GDPR VIOLATION DUE TO INTERNAL COMMUNICATION CONCERNING THE HEALTH STATUS OF A DISMISSED EMPLOYEE
The Belgian national data protection authority (DPA) has recently reprimanded a public employer following a complaint, filed by a dismissed employee, for a breach of GDPR rules concerning the processing of personal health information.
During an internal meeting of HR staff, the dismissal of the employee in question was discussed without the employee herself being present. During the meeting, a service manager read out a document provided by an external service for prevention and protection at work. This document stated that the employee had been absent for several weeks and that she had later been declared indefinitely incapacitated for work by the company doctor. These facts were included in the minutes of the meeting, which were sent to all the employees of the department, regardless of their presence at the meeting, and were moreover posted online on the public authority’s intranet, where employees of other departments could access them.