Find Out What Rights You Have If An Employer Failed To Protect Your Data Privacy
In this guide, we look at what evidence and justifications could lead to potential employee data breach claims against Unilever. If your employer caused a personal data breach, making you suffer mentally or financially, then this guide could help you.
The GDPR came into force in 2018 and was enacted into UK law through the Data Protection Act 2018 (DPA). Data protection laws are designed to reduce the number of data breaches that occur.
During the course of the guide, we’ll look at how the General Data Protection Regulation (GDPR) could apply to the personal data held by your employer. Furthermore, we’ll show you what responsibility the Information Commissioner’s Office (ICO) has in enforcing data safety laws.
As you could claim compensation for any psychological or financial suffering that results from data breaches, we’ll look at potential settlement amounts that might be paid in employee data breach claims.
We’ll look at a case at the Court of Appeal that clarified that it is possible to claim for any psychological suffering (distress, anxiety, depression, etc.) that is caused by a data breach, regardless of whether you also endured financial loss. If you can evidence them, you could also claim back any financial losses.
Our team is able to help if you need any support while reading this guide. Should you decide to take legal action following a Unilever data breach, Legal Expert could appoint a solicitor to your case. For a free review of your claim, please call 0800 073 8804 or click on their banner found on this page.
Select A Section
- What Is An Employee GDPR Data Breach Claim Against Unilever?
- What Is The GDPR?
- Is Unilever Employee Data Protected By GDPR Rules?
- Looking At The Main GDPR Principles
- Categories Of Private Data Protected By GDPR Rules
- What Is A Breach Of GDPR Privacy By An Employer?
- What Could My Employer Have Done To Be In Breach Of GDPR?
- Do Employers Have To Get Your Consent Before Sharing Data?
- How Should A Data Breach Be Dealt With?
- What Is The Information Commissioner’s Office?
- ICO Guidance On Employment Data Protection Practices
- Can Employers Be Reported For Breaches Of GDPR Rules?
- Employee Data Breach Claims Against Unilever: Compensation Calculator
- No Win No Fee Employee Data Breach Claims Against Unilever
- Related Guides
- FAQs About Employee Data Protection Breaches
What Is An Employee GDPR Data Breach Claim Against Unilever?
To help you throughout this guide, we’ve listed some GDPR terms in this section. They are:
- The data controller: A company or organisation that decides how and why to process your personal data.
- A data subject: This is you or the person whose information is to be processed.
- Data processing: The dissemination, storage, collection and other actions used on personal data.
- The data processor: This is a separate entity from the data controller and the data controller’s employees. For example, this could be an agency that your employer outsources to process personal data on their behalf.
Employee data breaches happen because of some type of security incident. Due to the incident, information relating to a data subject will be illegally changed, disclosed, lost, destroyed or accessed.
When making employee data breach claims, you must be able to prove that:
- Your personal information was involved in a data breach; and
- You suffered financially or psychologically because of the breach.
It is important to note that breaches that aren’t deliberate could entitle you to claim in the same way as those caused by a cybercriminal. So long as you can prove the mental or financial harm it caused, you could begin legal action.
Generally, you’ll need to claim within a 6-year limitation period from the date you became aware of the breach. However, time limits are 1 year in cases based on human rights breaches, so please bear this in mind.
What Is The GDPR?
The GDPR is a strict set of rules regarding data safety. These rules apply to all data controllers who process data within the UK. Also, the rules are relevant to foreign companies that process data about residents in the UK.
One of the key requirements of the GDPR and the DPA is that a lawful basis to process data must be established. This could be based on a legal requirement, a contract or by seeking permission from the data subject, for example. This requirement explains why so many pop-up boxes appear on websites these days.
Another requirement is that data processing should be secure. As a result, data controllers should use new, tougher security processes and ensure they are legal too.
Where personal information is recorded on printed documents or hand-written sheets, it falls under the GDPR’s rules. For example, it may be stored in files or on paper before being transferred to an electronic or computer system. It goes without saying that digital data is also covered by the new laws.
Is Unilever Employee Data Protected By GDPR Rules?
If you work for Unilever, they will need to retain a lot of personal information about you. This will be for operational and legal reasons. Because much of the information is labelled as personal or sensitive, secure storage methods should be used.
Where data from your personnel records is stolen by criminals, it could result in you losing money. Where unsecured personal information about you ends up being viewed by colleagues, you might suffer a lot of stress or anxiety. It is that type of suffering that might entitle you to begin legal action.
Cybercrime is commonly reported as being a cause of some data breaches. However, they can happen because of basic human error as well. For instance, if your line manager discusses the details of your disciplinary in front of colleagues who’re unauthorised to hear about it, it is likely a data breach has taken place.
If you can prove that you suffered mentally or financially after a data breach, you may be considering employee data breach claims against Unilever. Contact us through our live chat if you have evidence of a valid claim.
Looking At The Main GDPR Principles
The GDPR is based on seven principles relating to how data processing is carried out. Here is a brief summary of them:
- Lawful, fair and transparent methods of data processing must be used.
- Data processors are only allowed to collect and process limited data that is required for the purpose.
- Any information that is collected must not be used for reasons other than those specified at the time of processing.
- It is important to keep the personal data that is stored up to date. If mistakes are identified, they need to be amended or removed.
- Confidential and secure methods of processing must be used at all times.
- Storing personal information is allowed but it shouldn’t be kept for longer than it is required.
- Data controllers must show adherence to these principles and be accountable for the protection of the data.
Categories Of Private Data Protected By GDPR Rules
Data controllers should take time to assess whether they are processing personal data or not. The ICO says that the test is whether or not the information could identify the data subject. Data will fall within the GDPR’s protection if it directly identifies an individual, or if it could be used to identify someone in combination with other data.
Data that might identify you:
- Your name.
- A National Insurance Number.
- Staff number.
- Email address.
- Telephone number.
- Network username.
- Home address.
Forms of sensitive information that might identify you:
- Information about a disability.
- Marital status.
- The employee’s age.
- Ethnicity or race.
- Sexual orientation.
- Religious beliefs.
Where personal information is processed electronically or stored within a filing system, it is likely to be protected under the GDPR’s rules.
What Is A Breach Of GDPR Privacy By An Employer?
As we mentioned earlier, while criminal activity can lead to a data breach, it’s not the only cause. Accidental or deliberate actions by staff could also lead to a data breach. Where that’s true, employee data breach claims might be possible if they result in harm. Here are some of the actions that could result in GDPR breaches happening:
- Where an email detailing your next pay rise is sent to a colleague who’s not authorised to see it.
- Where hackers attack the company with phishing emails, denial of service attacks or ransomware to steal data.
- If a member of staff is able to read your personnel record because it is stored on an insecure part of the network.
- If laptops or portable devices without encryption are stolen or lost.
- Where physical documentation is found by a member of the public because it wasn’t securely destroyed before disposal.
- Where somebody is able to access information about you because a computer wasn’t locked when its user was away.
Need advice on whether you could claim compensation? If so, hit the live chat button today.
This guide aims to provide you with information about potential employee data breach claims against Unilever. However, if you need anything else, use our live chat.
What Could My Employer Have Done To Be In Breach Of GDPR?
The ICO has a database of action it’s taken regarding fines and enforcement notices. At the point of writing this guide, no Unilever data breaches were listed. Therefore, we are going to look at a data breach involving employee data relating to another firm in this section.
As part of regular training, the sales staff at Regus are aware that they’re sometimes filmed when selling. However, in 2020, it came to light that the outcome of the exercise was published online. 900 employees were affected. The data was posted to a task management website and included staff names, addresses and details of their work performance.
The task management website’s founder explained that, by default, task lists are private. Therefore, proactive action must’ve been taken to make this list public.
For more information, you can read the full article at: https://www.bbc.co.uk/news/technology-51175508
Do Employers Have To Get Your Consent Before Sharing Data?
In the digital age that we live in, data flows around the world in seconds. Data sharing is something that makes things so much easier. However, it can also create more risks. That’s why data sharing is covered by the GDPR’s rules when it involves personal information.
Back at the start of this article, we explained that getting your consent is one way to achieve a lawful basis to process data. However, that doesn’t always mean that your employer needs your permission before sharing your information.
There are other ways the lawful basis to share data can be established. For example, where a legal obligation to share exists, the employer should share it. This is the case where income details must legally be filed with HMRC.
Another example is where your employer believes somebody’s life is at risk. In that situation, there would be grounds to supply your details without consent.
When data sharing does occur, only data that is absolutely necessary is allowed to be shared. The idea here is to reduce the amount of personal information that’s floating around and, therefore, to reduce risk.
How Should A Data Breach Be Dealt With?
If your employer is alerted to the possibility of a GDPR data breach, they need to take action. This will involve an investigation into the incident and a risk assessment. If the breach risks the rights and freedoms of data subjects, it has to be reported to the ICO within 72 hours. They must tell the ICO about:
- What has happened.
- When and how they were made aware of the data breach.
- Who has been, or may have been, affected.
- What is being done to remedy the situation.
On top of informing the ICO, the company needs to let anybody who might be at risk know about the breach without undue delay. If you are told that your data has been exposed (by letter or email), keep a copy of the communication. It could be a key piece of evidence in an employee data breach claim.
To find out what else you could do to help prove your case, please get in touch by using our live chat.
What Is The Information Commissioner’s Office?
As the UK’s data protection watchdog, the ICO has a lot of different functions to fulfil. They include:
- Keeping a database of fee payers.
- Being responsible for the enforcement of several different pieces of legislation.
- Dealing with concerns from members of the public and data controllers.
- Looking into data breaches that are reported.
- Showing companies how to change how they work if things go wrong.
- Issuing financial penalties where data protection laws are broken.
Additionally, they supply guidance and training materials to companies as you’ll see in the next section.
ICO Guidance On Employment Data Protection Practices
While the ICO does have powers to penalise those found guilty of data breaches, it also works hard to try and prevent them from happening. They do this by providing training documentation for data controllers and processors.
One example of this is the Employment Practices Code. It is a great way for employers to check that their processes comply with data protection legislation.
Can Employers Be Reported For Breaches Of GDPR Rules?
You can ask the ICO to investigate any concerns you have about a data breach, but should only do so after you’ve contacted your employer about it. If you receive a response from a formal complaint that you’re not happy with, you could escalate it to the ICO.
They will check that you’ve logged your complaint and received a written response before allowing you to proceed. Their advice is that you should make a complaint to the ICO before 3 months have passed since your employer’s final response.
Employee Data Breach Claims Against Unilever: Compensation Calculator
When you make a compensation claim for a data breach, you can base it on two different elements:
- Any injuries you’ve sustained due to the breach (non-material damages).
- Financial losses caused by the data breach (material damages).
An important trial in the UK provided some guidance on these types of claims. During the hearing of Vidal-Hall and others v Google Inc [2015], the Court of Appeal held that:
- Claimants can be compensated if it is found that the data breach caused psychological injuries. They don’t have to have suffered a financial loss because of the data breach to claim this.
- Where payments are made, the amount should be decided as they are for personal injury claims.
To show you what amount of compensation could therefore be awarded, we’ve listed some figures from the Judicial College Guidelines (JCG) in the table below. The JCG is a publication solicitors may use to value injuries.
These figures are provided just for guidance at this point. If you use the services of a data breach lawyer, they should be able to provide a more accurate estimate.
Injury (Psychological) | Level of Severity | Compensation Bracket |
---|---|---|
Psychiatric Injury (General) | Severe | £51,460 to £108,620 |
Psychiatric Injury (General) | Moderately Severe | £17,900 to £51,460 |
Psychiatric Injury (General) | Moderate | £5,500 to £17,900 |
Psychiatric Injury (General) | Less Severe | Up to £5,500 |
PTSD | Severe | £56,180 to £94,470 |
PTSD | Moderately Severe | £21,730 to £56,180 |
PTSD | Moderate | £7,680 to £21,730 |
PTSD | Less Severe | Up to £7,680 |
To prove the extent of your injuries, and that they were caused or worsened by the data breach, you will require a medical assessment as part of your claim. This will be used to show what injuries have already been caused and explain if your suffering will continue in the future.
The assessment will be performed by an independent medical expert. They will use a series of questions and review any medical records to reach their conclusion. Once they have finished, they’ll provide a report that sets out their findings. This report can help when valuing the compensation for your condition.
No Win No Fee Employee Data Breach Claims Against Unilever
As many people worry about the cost of hiring a data breach solicitor, many lawyers offer No Win No Fee services. Essentially, if your case wins, the solicitor would take their fee, but if not, they wouldn’t. It helps to reduce the financial risk of funding a solicitor.
Importantly though, a solicitor will need to check your case is suitable before you’ll be accepted as a client. If your case is deemed to be strong enough, you will receive a Conditional Fee Agreement (the formal term for a No Win No Fee agreement). This contract shows you that you will only pay your solicitor for their work if you are compensated.
Where a positive outcome to your case is achieved, your solicitor will retain a small percentage of the compensation. This success fee percentage is listed within your No Win No Fee agreement so you’ll know how much it is right from the start of your claim. Also, such fees are capped by law.
If you have evidence of a valid claim and would like to see if a No Win No Fee data breach solicitor might take your case on, you could ask Legal Expert by clicking one of their banners on this page.
Related Guides
In this part of our guide exploring what validates potential employee data breach claims against Unilever, we’ve added further resources that you might find helpful.
Asking For Copies Of Your Data – Advice from the ICO about how to request copies of the information a company holds on you.
Dealing With Problems At Work – Some helpful guides from Acas on trying to resolve workplace issues.
Data Breaches By An Employer – This guide explains the process of claiming if you’ve been harmed by a breach caused by your employer.
HSBC Employee Data Breaches – This guide explores how employees of a bank could claim if they have evidence of mental suffering or financial loss.
NHS Staff Data Breach Claims – A look at the process NHS employees need to use if they’ve been affected by a data breach.
FAQs About Employee Data Protection Breaches
Thanks for reading about claiming for an employee information data breach. As we have almost reached the end of our guide, we’ve provided answers to some common questions below.
What happens if you breach data protection at work?
As an employee, you should abide by your company’s data protection policies and the GDPR. If you break the rules, you could face the appropriate consequences from your employer. Subsequently, if your employer is a data controller or processor, they could be investigated and fined by the ICO.
Can you be sacked for breaching data protection?
The ICO does not get involved with employment issues. Each company is different, so it’s best to contact your HR department to discuss what consequences you may face.
Can I sue my employer for a data breach?
If identifiable information about you held by your employer is unlawfully disclosed, lost, destroyed, altered or accessed illegally, you could have grounds to begin a claim. That is, suing your employer could be possible if you can prove you suffered psychological injuries. Furthermore, you could claim financial losses caused by the data breach if you can evidence them.
Thank you for reading this guide exploring the concept of employee data breach claims against Unilever.
Guide by HAM
Edited by VIC