Oral references now count as processing for GDPR purposes (in the EU at least)

Indeed, it has been a popular way for organisations to communicate personal data about individuals (‘data subjects’) without having to worry about their responsibilities (e.g., needing to have a lawful basis for the sharing of the data) and the data subject’s rights (e.g., to have access to the shared data) which would flow from the data protection legislation, if such disclosures were considered to be processing.  

This is because the legislation only covers processing of personal data ‘wholly or partly by automated means’ – i.e., where the data is stored or manipulated electronically – or of data which forms part of, or is intended to form part of, what is known as a ‘filing system’.  A filing system is a structured dataset held in non-electronic, hard copy form which is searchable according to specific criteria.  So, a common example of a filing system might be a paper employee file where it is reasonably easy to flick through and locate the personal data of the data subjects (the employee and others mentioned in the file).  The words ‘…data which form part of’ in the definition of a filing system have always been taken to mean that the data concerned must have first been recorded in a tangible form (on the hard copy structured file) and then extracted and processed also in a physical or electronic manner (not just memorised and orally repeated).  Indeed, there is case law under the previous UK legislation, the Data Protection Act 1998, which confirms precisely this (Scott -v- LGBT Foundation Ltd), so it used to be safe for UK organisations to presume that the principles and conditions set out in the GDPR (in both its forms) were not engaged in such situations.

The organisations sharing the data verbally would still need to consider the effects of other laws, e.g., any common law duty of confidentiality they might owe to the data subject, anti-discrimination laws, or the law of defamation.  But the DPA 2018 and the GDPR would not apply.

At least that has been the thinking up to now.  However, a judgement of the European Court of Justice (ECJ) in March 2024 has upended this assumption.  In Endemol Shine Finland (Case C-740/22) the ECJ ruled that oral communications are not exempt from the EU GDPR - the Court holding that the possibility of circumventing the GDPR by disclosing personal data orally rather than in writing would be “manifestly incompatible” with the objectives of the Regulation.

The case involved a request by the claimant, a Finnish film production company, for information about a participant in a competition which the production company was running.  The company asked a local court for an oral statement of any criminal proceedings ongoing or concluded against the data subject (the competition entrant).   The Finnish court refused to disclose the criminal offences and convictions information in any form, even just verbally, arguing that it would constitute processing of personal data under the EU GDPR.  The company appealed to a higher national court (the Finnish Court of Appeal), which referred the case to the ECJ.

In a judgement which runs counter to precedent (in the UK at least) the ECJ held that if orally disclosed personal data is derived from a filing system (in the Endemol Shine Finland case, the court’s register of criminal records) then that disclosure counts as processing for the purposes of the EU GDPR.  As such, an oral disclosure of personal data may only take place if it complies with the principles and conditions of the EU GDPR, such as lawfulness, fairness and transparency, and the oral disclosure of criminal data in particular is also subject to further conditions and safeguards provided by Article 10 of the EU GDPR.

This ruling has important implications for employers in the EU which provide or receive oral references, particularly where such references contain special category or criminal data.  Picking up the phone is not as risk free as previously thought.  As such, EU employers should ensure that they:

• Have a legal basis for processing the personal data in this way
• Limit the disclosure of personal data to what is relevant and necessary for that reference
• Ensure that the reference is given or received in a secure and confidential manner, and that the personal data is not shared with any third parties without legal justification
• Respect the data subject rights of the candidate including those to access, rectify or erase the personal data, or to object to the processing.

So, that is the position in the EU, but what is the status of the ECJ’s judgement for UK organisations?  The UK has not been a member of the Union since 31 December 2020, and consequently is not bound by rulings of the ECJ.   However, it is very likely that in future court actions in the UK dealing with similar facts, parties will argue that the Endemol case has authority, and that the UK courts would at least have regard to the ruling.  Whether they would find it persuasive, especially if the UK GDPR is modified in the interim by UK legislation to diverge from the EU GDPR, is open to question.

And a final point specifically for employers in the UK.  The DPA 2018’s Schedule 2, at paragraph 24, contains an exemption from some of the data subject rights (including the right to be informed and the rights to confirmation of processing and access to data) for employment and other references given ‘in confidence’.  So, if employers want oral references to be exempt from these rights, then at the start of the conversation the organisation disclosing the reference should confirm to the entity seeking it that the oral reference is provided ‘in confidence’.