Up until recently, many people would have assumed that spoken, oral conversations about someone did not constitute ‘processing’ (using) their personal data in terms of the relevant laws - the EU GDPR, and the Data Protection Act 2018 (DPA 2018) which applies the United Kingdom’s near-identical (for the time being at least), post-Brexit version of the Regulation, the UK GDPR.
Indeed, it has been a popular way for organisations to communicate personal data about individuals (‘data subjects’) without having to worry about their responsibilities (e.g., needing to have a lawful basis for the sharing of the data) and the data subject’s rights (e.g., to have access to the shared data) which would flow from the data protection legislation, if such disclosures were considered to be processing.
This is because the legislation only covers processing of personal data ‘wholly or partly by automated means’ – i.e., where the data is stored or manipulated electronically – or of data which forms part of, or is intended to form part of, what is known as a ‘filing system’. A filing system is a structured dataset held in non-electronic, hard copy form which is searchable according to specific criteria. So, a common example of a filing system might be a paper employee file where it is reasonably easy to flick through and locate the personal data of the data subjects (the employee and others mentioned in the file). The words ‘…data which form part of’ in the definition of a filing system have always been taken to mean that the data concerned must have first been recorded in a tangible form (on the hard copy structured file) and then extracted and processed also in a physical or electronic manner (not just memorised and orally repeated). Indeed, there is case law under the previous UK legislation, the Data Protection Act 1998, which confirms precisely this (Scott -v- LGBT Foundation Ltd), so it used to be safe for UK organisations to presume that the principles and conditions set out in the GDPR (in both its forms) were not engaged in such situations.
The organisations sharing the data verbally would still need to consider the effects of other laws, e.g., any common law duty of confidentiality they might owe to the data subject, anti-discrimination laws, or the law of defamation. But the DPA 2018 and the GDPR would not apply.
At least that has been the thinking up to now. However, a judgement of the European Court of Justice (ECJ) in March 2024 has upended this assumption. In Endemol Shine Finland (Case C-740/22) the ECJ ruled that oral communications are not exempt from the EU GDPR - the Court holding that the possibility of circumventing the GDPR by disclosing personal data orally rather than in writing would be “manifestly incompatible” with the objectives of the Regulation.
The case involved a request by the claimant, a Finnish film production company, for information about a participant in a competition which the production company was running. The company asked a local court for an oral statement of any criminal proceedings ongoing or concluded against the data subject (the competition entrant). The Finnish court refused to disclose the criminal offences and convictions information in any form, even just verbally, arguing that it would constitute processing of personal data under the EU GDPR. The company appealed to a higher national court (the Finnish Court of Appeal), which referred the case to the ECJ.
In a judgement which runs counter to precedent (in the UK at least) the ECJ held that if orally disclosed personal data is derived from a filing system (in the Endemol Shine Finland case, the court’s register of criminal records) then that disclosure counts as processing for the purposes of the EU GDPR. As such, an oral disclosure of personal data may only take place if it complies with the principles and conditions of the EU GDPR, such as lawfulness, fairness and transparency, and the oral disclosure of criminal data in particular is also subject to further conditions and safeguards provided by Article 10 of the EU GDPR.
This ruling has important implications for employers in the EU which provide or receive oral references, particularly where such references contain special category or criminal data. Picking up the phone is not as risk free as previously thought. As such, EU employers should ensure that they:
- Have a legal basis for processing the personal data in this way
- Limit the disclosure of personal data to what is relevant and necessary for that reference
- Ensure that the reference is given or received in a secure and confidential manner, and that the personal data is not shared with any third parties without legal justification
- Respect the data subject rights of the candidate including those to access, rectify or erase the personal data, or to object to the processing.
So, that is the position in the EU, but what is the status of the ECJ’s judgement for UK organisations? The UK has not been a member of the Union since 31 December 2020, and consequently is not bound by rulings of the ECJ. However, it is very likely that in future court actions in the UK dealing with similar facts, parties will argue that the Endemol case has authority, and that the UK courts would at least have regard to the ruling. Whether they would find it persuasive, especially if the UK GDPR is modified in the interim by UK legislation to diverge from the EU GDPR, is open to question.
And a final point specifically for employers in the UK. The DPA 2018’s Schedule 2, at paragraph 24, contains an exemption from some of the data subject rights (including the right to be informed and the rights to confirmation of processing and access to data) for employment and other references given ‘in confidence’. So, if employers want oral references to be exempt from these rights, then at the start of the conversation the organisation disclosing the reference should confirm to the entity seeking it that the oral reference is provided ‘in confidence’.
How URM can help?
If your organisation wants to find out more about how to give or obtain job references safely in the light of the Endemol Shine Finland judgement, or with any aspect of GDPR compliance, URM can leverage its 19 years of experience assisting organisations remain compliant with data protection legislation to provide you with practical support and up-to-date guidance. We can offer a wide range of GDPR consultancy services to help ensure your processing activities are aligned with the Regulation’s requirements. For example, one of our highly qualified and experienced GDPR consultants can conduct a gap analysis of your processing against regulatory requirements to help you identify any areas where you are not currently complying. We can also assist you in your development and maintenance of key compliance documents, such as a record of processing activities (RoPA), data protection impact assessment (DPIA), or your privacy notice. To help you remain compliant in your handling of data subject access requests (DSARs), URM can offer a GDPR DSAR redaction service, where we remove any information that cannot be disclosed to the data subject and identify any relevant exemptions. Meanwhile, our virtual data protection officer (DPO) service provides you with ongoing access to and support from an entire team of data protection practitioners, each with their own specialised area of GDPR consultancy.
To enhance your own understanding of the UK data protection landscape, URM also runs a range of data protection-related training courses, all of which are led by a practising GDPR consultant. This includes courses on how to conduct a DPIA, a data transfer impact assessment (DTIA), and how to manage a DSAR request. If you would like to gain an industry-recognised data protection qualification, we regularly deliver the BCS Foundation Certificate in Data Protection (CDP) Training Course.
URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs, ROPAs, privacy notices, data retention schedules and training programmes etc.
By attending URM’s online BCS Foundation Certificate in Data Protection course, you will gain valuable insights into the key aspects of current DP legislation including rights of data subjects and data controller obligations.
If uncertain, URM is able to conduct a high-level GDPR gap analysis which will assist you understand your current levels of compliance and identify gaps and vulnerabilities.
We are focussing on transfer risk assessments (TRAs), commencing with the background that led to their introduction and then addressing the five questions.
URM’s blog discusses changes to the SCCs British organisations can use to legitimise restricted transfers of data under the UK GDPR
Is there a catch-all international standard that effectively proves external verification of data protection compliance?