Is an employee's salary considered personal data?

15.08.2022 | Author: Top privacy, s.r.o.

Every employer processes wages for their employees as part of their agenda. From the perspective of personal data protection, the purpose of processing wages as personal data about employees is to fulfill the employer's legal obligation to provide employees with wages for work performed.


Section 130(5) of Act No. 311/2001 Coll., the Labor Code, as amended (hereinafter referred to as "Act No. 311 Coll. Labor Code"), stipulates that "when settling wages, the employer is obliged to provide the employee with a document containing, in particular, information on the individual components of the wage, ..." – the so-called payslip. The payslip shall be provided in writing unless the employer and the employee agree to provide it by electronic means. The sending of payslips by email (by electronic means) was the subject of a recent decision by the Office for Personal Data Protection of the Slovak Republic (hereinafter referred to as the "Office").

In its recent decision, the Office stated that an employee's salary and its individual components (fixed or variable, e.g. bonuses) are also considered personal data for the purposes of employment relationships. Such data can be used to determine an employee's economic identity. The Office dealt with the processing in question and the nature of the data on the basis of a complaint lodged by an employee (hereinafter referred to as the "complainant") against the controller.

The complainant, who was an employee of the controller – a church legal entity – received payslips for April, May, and June 2020 at his private email address. The controller sent the payslips in a manner that did not ensure the confidentiality of the attachments containing the complainant's personal data. In other words, the controller did not secure the email attachments with a password or other means of protection so that only the authorized person, the complainant to whom the attachments were intended, could access their content. By doing so, the controller violated one of the fundamental obligations of a controller arising from the principle of confidentiality within the meaning of Article 5(1)(f) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the "GDPR"), namely the obligation to ensure that personal data are processed in a manner that guarantees their adequate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. Although the controller had such measures properly incorporated into its internal guidelines, it acted in violation of them.

In connection with the above, the Office also pointed out that the controller had the option of choosing another secure means of communication, namely registered mail addressed to the complainant, as the controller had his mailing address. By using this option, the controller would have fulfilled its legal obligation under Act No. 311 Coll. Labor Code, as well as its obligation under Article 39 of the GDPR, which states that personal data should be processed in such a way as to ensure appropriate security and confidentiality of personal data, including preventing unauthorized access to personal data and to the equipment used for processing, or unauthorized use of such data and equipment.

In his submission, the complainant also objected that he had never been informed by the controller of his rights under Articles 12 to 23 of the GDPR, which the controller itself was unable to refute. The complainant had been sent a document entitled "Consent to the processing of personal data", which he refused to sign and which the controller used to argue that it had fulfilled its obligation under Article 13 of the GDPR. The controller did not demonstrate compliance with the obligation under Article 13 of the GDPR by claiming that each employee is informed in accordance with the GDPR before being hired, nor by referring to published information on the processing of personal data on the controller's website (as the link on the website did not lead to the information required by the GDPR). In its decision, the Office emphasized that it is the controller who must proactively fulfill this obligation in accordance with the GDPR, regardless of whether the data subject has expressed an interest in this information or not. The timely provision of information and easy access to it are important elements in demonstrating the transparent processing of personal data.

When imposing the fine, the breach of the principle of confidentiality within the meaning of Article 5(1)(f) of the GDPR was assessed as the more serious breach of personal data protection by the controller. The nature and severity of the breach, where a breach of a fundamental principle of processing, namely the principle of confidentiality, was found, was assessed as an aggravating circumstance. Another aggravating circumstance was the manner in which the Office became aware of the breach, namely on the basis of a complaint. Mitigating circumstances were also taken into account, namely that no previous breaches of the GDPR had been recorded in relation to the controller, that the breach in question concerned only the complainant, and that no harmful consequences were found that would directly affect the complainant or threaten his private or family life. Another mitigating factor was that the controller did not obtain any financial or non-financial benefit from the breach. In this case, the Office imposed a fine of €200 on the controller.

