• Insights

Happy… data protection breach? When wishing an employee happy birthday becomes a GDPR matter

Germany
26.11.19
3
Written by
Kliemt.HR Lawyers, the first port of call in employment law for top-class and future-proof advice.
Does wishing an employee a happy birthday breach data protection rules? This article sets out employers’ obligations when using an employee’s date of birth for this purpose.

For more up-to-date information about data privacy

A person’s birthday is generally a reason for joy and is often taken as an opportunity to convey congratulations to the birthday boy or girl. It is no different in the workplace, when the boss personally congratulates an employee with a birthday bouquet of flowers or card. Often employees’ birthdays are made known in the workplace using a birthday list or an entry in an Outlook calendar, so that work colleagues get a chance to give their congratulations. But caution: well-meant congratulations may prove to be a breach of the GDPR, as this article shows.

Date of birth is protected information under the GDPR

The employee’s date of birth is part of the key data that he or she communicates to an employer on hiring. Why shouldn’t it also be used to congratulate the employee on his or her birthday?

According to the GDPR, data processing is generally prohibited, unless there is a permission expressly regulated by law (Article 6(1)). In addition, the principle of purpose limitation (Article 5(1)b GDPR) must be respected. According to this principle, personal data cannot be used for purposes other than those specified in advance. If an employee notifies the employer of his or her date of birth, this relates to the employment relationship, for example, because it is required for payroll accounting. In this case, processing the employee’s date of birth is necessary for the performance of the contract (Article 6(1) b GDPR) or to conduct the employment relationship (s26 paragraph 1 sentence 1 BDSG).

The use of the date of birth for congratulatory purposes is not necessary for execution of the employment relationship. Congratulating an employee on a birthday may be an employer’s way of respecting its duty of courtesy, but it is not necessary. Using a date of birth for congratulatory purposes is also a violation of the principle of purpose limitation, since the employee has not provided his or her date of birth for the purpose of receiving congratulations. In view of this, the Bavarian State Office for Data Protection Supervision considered posting birthday lists to be inadmissible under data protection law even before the GDPR came into force.

Employees’ consent required

So what is to be done if an employer wants to congratulate employees on their birthdays and comply with data protection regulations? Ultimately, the only option is to obtain the employee’s consent in advance (Article 6(1)a GDPR). Employers must ensure that the employee is informed of exactly what his or her date of birth (and name) is to be used for and whether disclosure to third parties, for example by posting birthday lists, is also intended. Consent must also be voluntary. There is, however, an exception: according to s26 paragraph 2 sentence 2 BDSG consent may be voluntary if the employer and employed person pursue similar interests. As an example of this, the explanatory memorandum to the BDSG expressly mentions the inclusion of name and date of birth in a birthday list (BT-Drs. 18/11325 p. 97). Of course, individual circumstances will always be decisive.

Conclusion

It may seem strange, but the result cannot be denied: congratulating an employee on his or her birthday is data processing that requires the employee’s prior consent in the absence of any other relevant statutory provision. The same applies to similar occasions such as weddings or the anniversary of joining an organisation. To be on the safe side as an employer, you must get the employee’s consent in advance. Otherwise, we can only hope that congratulating an employee (as happens regularly) will remain a cause for celebration and not a reason to involve the data protection authorities.

Authors
Dr Christoph Bergwitz
Attorney - Germany
Kliemt.HR Lawyers