Is an employee's salary considered personal information?

15.08.2022 | Author: Top privacy, s.r.o.

Every employer processes payroll for its employees as part of its routine operations. From a data protection perspective, the purpose of processing payroll—which constitutes personal data about employees—is to fulfill the employer’s legal obligation to pay employees for the work they have performed.

Section 130(5) of Act No. 311/2001 Coll., the Labor Code, as amended (hereinafter referred to as “Act No. 311 Coll., the Labor Code”), stipulates that “when settling wages, the employer is required to provide the employee with a document containing, in particular, information on the individual components of the wage, ...” – the so-called pay stub. The pay stub is provided in written form unless the employer and the employee agree on its provision by electronic means. It was precisely the sending of pay stubs by email (i.e., by electronic means) that was the subject of a recent decision by the Office for Personal Data Protection of the Slovak Republic (hereinafter referred to as the “Office”).

In its recent decision, the Office stated that, for the purposes of labor-law relationships, an employee’s salary and its individual components (fixed or variable, such as bonuses) also constitute personal data. It is personal data through which the employee’s economic identity can be determined. The Office examined the processing in question, as well as the nature of the data, on the basis of a complaint filed by an employee (hereinafter referred to as the “complainant”) against the data controller.

The complainant, who was an employee of the controller—a religious legal entity—received pay stubs for the months of April, May, and June 2020 at his private email address. The controller sent the pay stubs in a manner that did not ensure the confidentiality of the attached files containing the complainant’s personal data. In other words, the controller did not secure the email attachments with a password or any other means of protection, so that only the authorized person—the complainant, for whom the attachments were intended—could access their contents. By this action, the controller violated one of the fundamental obligations of a controller arising from the principle of confidentiality within the meaning of Article 5(1)(f) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the “GDPR”), specifically the obligation to ensure that personal data are processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures. Although the controller had properly incorporated such measures into its internal guidelines, it acted in violation of them.

In connection with the above, the Office also pointed out that the controller had the option of choosing another secure method of communication, specifically a registered letter delivered into the addressee’s own hands, since the controller had the complainant’s mailing address. By using this option, the controller would have fulfilled its legal obligation under Act No. 311 Coll., the Labor Code, as well as the obligation under Article 39 of the GDPR, which states that personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including preventing unauthorized access to, or use of, personal data and the equipment used for the processing.

In his complaint, the complainant also objected that he had never been informed by the controller of his rights under Articles 12 through 23 of the GDPR, a fact that the controller itself was unable to refute. The complainant had been sent a document titled “Consent to the Processing of Personal Data,” which he refused to sign and which the controller relied on to argue that it had fulfilled its obligation under Article 13 of the GDPR. The controller demonstrated compliance with the obligation under Article 13 of the GDPR neither by claiming that every employee is informed in accordance with the GDPR prior to employment, nor by referring to the information on the processing of personal data published on its website (since the link on the website did not lead to the information required by the GDPR). In its decision, the Office emphasized that the controller is the party that must proactively fulfill this obligation in accordance with the GDPR, regardless of whether the data subject has expressed an interest in the information. The timely provision of this information, as well as easy access to it, is an important element in demonstrating transparent processing of personal data.

In imposing the fine, the Office assessed the violation of the principle of confidentiality within the meaning of Article 5(1)(f) of the GDPR as the more serious breach of personal data protection by the controller. The nature and gravity of the breach, in which a violation of a fundamental principle of processing—the principle of confidentiality—was found, was treated as an aggravating circumstance. Another aggravating factor was the manner in which the Office became aware of the breach, namely through a submitted complaint. Mitigating circumstances were also taken into account: no previous breaches of the GDPR had been recorded in relation to the controller, the infringement concerned exclusively the complainant, and no harmful consequences were identified that would directly affect the complainant or threaten his private or family life. A further mitigating factor was that the controller derived no financial or non-financial benefit from the infringement. In this case, the Office imposed a fine of €200 on the controller.
