Case Studies Disclosure / Unauthorised Disclosure


Disclosure of an employee’s special category data by their employer to a third party services provider, without the employee’s consent

An individual submitted an access request to their employer, a SME business-to-business service provider. Based on the documentation provided by the organisation to the individual in response, the individual submitted a complaint to the DPC alleging that the organisation unlawfully disclosed their personal data, including special category data, to a third party, a Human Resources Service Provider (HR provider).

When examining the information provided, it became apparent to the DPC that the organisation had engaged the HR provider to investigate an allegation of bullying made by the individual against a co-worker. The organisation provided various categories of the individual’s personal data to the HR provider, including the individual’s personal contact details, medical data and a letter confirming the individual’s fitness to partake in the alleged bullying investigation.

The individual provided evidence to the DPC proving that they had asked the organisation not to disclose their personal data to a third party, and claimed that they were not informed that their personal data had been provided to the third party.

As part of the examination of the complaint, the DPC sought to establish if the organisation had a valid lawful basis for disclosing the individual’s personal data and special category data to the HR provider in line with Article 6 and Article 9 of the GDPR. The DPC also sought to establish whether the personal data disclosed to the HR provider was relevant and limited to what is necessary for the purposes for which they were processed, in accordance with the principle of data minimisation under Article 5(1)(c) of the GDPR.

From its responses to the DPC, it appeared that the organisation relied on Articles 6(1)(b) (contract), 6(1)(c) (legal obligation) and 6(1)(f) (legitimate interests) of the GDPR as the lawful bases under which it disclosed the individual’s personal data to the HR provider.

The organisation stated it had legitimate reasons to provide the personal data and medical data to the HR provider under the terms of the individual’s contract of employment and that the individual had consented to take part in the alleged bullying investigation. Further, the organisation stated that the HR provider requested it obtain from the individual a doctor’s letter to confirm that the individual was fit to take part in the alleged bullying investigation.

The DPC accepted that provision of certain categories of the individual’s personal data to the HR provider would be necessary under the terms of their employment contract, in line with Article 6(1)(b) of the GDPR. However, the organisation failed to identify the legal obligation to which it claimed to be subject when relying on Article 6(1)(c) of the GDPR as a lawful basis for processing the personal data. The organisation also failed to provide evidence that it conducted a balancing test under Article 6(1)(f) of the GDPR prior to providing the individual’s personal data to the HR provider. Additionally, the organisation failed to identify a lawful basis for disclosing the individual’s medical data under Article 9 of the GDPR.

The DPC engaged with the organisation further to ensure that, going forward, it was aware of its obligations under the GDPR in relation to the lawful bases for processing.

Key Takeaway

  • The DPC recommends that organisations only process personal data when necessary, and for the stated purpose of processing.
  • In this regard, an organisation must be able to demonstrate to the DPC that it can provide the necessary, relevant information to the DPC to determine that the identified lawful bases under Article 6 of the GDPR are appropriate for the personal data processing in question. Organisations must also provide a lawful basis to process special category data under Article 9 of the GDPR.