal data collected.
CLICK HERE for the Commissioner’s decision (in Greek).