Can investigators seize personal data in a post-GDPR world?

Picture the scene; investigators of the European Commission burst into your offices, collect laptops and mobile phones of a number of employees and start to make copies of the data on these devices. They also ask you for copies of these employees’ email accounts for the last five years.  As they are combing through the data, it dawns on you, the data they’re reviewing and copying includes personal data.

Your duties towards your employees’ data post-GDPR have been drilled into you, and the potential heavy fines flash before your eyes. But the cost of not complying with a competition investigation isn’t minor either….what do you do?

Since the GDPR entered into force, this dilemma has arisen unexpectedly for companies caught in the crosshairs of increased regulatory vigour on all sides, and it’s not the first scenario you focus on in your GDPR training.

A number of companies have refused to give investigators access to employee data, claiming that: 

  • the GDPR prevents them from disclosing personal data of their employees during inspections or in reply to information requests; and
  • if they were to disclose such personal data , they would have to inform the employees concerned.

Some companies have also refused to commit to audit/inspection clauses in EU funding agreements, arguing that the GDPR prevents them from doing so. 

Several EU institutions therefore turned to the European Data Protection Supervisor (EDPS) for guidance. In an open letter of November 2018, the EDPS  told the institutions that “the GDPR is not an obstacle to obtaining the personal data you need for your tasks”.

According to the letter, two situations can be distinguished:

a) If a company is under an obligation to provide information to EU institutions which includes personal data (e.g. in case of an on-site inspection or a formal information request), this creates a legal obligation for the data controller within the meaning of Article 6(1)(c) GDPR, which authorizes the company to disclose the personal data.

b) If a company voluntarily provides information to EU institutions which includes personal data (e.g. response to an informal information request or whistleblowing about the company’s involvement in a cartel), this may be lawful given that the disclosure is necessary to pursue the company’s legitimate interest and these interests are not overridden by the interests of fundamental rights of the data subject or employee (Article 6(1)(f) GDPR).

So do you still need to tell your employees what’s happening? The EDPS’ letter explains that Article 14(1)(e) GDPR obliges data controllers to inform data subjects about the “recipients” of their personal data, but that Article 4(9) GDPR specifies that “public authorities which may receive personal data in the framework of a particular inquiry … shall not be regarded as recipients”. This means, for instance, that companies providing personal data of employees to the European Commission or a national competition authority in the EU in response to an information request, or voluntarily in view of a (pending or future) investigation, are not required to inform the employees concerned about the disclosure of their personal data.

Similarly, companies reviewing personal data of employees as part of an internal audit to uncover wrongdoing should be able to rely on legitimate interest as the basis for not informing the employees concerned. Given the transparency requirements of GDPR, it may be useful to state in employment contracts that employees' personal data may be accessed during internal audits.

In a decision of February 2019, the Court of Appeal of The Hague came to the same conclusion as the EDPS in relation to a Dutch cartel case. The Court confirmed that the GDPR provides no justification for a refusal to cooperate with a cartel investigation of the Dutch Competition Authority (ACM). The Court of Appeal underlined that the data collection by the ACM serves a task of general interest within the meaning of Article 6(1)(e) of the GDPR. The Court of Appeal dismissed the appellant's argument that the ACM's powers of inspection are limited to business data / documents and do not extend to personal data.

So what does all that mean for you when investigators are knocking at your door? Essentially two things: on the one hand, the GDPR does not provide you with an excuse for not supplying data the investigators are requesting. But on the other hand, you won't have to worry about GDPR compliance in a situation that is stressful enough in itself. The GDPR allows you to disclose also personal data to investigators and does not require you to inform the employees concerned.