Hacked off employees - what potential rights does an employee in Germany, France and the UK have against their employer in the event of their personal data being hacked?

United Kingdom

This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.

Instances of data hacking seem to be making the news on an almost daily basis whether it is in relation to theft of patient files or customer card details. Though such cases in the past were related mainly to customers of e-commerce ventures, banks or credit card companies, data hacking has become an evident and very risky issue for employers. Recently an employer was sued by employees in a class action after their personal data, including credit card and social security numbers, was published on the internet by hackers following a cyber attack on the employer's central servers. The employees argued that the employer should have been better prepared to protect against hackers.

Going forward, the financial impact of data breaches is likely to increase significantly. For data controllers - including employers - across the EU, the potential cost of failing to protect personal data could be set to rocket under the proposed EU draft General Data Protection Regulation. This currently proposes a sanctions regime of maximum fines of up to 100,000,000 euros or 5% of global turnover. If ultimately enacted, this makes the cost of investment for employers in appropriate data security measures look like small change!

We take a look at the rights an employee in Germany, France and the UK might currently have against their employer where their personal data is the subject of a successful cyber attack.

Interestingly, in Germany employers are expressly required to use the latest encryption techniques in order to safeguard personal data. To learn more about an employee's rights in the event of their personal data being hacked, click here.

In France employee rights could be bolstered by proposals to enable trade unions to take action against employers on behalf of all their affected members in appropriate cases of data breach - for more details, click here.

In the UK there are a number of options available to an employee whose personal data has been compromised by their employer's failure to protect their personal data including potentially, in very serious cases, a claim for constructive dismissal - click here to read more.