On the 25th of October, 2019, the Cypriot Supervisory Authority banned the processing of an automated tool, used for scoring sick leaves of employees, known as the “Bradford Factor’’ and subsequently fined the three companies.
The Commissioner launched an investigation after a complaint was lodged by the employees’ trade union.
The reasoning behind Bradford Factor’s system for scoring employees’ sick leave was that short, frequent and unplanned absences are worse for a company than longer absences.
The date and frequency of a person’s sick leave involves processing of “special categories of personal data” (health), as defined under Article 9(1) of the GDPR. Scoring the data using the ‘Bradford Factor’ and profiling individuals based on the results is considered processing of personal data and must comply with the GDPR.
The Cypriot Supervisory Authority stated that:
(1) the companies failed to demonstrate that their legitimate interests prevailed over the interests, rights and freedoms of their employees;
(2) that the processing using the Bradford Factor had no legal basis; and
(3) none of the exemptions in Article 9(2) that allow the processing of health data would apply.
The Authority ordered the companies to stop using the Bradford Factor and delete all data collected. Moreover, it imposed fines on all three companies:
LGS Handling Ltd – €70.000
Louis Travel Ltd – €10.000
Louis Aviation Ltd – €2.000
When deciding on the amount of the administrative fines, the Authority considered the number of data subjects (818 employees in total), the nature and duration of the infringements and the relevant turnover of the companies.
While this is a Cypriot decision, it still very relevant to the UK as many businesses here use the Bradford Factor.