Happy Birthday! How a Data Protection Breach Could Ruin Your Day

17.11.21 02:19 PM Comment(s) By Phillip

This article addresses the following questions: When you wish an employee a happy birthday, does it breach data protection rules? And if so, what can you do to avoid a breach?


All our lives, we celebrate other’s birthday with the best of wishes. Birthday cards are sent, flowers are sent to their offices or home, sometimes cake is also presented on their desk to make the celebration exceptional. This is possible because the colleagues would know the birthday dates of other colleagues. However, how does it happen that celebrations become an issue in light of Article 9 of the GDPR which prohibits processing personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person , data concerning health or data concerning a natural person’s sex life or sexual orientation? We will explore this further.


It is legal to process date of birth when it is required by law, but under the GDPR it is also legal to process it for any other legitimate reason.


An employee's date of birth is part of the key data that the company uses to identify its employees. Why shouldn't it also be used to send birthday greetings?


According to the GDPR, the processing of personal data is generally prohibited unless a specific legal permission exists (Article 6(1)). In addition, the principle of purpose limitation (Article 5(1)b) must be respected. This limits how an organization processes the birthdate to only what is necessary for that specific purpose. Also, according to the GDPR, personal data may not be processed in a way that is incompatible with the purposes for which they have been collected.

The use of the date of birth for congratulatory purposes is not necessary for execution of the employment relationship. This may be an employer's way of respecting its duty of courtesy, but it is not necessary. The use of a date of birth for congratulatory purposes is entirely optional and may even be considered as undue and unnecessary information given to another person.


You will need employees’ consent to wish them happy birthday


If an employer wants to congratulate employees on their birthdays and comply with data protection regulations, ultimately the only option is to obtain the employee’s consent in advance (Article 6(1)a GDPR). Employers must ensure that the employee knows that they intend to send them a birthday message for this purpose. However, there is an exception: according to §26 paragraph 2 sentence 2 BDSG consent may be voluntary if the employer and employee are engaged in similar interests.



It may seem odd, but the result cannot be denied: congratulating an employee on his or her birthday is data processing that requires the employee's prior consent in the absence of any other relevant statutory provision. The same applies to similar occasions such as weddings and anniversaries of employees as well. To ensure compliance with data protection requirements, you must get the employee's consent in advance. Otherwise, you can only hope that congratulating an employee will remain a cause for celebration and not a reason to involve the data protection authorities.

Share -