The Czech Data Protection Office (Úřad pro ochranu osobních údajů) has published its annual performance report for 2022. This article summarizes some of the data protection authority's findings in the area of employment relationships.
In its latest annual report for 2022, the Czech data protection authority (hereinafter the “DPA”) describes the findings from various reviews and audits triggered by complaints which were brought by employees who felt their (former or current) employer had violated the General Data Protection Regulation (“GDPR”).
According to the published report, employees fairly often complain that their employer, acting as data controller, has failed to answer requests made by (current or former) employees in the exercise of their rights under GDPR. The DPA found that the most frequent complaint concerns requests by data subjects for erasure of their personal data.
Pursuant to Art. 17 GDPR, a data subject (i.e., the employee or former employee) has the right to demand that the data controller (i.e., the employer) erase personal data relating to that data subject without undue delay. This is mirrored by an obligation on the part of the data controller to carry out the erasure without undue delay if one of the grounds listed in Art. 17 (1) GDPR applies. In employment matters, the relevant ground will typically be that the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed by the data controller (Art. 17 (1) (a) GDPR).
In the annual report, the DPA notes that in the majority of cases, bringing the wrongdoing to the employer's attention in an official reminder was enough to make the employer finally respond to the petitioner, usually explaining why it had initially failed to respond to the request and offering a formal apology. Provided that the data controller reacted promptly and remedied the situation, the DPA saw no reason to initiate administrative proceedings against it.
Among the other offenses committed by employers according to the DPA's annual report was the failure to deactivate the company e-mail accounts of terminated employees. Here, the DPA criticized the continued processing of personal data in the form of the e-mail address itself: such an address is usually composed of the first and last name of the affected employee and, together with the data controller's domain, constitutes personal data attributable to the account holder, which may only be processed if a legal basis within the meaning of GDPR exists. In some cases, e-mail accounts of former employees were not deactivated out of sheer negligence; in other cases, however, the DPA found that incoming e-mail messages were deliberately forwarded to other employees and the accounts were still being monitored. In the view of the DPA, this may even constitute a breach of the privacy of correspondence. In such cases, the DPA advised the data controller of the possible breach of GDPR and informed the affected former employees of their right to compensation for any harm they may have suffered.
As can be seen, the DPA encounters employee complaints about employers' non-compliance with their duties as data controllers under GDPR on a fairly frequent basis. All told, it is advisable to have an effective data protection regime in place so that requests and complaints from data subjects exercising their rights under data protection law can be answered swiftly. The DPA's supervisory activities indicate that employers who quickly remedy their own offenses may avoid formal administrative proceedings. If you receive complaints from current or former employees, you should always respond and make sure that all of your obligations as an employer under GDPR have been fulfilled.
Annual report of the Data Protection Authority for 2022