Annual tax settlement: how to protect sensitive employee data

JUDr. Ondřej Preuss, Ph.D.
27. February 2026
9 minutes of reading
Tax law

The annual tax settlement is not only an administrative peak each year, but also a stress test for data protection. For the 2025 settlement, the deadline falls on Monday 16 February 2026. It is on these days that the largest volume of sensitive documents (mortgages, interest, donations, family situations) flows through companies. But GDPR requires more than “discretion”: controlled access, clear instructions, secure channels and traceable processes.

GDPR, employees' personal data

Quick overview

The annual tax return means dealing with extremely sensitive personal data of employees (financial obligations, family situation, deductions). Employers must set up processes to ensure data integrity and confidentiality: collect only necessary documents, limit access to need-to-know individuals, use secure sharing, and have storage and shredding rules. The GDPR also requires that those with access process data only at the direction of the employer and that security is appropriate to the risk.

“Mid-February” as a stress test: deadlines and data volumes

Most employers view the annual accounts as a “deadline” and a payroll marathon. However, from a privacy perspective, this is the period when the largest volume of documents that do not normally circulate in the workplace is concentrated in the organisation. Employees typically apply for annual settlements (and document claims for discounts and tax-free amounts) by mid-February. In addition, the Income Tax Act states that the taxpayer (the employer, as payer of the tax) will not carry out the annual settlement if the employee does not submit the necessary documents by the statutory deadline.

Employers often treat the annual settlement mainly as a deadline and an administrative matter. But in reality, it is also the period when the most sensitive personal data circulates in the company – which is why there needs to be clear rules about who accesses what and how documents are handed over.

Recommendation for practice: plan annual reconciliations as a process. Create a single point of receipt, set the format (digital vs. paper), designate responsible persons and expect to receive a large number of attachments in a short window. It is the volume and time pressure that tend to trigger errors: unwanted copies, sending to the wrong recipient or ‘temporary’ storage in inappropriate places.


What’s sensitive about the annual accounts: it’s not just about birth numbers

It is common to find information in the annual accounts documents that is more intimate to the employee than the normal payroll. It’s not just about identification and income levels, but about a ‘privacy map’: marital status, children and claiming tax benefits, information about donations, insurance, pension products – and most importantly, finances and liabilities.

Typical examples are documents relating to non-taxable amounts: for example, receipts for interest paid on a mortgage or building society loan (and sometimes information on whether and to what extent another person claims the interest deduction). In practice, this means that payroll (and sometimes HR) can see significantly more into an employee’s private life than the employee realises.

Legally, it is important not to succumb to the impression that “since the employee brought it up, we can deal with it any way we want.” The GDPR works with the principle of integrity and confidentiality: data should be processed in such a way that it is protected from unauthorised access, accidental loss or disclosure. This doesn’t just apply to hackers – the risks are often internal: a colleague “helping” without permission, a shared folder with overly broad permissions, a printed receipt left on a printer, or forwarding an email to a private address to work from home.

In addition, employees usually hand over documents under time pressure. The more complex the process, the greater the pressure for “quick fixes”. And quick fixes are exactly what generate trouble in data protection. That’s why it makes sense to view the annual settlement as a “season of heightened risk” and adjust rules, access rights and technical tools accordingly in advance.

Tip for article

The annual tax settlement is the easiest way for employees to have their payroll tax settled through their employer and to get back any overpayment of allowances and deductions. In our article, we explain who can apply for an annual tax clearance for 2025 and when you need to file your tax return.

GDPR is not enough to say no: guidelines, roles and minimisation in payroll practice

GDPR is not just about “payroll is discreet”. Data protection law translates into specific obligations for employers as data controllers: to set up processes to demonstrate that data is processed securely and only to the extent necessary.

First: whoever has access to the data must only process it on the instructions of the controller (typically the employer), unless the processing is directly mandated by law. In practice, this means having clearly defined roles (who collects, who controls, who accounts, who archives) and not allowing “ad hoc” approaches such as “HR will see if it fits”.

Second: the employer has an obligation to put in place appropriate technical and organisational measures according to the risks, including encryption or other security mechanisms, and to be able to justify why it has chosen that level of protection. Annual clearing is a typical situation where the risk is higher (concentration of documents, time pressure, more people in the process).

Third: stick to minimisation. The collection of documents should be set up in such a way that no extra information is “piled on”. Specify in internal guidelines that the employee should not send entire contracts (e.g. loan agreements) if a confirmation from the bank is sufficient. Allow the employee to safely black out sensitive passages that are not relevant to the purpose (as long as this does not make it impossible to check the claim). And for paperwork, deal with copies: if you don’t need a copy, don’t make a copy.

With annual accounts, it’s easy for documents to end up circulating by email or lying printed on a desk. But GDPR requires controlled access, demonstrable guidelines and secure processes – even within the business.

Practical checklist: how to set up collection, storage and shredding (to make it work)

The good news: data protection in annual clearing can be significantly improved without expensive projects. The key is to remove improvisation and make the process a “controlled corridor”.

1) Single point of receipt of documents. Choose a single channel: a secure HR/payroll portal, a controlled folder, or a data-secure form. If it must be email, at least set a “to a designated address only” rule, ideally with encrypted transmission and limited access to the mailbox.

2) Need-to-know access. Access to documents should not be “all of HR”. Set access rights by role: collection ≠ inspection ≠ clearing ≠ archiving. GDPR requires that unauthorised disclosure is prevented and that data is handled securely.

3) No free copying. For digital documents, keep an eye out for copies being made on the desktop, in personal clouds or in chat apps. For paper, minimize printing and address “printer incidents” (a document forgotten in the output tray).

4) Document work records. For higher risks, it pays to have traceability: who opened the document, when, where it is stored, who deleted it. It’s not about spying on employees, it’s about being able to retrospectively investigate the incident and demonstrate that you have the process under control.

5) Retention and shredding time. Annual reconciliations must not end up “in the file cabinet forever”. Set retention rules: what you archive, for how long, where, who has access, and when shredding (paper) or secure deletion (digital) takes place. Attach a simple internal directive so that the process can be repeated the same way every year.
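The following is an added example, not code from the original article or from the author's firm: a small Python model of the “controlled corridor” described in points 1, 2, 4 and 5 above. It enforces one intake channel, gives each role only the actions its step of the process needs, records every access attempt (including denied ones) in an append-only audit trail, and deletes archived documents once an assumed retention period has run out. All roles, people, document contents, dates and the 30-day retention period are constructed for illustration and are not taken from the article or from any statute.

```python
"""Added example, not code from the original article: a toy 'controlled corridor'
for annual-settlement documents. Every role, person, document and date here is
constructed for illustration; the retention period is an assumption."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Separation of duties from point 2: collection != inspection != clearing != archiving.
# A role is granted only the actions its step of the process needs (need-to-know).
PERMISSIONS: dict[str, frozenset[str]] = {
    "collector": frozenset({"intake", "list"}),
    "reviewer": frozenset({"list", "view"}),
    "payroll": frozenset({"list", "view", "clear"}),
    "archivist": frozenset({"list", "archive", "delete"}),
}


@dataclass
class Document:
    doc_id: str
    employee: str
    kind: str                   # e.g. "mortgage_interest_confirmation"
    received: date
    content: str                # stands in for a reference to encrypted storage
    cleared: bool = False
    archived_on: date | None = None


@dataclass(frozen=True)
class AuditEntry:
    when: date
    actor: str
    role: str
    action: str
    doc_id: str
    allowed: bool


class DocumentVault:
    """Single point of receipt (point 1), role-based access (point 2),
    append-only audit trail (point 4) and retention-driven deletion (point 5)."""

    def __init__(self, retention_days: int) -> None:
        self.retention = timedelta(days=retention_days)
        self.docs: dict[str, Document] = {}
        self.staff: dict[str, str] = {}      # actor -> exactly one role
        self.audit: list[AuditEntry] = []    # only ever appended to

    def assign_role(self, actor: str, role: str) -> None:
        if role not in PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.staff[actor] = role

    def _authorise(self, actor: str, action: str, doc_id: str, today: date) -> None:
        # Every attempt is logged, denied ones included, so an incident can be
        # reconstructed afterwards and unauthorised "helping" becomes visible.
        role = self.staff.get(actor, "unassigned")
        allowed = action in PERMISSIONS.get(role, frozenset())
        self.audit.append(AuditEntry(today, actor, role, action, doc_id, allowed))
        if not allowed:
            raise PermissionError(f"{actor} ({role}) may not {action} {doc_id}")

    def intake(self, actor: str, doc: Document, today: date) -> None:
        self._authorise(actor, "intake", doc.doc_id, today)
        if doc.doc_id in self.docs:
            raise ValueError("duplicate document id")  # no second copy of a document
        self.docs[doc.doc_id] = doc

    def view(self, actor: str, doc_id: str, today: date) -> str:
        self._authorise(actor, "view", doc_id, today)
        return self.docs[doc_id].content

    def clear(self, actor: str, doc_id: str, today: date) -> None:
        self._authorise(actor, "clear", doc_id, today)
        self.docs[doc_id].cleared = True

    def archive(self, actor: str, doc_id: str, today: date) -> None:
        self._authorise(actor, "archive", doc_id, today)
        if not self.docs[doc_id].cleared:
            raise ValueError("only cleared documents are archived")
        self.docs[doc_id].archived_on = today

    def purge_expired(self, actor: str, today: date) -> list[str]:
        """Delete archived documents whose retention period has run out."""
        purged: list[str] = []
        for doc_id, doc in list(self.docs.items()):
            if doc.archived_on is not None and today - doc.archived_on >= self.retention:
                self._authorise(actor, "delete", doc_id, today)
                doc.content = ""             # stands in for secure erasure of the stored object
                del self.docs[doc_id]
                purged.append(doc_id)
        return purged

    def access_history(self, doc_id: str) -> list[AuditEntry]:
        """Who did what with one document, for retrospective investigation."""
        return [e for e in self.audit if e.doc_id == doc_id]

    def denied_attempts(self) -> list[AuditEntry]:
        return [e for e in self.audit if not e.allowed]


def demo() -> dict[str, object]:
    """Walk one constructed document through the corridor; all data is made up."""
    vault = DocumentVault(retention_days=30)   # assumed retention, for the demo only
    for actor, role in [("collector@corp", "collector"), ("payroll@corp", "payroll"),
                        ("archive@corp", "archivist"), ("colleague@corp", "collector")]:
        vault.assign_role(actor, role)
    day0 = date(2026, 2, 10)
    doc = Document("DOC-1", "EMP-42", "mortgage_interest_confirmation", day0,
                   "interest paid 2025: 41 200 CZK (constructed)")
    vault.intake("collector@corp", doc, day0)
    vault.view("payroll@corp", "DOC-1", day0)
    vault.clear("payroll@corp", "DOC-1", day0)
    try:  # a collector tries to "help" by reading the content: denied and logged
        vault.view("colleague@corp", "DOC-1", day0)
    except PermissionError:
        pass
    vault.archive("archive@corp", "DOC-1", day0 + timedelta(days=5))
    purged_early = vault.purge_expired("archive@corp", day0 + timedelta(days=20))
    purged_late = vault.purge_expired("archive@corp", day0 + timedelta(days=40))
    return {
        "history": [(e.actor, e.action, e.allowed) for e in vault.access_history("DOC-1")],
        "denied": [(e.actor, e.action) for e in vault.denied_attempts()],
        "purged_early": purged_early,
        "purged_late": purged_late,
        "remaining": sorted(vault.docs),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the two properties the checklist asks for: the colleague's attempt to read a document outside their role appears in the audit trail as a denied event, and the document is deleted only after it has been cleared, archived and held for the full retention period, with the deletion itself logged to the archivist who performed it.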

Payroll outsourcing, cloud and incidents: contracts and readiness make the difference

Many employers today outsource payroll or use external payroll/HR systems. This is common, but from a GDPR perspective, this adds another layer of obligations: to clearly set up the controller-processor relationship and security standards.

If an outsourced supplier processes your employees’ personal data on your behalf, they typically act as a processor and you must have an appropriate GDPR contract in place. This should cover, among other things, the subject matter and duration of processing, types of data, obligations of the processor, confidentiality of individuals, security measures, subcontractor regime and conditions for erasure/return of data after the end of the service.

For annual settlements, think of two practical situations:

  1. The contractor needs access to documents. Address how they are forwarded to the contractor (not “email with attachments”), where they will be stored, and who has access on the contractor’s side. Ideally, this should be in a role-managed system, not ad hoc sharing.
  2. Incident (leak, mistake, loss). This is where it really counts: who evaluates the incident, who communicates with the OIG and staff, what the timeframes are, how the scope is tracked. Even if the breach occurs “only” internally (e.g. wrong recipient), it is still a security incident and your processes must be able to catch, stop and document the situation.

Finally: remember that accountants often work from home. If you allow this, set a minimum standard (corporate devices, VPN access, no personal storage, automatic screen locking, secure deletion of temporary files). In practice, this tends to be the biggest weak point – and the easiest to fix with rules and training.

Summary

The annual tax return is an annual ‘season’ of increased administration and a time when employers process employees’ most sensitive personal data. This includes not only identification and payroll data, but also the basis for deductions and discounts that may reveal family circumstances, donor status, and especially financial obligations (e.g., mortgage interest). It is the combination of large volumes of documents, time pressure and multiple people in the process that creates the typical risk of errors: extra copies, sharing via email, loose files or printed documents left unattended.

Meanwhile, the GDPR requires that data be processed in a way that ensures integrity and confidentiality and that those with access only process data at the direction of the employer. The controller should have appropriate technical and organisational measures in place that are appropriate to the risk and be able to demonstrate that the processes are working.

In practice, this means: unifying the point of receipt of documents, limiting access to ‘need-to-know’, using secure channels and controlled storage, minimising copies, setting retention rules and shredding. For outsourced payroll, it is essential to contractually address the role of the processor and security standards. And because incidents most often happen at speed, it pays to have a simple process for catching and resolving them. Then annual settlements stop being an annual impromptu exercise – and become a repeatable process that protects both employees and employers.

Frequently Asked Questions

Can an employer refuse an annual settlement if an employee fails to submit documents on time?

Yes. If the employee does not submit the necessary documents by the deadline, the taxpayer (the employer, as payer of the tax) will not make the annual settlement.

When is the deadline for submitting the annual statement of accounts?

Normally by 15 February after the end of the tax year; if this day falls on a weekend/holiday, it is moved to the next working day.

Is it enough for a payroll accountant to "maintain discretion"?

No. The GDPR also requires controlled access, clear instructions and reasonable technical and organisational measures to protect data from unauthorised access or disclosure.

What is the most common problem in practice?

Uncontrolled transfer of documents (email, chat, personal storage), overly broad access rights and unnecessary copies (prints, scans, forwarding).

When payroll is processed by an external company or a cloud-based system, what do we need to have?

Contractual treatment of the processor’s role under the GDPR (typically a processing contract) and set security standards, including working with subcontractors and the data erasure/return regime.

What is the minimum set up for the company to reduce risks this year?

One secure channel for document collection, limiting access to “need-to-know”, prohibiting storage in personal repositories, rules for printing and shredding, and a simple incident handling procedure.


Author of the article

JUDr. Ondřej Preuss, Ph.D.

Ondřej is the attorney who came up with the idea of providing legal services online. He's been earning his living through legal services for more than 10 years. He especially likes to help clients who may have given up hope in solving their legal issues at work, for example with real estate transfers or copyright licenses.

Education
  • Law, Ph.D, Pf UK in Prague
  • Law, L’université Nancy-II, Nancy
  • Law, Master’s degree (Mgr.), Pf UK in Prague
  • International Territorial Studies (Bc.), FSV UK in Prague
