Well, this is where GDPR comes to help.
The employer - controller of our personal data - has an obligation to keep the information they collected about you confidential. Is only the employer bound by it? Well, no. Anyone in business who obtained our personal information, such as on our health, should keep it secret.
Our ancestry, political views, religious beliefs, philosophical beliefs, the state of our health (mental and physical), sexual orientation, etc. are so-called sensitive data, or data concerning our private life. Hence GDPR protects them in a special way - by prohibiting their processing (with certain exceptions). Such data can only be processed by people who have written authorisation from the employer to process them. They must keep the entrusted data confidential - they cannot share it with, for example, a colleague at work or after work.
Remember that sensitive data interfere very deeply into our privacy, and their disclosure to colleagues can carry a whole lot of consequences, such as damaging the atmosphere at work, negatively affecting the perception of the person whose data have been disclosed, becoming a reason for discrimination, or even leading to identity theft. Therefore, it is extremely important that sensitive data be properly secured to prevent them from falling into the wrong hands.
But it happened - data disclosed, everyone already knows, for example, what is wrong with us. What now?
Once you realise that your data have been leaked, in addition to having the right to demand an explanation from your employer regarding the leak, you should notify the employer's data protection officer. A data protection officer is a person who assists the employer (the controller of our data) in all matters associated with the protection of personal data. They are also the contact person for employees on matters involving the processing of their personal data. You can expect the Data Protection Officer to:
- review your case and give you answers to your questions,
- explain your rights under GDPR,
- advise you on actions you should take,
- verify the employer's conformity with regulations on personal data,
- recommend specific actions to the employer, upon detecting a data breach, and then to investigate whether these actions have been carried out.