Believe it or not, this is the fourteenth in our series of articles based on a report by the Article 29 Working Party (‘WP29’), an independent European advisory body on data protection and privacy. This time, we’re going to look at the risks and challenges of sharing employee data with a third party, be that another company or a private individual who is using your services.
It has become increasingly common for companies to transmit their employees’ data to their customers for the purpose of ensuring reliable service provision. These data may be quite excessive depending on the scope of services provided (e.g. an employee’s photo may be included). However, employees are not in a position, given the imbalance of power, to give free consent to the processing of their personal data by their employer, and if the data processing is not proportional, the employer does not have a legal ground.
Example: A delivery company sends its customers an e-mail with a link to the name and the location of the deliverer (that is, they share employee data). The company also intended to provide a passport photo of the deliverer. The company assumed it would have a legal ground for the processing in its legitimate interest, allowing the customer to check if the deliverer is indeed the right person.
However, it is not necessary to provide the name and the photo of the deliverer to the customers. Since there is no other legitimate ground for this processing, the delivery company is not allowed to provide these personal data to customers.