Data Protection Authority decision on communicating the circumstances for a dismissal to remaining staff - is silence golden?

In their decision of 1 June 2021 (Decision No 63/2021), the Data Protection Authority determined that an employer who communicated the reasons and circumstances for the dismissal of two former employees, was to a limited extent in breach of the General Data Protection Regulation (GDPR). Although  employers have the right to inform their employees about the dismissals themselves, they need to limit this information to what is strictly necessary for the intended purpose, i.e. a brief communication stating that an employee is no longer part of the staff.

Facts and relevant information

Two former employees of a residential care centre filed a complaint with the Data Protection Authority against their former employer due to the internal communications following their dismissals. Their former employer had informed the remaining staff of their departure, as well as the circumstances and facts underlying the dismissals. Both former employees were of the opinion that this was in breach of the GDPR and one of them also requested additional compensation. Both complaints were merged into one file and were dealt with together by the Data Protection Authority on 1 June 2021.

The Data Protection Authority’s reasoning and decision

The final decision by the Data Protection Authority was based on several points:

Lawfulness of processing personal data

Since both complaints fall within the scope of the employment relationship between the plaintiffs on the one hand and the defendant (i.e. the residential care centre) on the other hand, the processing of personal data by the defendant must be based on GDPR article 6.1b (‘lawfulness’). The processing of the plaintiffs' personal data in the event of the termination of the employment relationship is part of the performance of the employment contract and thus has to be considered as lawful. No further comments were made by the Data Protection on this point.

The principle of data minimisation

Furthermore, when processing personal data, the employer is obliged to respect the principle of data minimisation (GDPR art. 5.1c) - personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed.

As concerns plaintiff 1, the email that had been sent out by the employer only stated that the collaboration with plaintiff 1 had been terminated and that therefore they would no longer appear on the workfloor of the residential care centre. In that regard, the Data Protection Authority reasoned that the communication by email concerning the dismissal of plaintiff 1 had been limited and in line with the principle of data minimisation (strictly necessary for the intended purpose) and that the defendant had not committed an infringement of GDPR art. 5.1c.

As concerns plaintiff 2, however, the communication sent out by the employer had been more elaborate. it not only communicated the dismissal to staff, but also the information that the dismissal took place after three written warnings and performance reviews. The Data Protection Authority reasoned that the information about the number of written warnings and performance reviews was by no means necessary for the intended purpose. This could have been reasonably achieved without communicating this additional information. As such, the Data Protection Authority concluded that in regard to plaintiff 2 there was in fact an infringement of GDPR art. 5.1c by the defendant.

Claim for compensation by plaintiff 1

Plaintiff 1’s request for additional compensation was not accepted by the Data Protection Authority as this does not fall within the Data Protection Authority’s competences. Furthermore, no GDPR infringement took place in the case of plaintiff 1.

The Data Protection Authority’s Decision

In conclusion, the Data Protection Authority was of the opinion that there was no GDPR infringement in the case of plaintiff 1. However, in regard to plaintiff 2, the Data Protection Authority issued a reprimand to the defendant as a result of the infringement of GDPR article 5.1c.


Although the Data Protection Authority took no formal action against the defendant, communication in light of the dismissal of employees must always be strictly limited to what is necessary to avoid  any issues regarding the privacy of former employees. Although communicating a dismissal in itself will not constitute a breach of GDPR principles, employers must tread carefully if they also want to communicate on the circumstances surrounding the dismissal. Therefore it’s like the old saying goes ‘speech is silver, but silence is golden!’

Related : PwC Legal


All articles Labour law

Lastest articles Labour law

EU Court of Justice says headscarf ban is not discriminatory

Following the STIB judgement of 3 May 2021 by the Labour Court of Brussels, ordering the STIB to end its policy of neutral...

Read more

Succession of fixed-term employment contracts and replacement contracts: the Constitutional Court...

On 17 June 2021, the Constitutional Court issued an important decision in which it ruled that the fact that there are no s...

Succession of fixed-term employment contracts and replacement contracts: the Constitutional Court rules on the issue Read more

ECtHR rules on social media-linked dismissal in Melike v. Turkey

The European Court of Human Right’s ruling of 15 June 2021 concerned the dismissal of a contractual cleaning lady in...

ECtHR rules on social media-linked dismissal in Melike v. Turkey Read more

Returning to the workplace, Part 2 - when working from home comes at a price

At the risk of kicking in an open door, working from home and the return to the office has become this summer’s...

Read more

LexGO Network