This article addresses an interesting issue in the field of personal data protection within employment relations, which was examined in the judgment of the Belgrade Court of Appeals, Gž1 2367/24, dated July 18, 2024.
The court held that delivering salary slips via email to a work email address constitutes a violation of the employee’s right to personal data protection if another employee could access the email account, and if the employee concerned had not given consent for the salary slips to be delivered in that manner.
Relevant Regulations
The Labor Law stipulates that salary or salary compensation calculations may be delivered to the employee in electronic form.
It also provides that personal data relating to an employee may not be made available to third parties, except in cases and under conditions prescribed by law, or when necessary for the exercise of rights and obligations arising from or related to the employment relationship.
Furthermore, personal data may be collected, processed, used, and disclosed to third parties only by an employee authorized by the company director.
The Personal Data Protection Law defines a personal data breach as a breach of data security that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
This law also requires that any data processing must be based on one of the legal grounds provided, one of which is the consent of the data subject.
Factual Background
For a period of several months, an employee received salary slips delivered by another employee performing administrative duties for the employer, whose job description included delivering documentation.
By a decision of the Commissioner for Information of Public Importance and Personal Data Protection, issued in connection with this case, the employer received a warning for delivering the salary slips to a work email address accessed by two employees (the employee concerned and another employee – the witness).
According to the witness testimony, both he and the concerned employee had access to the said work email, that the employee had agreed to that arrangement, and that the witness was not using the email account during the time when the salary slips were sent.
The employee first raised the issue internally with the employer, who issued a decision on the matter. Subsequently, the employee filed a lawsuit seeking:
First-Instance Decision
Based on the conclusion that the administrative employee responsible for delivering documentation could be considered an authorized person, and that the other employee sharing the email account was not using it during the relevant period, the court held that none of the actions described by the plaintiff constituted a breach of personal data security involving accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.
Accordingly, the court rejected the plaintiff’s claim in its entirety as unfounded.
Appellate Decision
The second-instance court upheld the finding that the administrative employee could not be considered unauthorized since delivering documentation fell within her job description. Therefore, the plaintiff’s claim regarding the alleged violation of his right to data protection by delivery through an unauthorized person was deemed unfounded.
The court further stated that the absence of a specific written authorization from the director for delivering salary slips was irrelevant, as the applicable regulations did not require such special authorization.
However, the appellate court overturned the first-instance decision in the part of the claim concerning the delivery of salary slips via a work email without written consent and confirmation of receipt, which allegedly made the data accessible to another employee. It also annulled the employer’s decision in this regard. The case was returned to the first-instance court for retrial, with instructions for further proceedings.
Conclusion
Delivering salary slips to employees via email undoubtedly simplifies, speeds up, and - in large organizations - reduces the cost of fulfilling this legal obligation. However, employers must consider all aspects of this practice, one of the most important being personal data protection, especially considering the sensitivity of the data included in salary slips, such as salary amounts.
As the court emphasized in its reasoning, the fact that the email account was used only by the plaintiff during the relevant period does not eliminate the violation if another employee had the ability to access it and the employee had not consented to receiving salary slips in that manner.
Therefore, the court holds that such a method may constitute a violation of the employee’s right to personal data protection. Accordingly, this issue should be regulated through internal policies aligned with legal requirements, and appropriate training should be provided to employees who handle personal data as part of their regular job duties.
Author:
Borinka Dobrnjac, Senior Associate
Email: borinka.dobrnjac@prlegal.rs