Thesis of the decision

  1. The company prepared and made available to its staff (data subjects) a Privacy Notice for the purpose, inter alia, of transparent communication and information about the personal data held in the company (including special categories of data), the purpose of their collection and processing, their rights regarding personal data, the legal basis for their collection, the administrative and technical protection measures applied, their retention period, etc.
  2. The personal data collected from the data subjects is necessary for the execution of the work [contract] and the observance of the obligations of the company as an employer arising from its contractual obligations, from the relevant legal framework and for safeguarding the legitimate interests of the company.
  3. The element “free” implies real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid. If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given. Accordingly, consent will not be considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment. The notion of imbalance between the controller and the data subject is also taken into consideration by the GDPR.


Content of the decision

Decision
Subject: Authorisation for the release of medical records and processing of health-related data in the context of employment by Sea Chefs Cruises Ltd

A. Case description

A complaint was lodged in Germany against the company Sea Chefs Cruises Ltd (the controller), which was subsequently transmitted to the Commissioner for Personal Data Protection (Cyprus SA), which is acting as the lead authority in this matter.

The company’s main activity is the provision of seafarer recruitment and placement services on cruise ships.

Sea Chefs Cruises Ltd owns/manages the following companies: sea chefs River Cruises Ltd, sea chefs River Management Ltd, Ocean Spa Ltd, sea chefs Holding AG, sea chefs Cruises Worldwide GmbH, sea chefs Human Resources Services GmbH, sea chefs Cruise Management GmbH, sea chefs Malta Ltd, sea chefs Cruise Services GmbH, sea chefs Human Resources Services GmbH/Branch office Hamburg (jointly referred to as “the Company”).

In the framework of its activities the company is held to comply with its legal obligations to conform with relevant laws, regulations and international conventions which make it obligatory for the company to hold and process health-related data of employees, namely the Maritime Labour Convention, MLC 2006, International Labour Organisation; the International Convention on Standards of Training, Certification and Watchkeeping for Seafarers 1978, as amended (“STCW”); the International Management Code for the Safe Operation of Ships and for Pollution Prevention (International Safety Management (ISM) Code); the Guidelines on the medical examinations of seafarers, International Labour Organisation (ILO) and International Maritime Organisation; the Merchant Shipping Act (Cap. 234) / Flag State Requirements of Malta; the Merchant Shipping CH. 268 / Flag State Requirements of Bahamas; and the Collective Bargaining Agreement.

The obligation includes the mandatory medical examinations for issuance of the Fit-For-Duty certificates.

Prior to beginning work on a ship, the company requests employees to sign a general Authorisation for the release of medical records in order to have access to their medical records, so as to be able to assist the employees with medical care, to arrange any associated travel and to handle any medical claim in the event of a medical incident taking place onboard.
Namely, the “Authorisation for release of medical records” serves multiple purposes, inter alia: (1) the authorisation given to any doctor, pharmacist, insurance company etc. to disclose to Sea Chefs Cruises Ltd all health information and medical records […]; (2) consent given to any other company or any other doctor […] who is in possession of medical/health data to allow Sea Chefs Cruises Ltd free access to those data; (3) consent to the ability of the Company to ask questions and discuss the medical information […]; (4) consent to transfer or disclose medical data to local or foreign Authorities and/or Agents etc. when it is provided by law or collective agreements or according to the terms of the employment […].

Under the section “Purpose of the authorisation for release of medical records” of the Privacy notice (issue date 15-03-2019) the following is provided:
“The Company needs to have your Authorisation for release of Medical Records, attached below, signed by you in order to be able to have access to your medical records. This will only be necessary in the event of a medical incident taking place onboard and for enabling the Company to manage your medical care and any associated medical claims timely and effectively.

You have the right to refuse signing the Authorisation. However, in such a case please note that we will not be in the position to offer you employment since we will not be able to abide by our collective bargaining agreement obligations, offer you medical treatment when necessary, confirm you are fit for duty to safeguard your personal health and safety and to reduce risks to other crew members and for the safe operation of the ship.”

The complainant, who works for the company, considers that such Authorisation is a breach of the rules provided under the General Data Protection Regulation (GDPR).

B. Explanations provided by Sea Chefs Cruises Ltd

In the framework of the investigation by Cyprus SA, Sea Chefs Cruises Ltd provided the following information on 12.05.2020:
The company prepared and made available to its staff (data subjects) a Privacy Notice for the purpose, inter alia, of transparent communication and information about the personal data held in the company (including special categories of data), the purpose of their collection and processing, their rights regarding personal data, the legal basis for their collection, the administrative and technical protection measures applied, their retention period, etc.
The personal data collected from the data subjects is necessary for the execution of the work [contract] and the observance of the obligations of the company as an employer arising from its contractual obligations, from the relevant legal framework and for safeguarding the legitimate interests of the company. The relevant laws, regulations, international conventions and related contracts that render mandatory the collection and processing of health-related data by the controller are laid down in a separate list [attachment 1].
The need to provide an Authorisation for Release of Medical Records arose from the fact that the doctors/practitioners on board and the doctors at the medical centres where crew members are transported for treatment refuse to release the medical data to the company without the consent of the crew member. It is clarified that most doctors on board are employed by the clients of Sea Chefs Cruises Ltd, who are the ship-owning companies (outsourcing). Some doctors/practitioners work as freelancers and in a few cases the doctors are employed by Sea Chefs Cruises Ltd.

Due to incomplete and/or insufficient relevant medical data provided by employees, the company is constantly exposed to the following risks:
1. Exposing the crew member and his health to danger during his repatriation after illness or accident. The responsibility for the safe repatriation of each patient (employee) is assigned to the employer and not to the ship’s doctor after disembarkation from the ship. In addition, post-repatriation recovery supervision is still the responsibility of the employer.
2. Failure to properly inform the family of each crew member (next of kin) after illness or accident. Informing the family is a contractual obligation under the Collective Bargaining Agreement.
3. Inability to properly defend a legal case in the event of legal proceedings.
4. Refusal of Maritime Insurance (P&I Club) to pay compensation.
5. Charging the company with the payment of Sickness Compensation for up to 130 days due to failure to submit relevant and sufficient medical data.

Several times, the company engaged in discussions with its customers (mostly German) to find a solution to the release of medical records, without much result. German customers continuously allege that in the industry all companies seek the consent of their employees to collect their medical data. If the company chose a different approach, the customers are afraid that the company would have a problem with employees and would constantly receive complaints and resignations. Some customers threatened to terminate their cooperation if the company did not provide this option.

Initially the Authorisation was a separate document and was given to the crew member when he or she needed medical care off board, due to illness or after an accident. However, it was difficult and sometimes impossible to ask the crew member to sign the Authorisation at the time of a health problem or the accident. Therefore, the company decided to collect the Privacy Notice (general Authorisation) in advance, upon commencement of the employment, together with the Privacy Statement. If no medical incident or injury takes place and no medical claims are made against the Company, there will be no requirement to access medical records of the employees. In order to assess whether the processing of employees’ health-related data by Sea Chefs Cruises Ltd is in line with the GDPR, Cyprus SA acquired additional information, namely:

Concerning the collection of health-related data prior to employment:
(a) the categories of all health data collected by Sea Chefs Cruises Ltd
(b) anonymized copies of medical records provided by employees

In the event of illness and injury of an employee while serving on board of a vessel:
(c) the procedure followed by Sea Chefs Cruises Ltd in relation to the collection and sharing of health-related data after the incident (illness and injury)
(d) the categories of all health data collected by Sea Chefs Cruises Ltd
(e) anonymized copies of medical certificates and medical records provided by employees

The company provided all documentation requested in due time, by letter of 12.10.2020. In their letter of 22.12.2020 the company explained that “the particular circumstances of the industry sea chefs operates in and the multitude of laws, regulations and agreements we must abide by especially with regards to the crewmembers’ health and safety as well as passengers. For this reason, essentially, we cannot employ anyone without collecting and processing their medical data and we are obliged to retain and have available such information. We are also obliged to offer medical care to our crewmembers.” They further pointed out that “the Authorisation for the release of medical records’ clearly states the purposes and reasons such release is requested and very strictly declares that such process will be protected, restricted, limited and only when necessary for the purposes contained therein.”

C. Legal framework

Definition of consent, Article 4(11) GDPR: ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Article 5: Principles relating to processing of personal data
Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

Article 7: Conditions for consent
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
Article 9: Processing of special categories of personal data
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

Paragraph 2:
Paragraph 1 shall not apply if –
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
(b) the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
or/and
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

D. Views of Cyprus SA and Reasoning

As it stands now, the Authorisation appears to be based on the consent of the employee. Indeed, under article 9(2)(a) of the GDPR the controller may rely on explicit consent of the data subject for the processing of special categories of data. Cyprus SA underlines that in such a case, various conditions should apply for the validity of the consent: not only should the consent be explicit, it must also be freely given, specific and informed (article 4(11) of the GDPR).
Cyprus SA considers that the condition of freely given consent does not apply in the present case, as employees of Sea Chefs Cruises Ltd who are requested to sign the Privacy Notice in advance upon commencement of the employment, have no real choice. They feel compelled to consent and if they do not consent, they will endure negative consequences, and namely they will “not be offered employment”. Consequently, consent is not considered to be freely given when the employee is unable to refuse or withdraw his or her consent without detriment. In line with article 7(3) of the GDPR, the data subject shall have the right to withdraw his or her consent at any time and the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Moreover, Cyprus SA considers that in the employment sector, in general, consent should not be used as the lawful basis for the processing due to the imbalance of the relationship between employer and employee. Given the dependency that results from the employer/employee relationship, it is unlikely that the data subject is able to deny his/her employer consent to data processing without experiencing the fear or real risk of detrimental effects as a result of a refusal.
Reference should be made in this regard to previous decisions of Cyprus SA, [decision against Louis Group Ltd of 12/10/2019, Decision against Gan Direct Insurance of 24/5/2018, Decision against Apollonion Hospital of 02/10/2012] where the authority ordered the controllers to cease the processing, among other reasons, due to the fact that consent cannot be used as the lawful basis for the processing.

In relation to the condition of freely given consent, reference is made to the EDPB Guidelines 05/2020 on consent, which state that:
The element “free” implies real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid. If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given.

Accordingly, consent will not be considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment. The notion of imbalance between the controller and the data subject is also taken into consideration by the GDPR. (§ 13 page 7)
When assessing whether consent is freely given, one should also take into account the specific situation of tying consent into contracts or the provision of a service as described in Article 7(4).
Article 7(4) has been drafted in a non-exhaustive fashion by the words “inter alia”, meaning that there may be a range of other situations, which are caught by this provision. In general terms, any element of inappropriate pressure or influence upon the data subject (which may be manifested in many different ways) which prevents a data subject from exercising their free will, shall render the consent invalid. (§ 14 page 7)

An imbalance of power also occurs in the employment context. Given the dependency that results from the employer/employee relationship, it is unlikely that the data subject is able to deny his/her employer consent to data processing without experiencing the fear or real risk of detrimental effects as a result of a refusal. It is unlikely that an employee would be able to respond freely to a request for consent from his/her employer to, for example, activate monitoring systems such as camera observation in a workplace, or to fill out assessment forms, without feeling any pressure to consent. Therefore, the EDPB deems it problematic for employers to process personal data of current or future employees on the basis of consent as it is unlikely to be freely given. For the majority of such data processing at work, the lawful basis cannot and should not be the consent of the employees (Article 6(1)(a)) due to the nature of the relationship between employer and employee. (§ 21 page 9)
It follows from the above that the “consent” of the employees provided in the form of the “Authorisation for release of medical records” of the Privacy notice (issue date 15-03-2019) does not fulfil the requirements of valid consent.
Furthermore, in accordance with the minimisation/ proportionality principle (article 5(1)(c) of the GDPR), the data processed by the controller should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. In this regard, Cyprus SA considers that the controller should collect and generally process only data that are absolutely necessary to be able to assist the employees with medical care, to arrange any associated travel and to handle any medical claim, in line with relevant laws and the purposes laid down in Article 12 (Medical Care, Sick Pay and Maintenance) and Article 14 (Death and Disability Compensation) of the Collective Bargaining Agreement.
As previously explained, in the framework of its activities, Sea Chefs Ltd is held to comply with its legal obligations to conform with relevant laws, regulations and international conventions which make it obligatory for the company to hold and process health-related data of employees, as well as for the purposes set out in the Collective Bargaining Agreement.
According to the explanations given by Sea Chefs Ltd, due to incomplete and/or insufficient relevant medical data provided by employees, the company is constantly exposed to the following risks:
1. Exposing the crew member and his health to danger during his repatriation after illness or accident. The responsibility for the safe repatriation of each patient (employee) is assigned to the employer and not to the ship’s doctor after disembarkation from the ship. In addition, post-repatriation recovery supervision is still the responsibility of the employer.
2. Failure to properly inform the family of each crew member (next of kin), after illness or accident. Informing the family is a contractual obligation under the Collective Bargaining Agreement.
3. Inability to properly defend a legal case in the event of legal proceedings.
4. Refusal of Maritime Insurance (P&I Club) to pay compensation.
5. Charging the company with the payment of Sickness Compensation for up to 130 days due to failure to submit relevant and sufficient medical data.

Article 9(2) GDPR provides a list of possible exemptions to the ban on processing special categories of data. Apart from consent, Article 9(2) describes nine additional lawful bases on which a controller can rely.

Cyprus SA was called upon to assess whether the controller could rely on another legal basis for the collection and general processing of employees’ health-related data, other than consent.
On the basis of the information available to it, Cyprus SA considers that Sea Chefs Ltd is entitled to process health-related data of employees on the basis of article 9(2)(b) of the GDPR, when the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment in so far as it is authorised by the collective agreement and only where necessary to achieve those purposes for the benefit of employees, in particular in the context of the management of health care services and systems.
Yet, the collective agreement should provide for appropriate safeguards for the fundamental rights and the interests of the data subject. Those safeguards must include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing and the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place.

On the basis of article 9(2) (h) of the GDPR, Sea Chefs Ltd is entitled to process health-related data of employees, when the processing is necessary for the assessment of the working capacity of the employee, medical diagnosis, the provision of health care or treatment, under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies.
In light of the above, the assessment of the working capacity of the employee, medical diagnosis, the provision of health care or treatment, should only be done under the responsibility of a professional subject to the obligation of professional secrecy and Sea Chefs can only access those data authorised by law and collective agreements.

E. Decision
Cyprus SA assessed all the information available in relation to this case and decided that the consent provided by employees to the controller “Sea Chefs Cruises Ltd”, by means of the “Authorisation for release of medical records” of the Privacy notice (issue date 15-03-2019), is not in accordance with the rule of Article 4(11) and Article 7 of the General Data Protection Regulation.
Cyprus SA considers that in the employment sector, consent should not be used as the lawful basis for the processing due to the imbalance of the relationship between employer and employee.
Sea Chefs Cruises Ltd should explore the specific exceptions in Article 9(2) subparagraphs (b) to (j) to lawfully process health-related data of employees.
In accordance with the minimisation/ proportionality principle (article 5(1)(c) of the GDPR), Cyprus SA considers that the controller should collect and generally process only data that are absolutely necessary to be able to assist the employees with medical care, to arrange any associated travel and to handle any medical claim, in line with relevant laws and the purposes set out in Article 12 (Medical Care, Sick Pay and Maintenance) and Article 14 (Death and Disability Compensation) of the Collective Bargaining Agreement.

In light of the above, and in accordance with the powers conferred to the Commissioner by Article 58(2)(d) of the GDPR, the Commissioner orders the controller:
a) to cease the processing of health data of employees based on consent,
b) to bring the processing operations into compliance with the provisions of the GDPR and in particular to take actions as to process only those health related data in the employment context which are necessary for the discharge of obligations laid down by law or by the collective agreements for the purposes of the recruitment, the performance of the contract of employment, health and safety at work, and the exercise and enjoyment of rights and benefits of employees,
c) to inform the Commissioner on the actions taken to comply with this Decision at the latest within one month from the date of this decision.

In the event that Sea Chefs Cruises Ltd does not comply with the above order within the aforementioned deadlines, the Commissioner shall envisage additional corrective actions.