DPAs have imposed a total of 162 fines (+27 fines in comparison to the ETR 2024) related to the processing of employee data. The total amount in this category has risen sharply to above EUR 355 million (+EUR 296 million in comparison to the ETR 2024) due to a new record fine. As a consequence, the average fine amount has also increased to EUR 2.3 million (+EUR 1.8 million in comparison to the ETR 2024). The new highest fine as of March 2025 was issued by the Dutch Supervisory Authority for Data Protection in an amount of EUR 290 million (ETid-2447) in July 2024.
Employers are well advised to take protection of employee data seriously. Employee data processing is and will remain a focus for supervisory authorities across Europe. From a legal perspective, employees are considered to be particularly vulnerable. Data protection law is now an established part of the instruments for specific protection of these vulnerable data subjects in addition to the common mechanisms under general employment law. A considerable number of enforcement cases remain based on data subjects’ complaints to supervisory authorities. The employment relationship is an environment in which such complaints – especially in termination scenarios – are now a standard procedure. In addition, (dismissed) employees regularly introduce lawsuits before the employment courts to assert additional claims for damages under data protection law. The legal admissibility of processing activities including employee data is largely shaped by employment law which – regardless of legal harmonisation in this area – still varies significantly between jurisdictions.
Against this background, employers may wish to use the Enforcement Tracker entries in the employment section to improve their risk management: every fine marks a "no go" – at least from a DPA perspective.
Let's take a closer look
- The new 'employment record fine' entered our lists in July 2024 when the Dutch supervisory authority issued its EUR 290 million fine against a mobility service provider for transferring personal data of European drivers to the USA without sufficient privacy safeguards (ETid-2447). The DPA’s investigation – launched after a complaint of 170 French drivers – revealed that the provider had stored sensitive personal data – such as location information, payment details, identity documents and health data – on US servers for over two years without adequate safeguards, as required by the standard contractual clauses.
- Significant fines for the excessive storage of employee data are a common phenomenon, starting with a EUR 35 million fine issued in 2020 by the supervisory authority in Hamburg, Germany against a fashion company (ETid-405): Supervisors at one site had compiled extensive "secret dossiers" on employees over several years, including sensitive data such as health data to evaluate employees' work performance and to make employment decisions. Several years later, supervisory authorities still have to intervene because of similar inadmissible data collections: The Italian supervisory authority issued a fine of EUR 5 million against a food delivery service for mishandling personal employee data, the second-highest new fine since March 2024 (ETid-2531). The company collected information including drivers' location data without their knowledge or consent – not only during working hours but also when the app was running in the background or inactive. Additionally, the DPA found that the company shared driver data with third parties without a valid legal basis and used automated data processing for functions such as the evaluation system and task allocation during shifts, but the company had failed to implement necessary GDPR measures, such as allowing human intervention or enabling drivers to contest decisions made through the automated systems. Comparable fines have been imposed earlier, such as one fine by the supervisory authority in Berlin, Germany in an amount of EUR 215,000 against a company that had documented sensitive information about individual employees – such as interest in forming a works council as well as health data – without sufficient legal basis (ETid-1995). The French DPA issued a similar fine for the collection of data on the private lives of employees and their family members, including blood type, ethnicity and political affiliation (ETid-2044).
- The non-compliant use of biometric data – such as fingerprints and/or facial recognition – was the reason for various fines imposed over the last year: In the aforementioned EUR 5 million case from Italy, the DPA found that the food delivery service was using biometric data, including facial recognition, without a legal basis. The Spanish DPA closed three other cases with significant fines in this respect: A EUR 365,000 fine was imposed against a controller who had requested fingerprints of employees for the purpose of a new time and attendance system. However, it was not communicated that the fingerprints would also be stored in the staff portal. Moreover, the controller had failed to carry out a data protection impact assessment and was unable to demonstrate sufficient security measures for the processing of fingerprints (ETid-2267). A fine of EUR 220,000 was imposed against a controller who had also failed to carry out a data protection impact assessment for a facial recognition system to track working hours (ETid-2510). Another fine in the amount of EUR 220,000 was handed down against a controller who did not perform a data protection impact assessment in relation to its facial recognition attendance system (ETid-2530).
- Insufficient protection of data subject rights still plays a key role among new entries: A notable number of the new cases started with an employee exercising their right of access, followed by a complaint about the employer's insufficient response. In addition to the data subjects’ rights aspect, DPA inquiries frequently led to additional findings that were taken into account in the fining procedures.
- The remainder of the new fines were essentially based on employer missteps in the regular course of HR administration. Special attention should be paid to the implementation of technical and organisational measures in the employment context: The Spanish DPA issued a fine of EUR 270,000 against a fashion retailer that disclosed payslip information of multiple employees to one employee and had failed – according to the DPA – to implement measures to prevent such an incident (ETid-2431).