Office for Personal Data Protection imposes fine for excessive keeping of copies
Last year, the Office for Personal Data Protection dealt with a case of an employer who kept excessive copies of employee documents. This is common practice among employers who, for safety’s sake, make copies of all such documents. Nevertheless, this is against the law, as was confirmed by the office in the case in question. The inspected entity was fined CZK 180 000 for the ascertained breaches.
Employers are obliged to keep a personnel file for each employee. The file may only contain documents necessary for the employee’s work performance; yet, no specific list of such documents has been stipulated. At the same time, employers must observe legal regulations regarding personal data protection; namely, they may only keep copies of documents stipulated by law, and follow data adequacy and data minimisation principles.
In an inspection, the office ascertained that in personnel files, the employer kept copies of health insurance cards, extracts from the criminal register, cards stating bank account numbers, and other copies. It was also ascertained that the employer kept copies of birth certificates of some of the employees’ children, and scanned photographs of the employees. In its ruling, the office summarised that an employer is not generally authorised to keep copies of documents submitted for HR purposes; an employer may only make a note in the personnel file that the requested information was supplied by the employee, and by whom, when and based on what documents it was verified.
In the inspection, it was also discovered that the employer excessively retained copies of employees’ ID cards. This is only possible with the employee’s consent under the Act on Identity Cards. Even if the employer were to prove having obtained such consent, making a copy is only possible under the condition that all personal data be processed solely for the purpose stipulated by the employer. If the employer has not stipulated the specific processing purpose for retaining the personal data given in the ID, such as the employee’s photograph or their spouse’s name and surname, the employer is not authorised to process such personal data.
Finally, the office pointed out that the automated systems used by the employer for personal data processing did not have a logging feature, meaning that it was impossible to check when, by whom, and for what purpose the personal data had been recorded or otherwise processed; yet, the duty to keep electronic records of this is explicitly stipulated by law.
The inspection was carried out by the office based on previous legal regulations. However, in light of the GDPR, its conclusions remain applicable. As for the content of personnel files, let’s just say that in this case, the fewer documents, the better.