9 Most Common Misconceptions of Employers on Personal Data Protection


GDPR Standards Finally in Serbia

Since the EU General Data Protection Regulation (GDPR) entered into force, there has been an ongoing debate about whether and how it applies in Serbia. Because the territorial scope of the GDPR is defined very broadly, many have assumed that it applies whenever data is collected from a person who holds the citizenship of an EU member state. (In fact, Article 3 of the GDPR turns on where the data subjects are, not on their citizenship.)

However, even if your company does not have to comply with the GDPR, you still have an obligation to review your internal procedures on personal data protection.

Video surveillance at the workplace, monitoring employees' e-mails, failing to notify employees that their personal data are being collected, monitoring social networks and poorly implemented BYOD (bring your own device) policies are just some of the questions that you, as an employer, must now reconsider in light of the tectonic changes to the Serbian legislative framework.

After many years of debate, the new Law on Personal Data Protection was adopted on October 21, 2018. Employers have only nine months to harmonize and prepare for it: the Law will apply from August 21, 2019.


Although the task force ignored the European Commission's critical comments, which we discussed in one of our previous blog posts, GDPR in Serbia – Ministry of Justice Got Lost in Translation – Again, the new Law nevertheless represents a significant step forward in the protection of personal data. It sets far higher data protection standards than Serbia had before, modelled on the EU General Data Protection Regulation (hereinafter: GDPR).

Significant attention is paid to the processing of employees' personal data by the employer, which is the area domestic companies most often ignore.

Practice has shown that employers hold a number of misconceptions about what is allowed and are, for the most part, unaware of their obligations regarding the protection of employees' privacy. For this reason, this post deals with the most common mistakes employers make and offers solutions in light of the new Law.

Misconception no. 1: My Company Does Not Process Personal Data

This is the first mistake most employers make. If the company's core business does not involve directly collecting personal data of third parties (as it would, for example, when collecting data about customers, clients or patients), companies in Serbia often do not deal with personal data protection at all.

The truth, however, is that every company processes personal data. Even if no third-party data is processed within the core business, there are certainly data about employees: every employer processes the personal data of its employees.

For example, name and surname, address, contact details, payroll bank account number, salary data, family status and so on are all personal data.

In addition, processing of personal data means any operation performed on data, such as collection, recording, use, analysis, storage or disclosure.

It is clear that an employee's personal data are being processed from the very first contact. Nor is this limited to employees: it also applies to prospective employees, whom employers often forget. In the context of this text, the term employee covers not only persons in an employment relationship but also interns, persons in professional practice or training, and persons who perform work outside an employment relationship.

All of this is processing of personal data, and the new Law on Personal Data Protection prescribes certain obligations in this respect. One of the basic obligations is to notify every employee that you are collecting their personal data before you start processing it.

Misconception no. 2: Employer Does Not Have to Notify Employees of Processing Their Personal Data

Incorrect. The employer must inform employees that their personal data are being processed, and the notice must contain all the elements prescribed by the Law. You must therefore tell employees what types of data you collect, the purpose of the processing, its legal basis, how the data are stored, whether they will be transferred abroad, the retention period, the employee's rights, and so on.

The processing must therefore be completely transparent: the employee must know exactly which data the employer processes and for what purpose.

Transparency and honesty are paramount. The best way to achieve this is to give each employee a written notice or to adopt a Personal Data Protection Policy. It is important to emphasize that the notice must be given beforehand, or at the latest when entering into the employment relationship, because an internal policy or rulebook is something the employee can only get acquainted with once they have started work.

If you have not yet fulfilled this obligation towards your current employees, you need to provide them with such a notice as soon as possible, and certainly before August 21, 2019, the date from which the new Law on Personal Data Protection applies.


Misconception no. 3: Employee Consent is Sufficient for the Processing of Personal Data

The mere fact that there are many technical possibilities for processing personal data does not mean that all of them are legally allowed. A legal basis is required for every instance of processing. Under the new Law there are six legal bases for processing personal data, and for the processing of employee data the employer has as many as four of them available. Employee consent is only one of those.

Moreover, employee consent is the weakest basis for data processing.

You must be wondering why this is so.

First, consent can always be withdrawn. If consent was the legal basis for the processing and the employee withdraws it, you no longer have the right to continue collecting the data.

Second, the advisory body that interpreted the GDPR [1], the Article 29 Working Party, went so far as to describe reliance on employee consent as misleading for the employee, and stressed that consent is, as a rule, an inappropriate basis for processing employee data.

When you think about it, this makes perfect sense. The employer has authority over the employee, who is in a subordinate position, so an employee's consent can hardly be considered freely given.

Third, consent is required only in exceptional situations, for example when you want to use your employees' photographs for marketing purposes (printed publications, the company website, etc.). Consent is required here because this is not necessary for the employment relationship itself and therefore cannot be justified on any other legal basis.

Fourth, when consent is given, it cannot be given in general for all processing, but only for specific, precisely defined processing. At the beginning of the employment relationship not every type of processing can be foreseen, so blanket consent in advance is not possible.

Misconception no. 4: Employer Can Freely Monitor Employees' Work

There are many ways an employer can monitor an employee's work, from video surveillance to control of communications. But is the employer completely free, with unlimited control? Of course not. If the processing is not transparent and there are no restrictions, there is a high risk that the employer's legitimate interest turns into unfair surveillance that infringes employees' privacy.

Let us look at the types of monitoring and the conditions under which each is allowed.


Misconception no. 5: Employer Can Freely Install Video Surveillance at Workplace

It is essential that you have a legitimate interest if you want to set up video surveillance. Do you want to secure your property? That can be a legitimate interest that outweighs the employees' privacy interest. However, you must always ask whether there is another tool that is less intrusive for employees' privacy and would still achieve the same goal. For example, point the camera at the front door only, not at the employees' work area.

Even if you have a legitimate basis for video surveillance, you still have to inform your employees about it.

Practice has shown that employers freely introduce video surveillance without any prior notice to their employees. Please note that after August 21, 2019 it will not be enough to display a sign indicating that the premises are under video surveillance; the notice will have to contain all the elements prescribed by the new Law on Personal Data Protection.

Also, it is not possible to justify CCTV in toilets or canteens, and it is difficult to justify video surveillance in the offices where employees perform their work. No legitimate reason could be found for such a thing, as it would turn the workplace into Big Brother's world from Orwell's novel.

It should be emphasized that employees' consent would not be a valid legal basis for video surveillance, as it would lead to paradoxical results: if even one employee withdrew consent, you would have to remove the surveillance everywhere. That is absurd, and so in such cases the legal basis for the processing, i.e. for the video surveillance, is not consent but another legally permitted basis. This is yet another confirmation that consent is the weakest basis for processing personal data.


Misconception no. 6: Employer Can Freely Check Employees' Emails

Business email is not private. This is the argument usually used in favor of misconception no. 6. Although employers can monitor communication through business email, the question is whether this control is unconstrained.

It is true that e-mails sent or received via a work email address are generally not considered private. The employer may monitor this communication, but only if there is a valid business reason for doing so. Many companies regulate this by giving employees written notice that their business email is not private and is subject to control by the employer. Even where no such written notice exists, however, this does not by itself mean that the employer's monitoring is illegitimate.

In any case, the employer should regulate these issues and inform the employees, so that everything is transparent. The body that interprets the GDPR [1] also points out that it is best to introduce appropriate procedures (for example, that employees keep copies of e-mails, or create a separate folder for private e-mails so that the employer does not accidentally read their contents). In this way the employer takes all necessary measures, and the basis for processing is the employer's legitimate interest rather than the employee's consent.

Misconception no. 7: BYOD Policy Does Not Restrict Employer’s Control

The BYOD (Bring Your Own Device) trend, in which employees use their own phones, laptops or tablets for work, is becoming more and more popular.

This raises a conflict of interests: protecting the employer's confidential data and monitoring employees' work on the one hand, and protecting the personal data of employees and their family members on the other.

The GDPR itself pays little attention to who owns the device; it puts the security of the data first.

This does not mean that you as an employer can stop worrying, because device ownership matters a great deal when the device holds data for which you are responsible. The GDPR treats data on an employee's personal device exactly as it treats data on a company computer, so consider carefully where your confidential information will be stored.

In any case, it cannot be legitimate to monitor employees through tools that count keystrokes, capture screen activity, record the webcam or listen through the microphone. Although such technologies are available, the invasion of privacy is too great to justify such controls, even when the equipment is owned by the employer.

If the employee rather than the employer owns the equipment, installing any tool for the above forms of supervision could even amount to a computer crime. The employer must ensure that its servers or applications do not inadvertently collect employees' personal data from such devices. You must also bear in mind the family members who may use the employee's device: monitoring them without their knowledge is a serious violation of privacy. Wherever monitoring is possible, you must inform the employee.


Misconception no. 8: Employer Has Full Control Over Employees' Mobile Phones

If you have provided your employees with an official phone number, you are the subscriber for that number. As such you can request a monthly call list and see every number the employee called and how long each call lasted. But what if the employee also uses the phone for private purposes? Have you then violated their right to privacy?

First of all, the employer may prohibit the use of official phones and official e-mail for private communication, but the employer has no right to prohibit an employee from a reasonable amount of private communication while at work.

As for recording employees' phone calls, the employer has this right only if communication with clients is part of the employee's job description, for example for employees working in a call center or in the company's technical support. Employees must also be informed of this in each instance, either through the contract or through a special notice.


Misconception no. 9: Employer Can Fully Control Employees on Social Networks

You may have wondered whether it is allowed to check the private social network profiles of candidates or employees.

As for candidates, neither the Law nor the GDPR [1] explicitly regulates this issue. However, the body that interprets the GDPR has published an opinion stating that such checks are possible under the following conditions:

1) Candidates must be informed that you will check their social network profiles (even if the profiles are public). For example, you could give them an appropriate notice when they apply for a job through your website.

2) The employer must have a legitimate basis to process such data.

3) The profile may contain information on the candidate's abilities and characteristics that is genuinely important for the employment or the performance of the job.

4) The employer must comply with all the principles prescribed by the GDPR.

Of course, this opinion is not binding. However, the recommendations of this body carry significant weight with the courts and other EU institutions that apply and interpret the GDPR. Since we have neither relevant case law nor authoritative interpretations of our own yet, we believe that Serbian courts and the competent state authorities will be guided by these opinions. It is therefore best for employers to start aligning their practices now, so that their conduct complies with both domestic and European rules.

As far as current employees are concerned, the same rules apply as for job applicants.

What about your employees' own use of social networks? It is best to adopt an appropriate rulebook governing the use of social networks by employees in order to guide their behavior. For example, you can regulate whether employees may express personal opinions related to your company's activity and, if so, under what conditions. You can also regulate whether and under what conditions employees may use social networks during working hours. Always keep in mind that outright prohibitions are not possible; the only thing you can do is try to guide your employees' behavior.

Of course, in all these cases you must not violate your employees' privacy, and you must process only those data for which there is a legal basis. Employees must always be informed in advance of any supervision and data processing. Otherwise, even where the ban concerns the use of social networks, telephones or other means of communication, the employer risks infringing the rights guaranteed by Article 8 of the European Convention on Human Rights.


Conclusion

From all of the above, we can draw a few very important conclusions.

Firstly, you must always follow the principles of necessity and proportionality in every instance of data processing. This means that the measures you use must be genuinely necessary and proportionate to the purpose you want to achieve.

Secondly, transparency and openness are necessary. Employees must be informed of any processing of data in a clear and comprehensible manner.

Thirdly, data processing must be fair to your employees.

Finally, if we have not yet persuaded you to harmonize your practices with the new Law, we remind you that fines for breaching its obligations go up to 2,000,000.00 dinars. It is up to you to decide whether that risk is worth taking.

[1] Article 29 Data Protection Working Party, Opinion 2/2017 on data processing at work. Available at: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051
[2] European Data Protection Supervisor, Access to e-communications data when an employee is absent. Available at: https://edps.europa.eu/data-protection/data-protection/reference-library/access-ecommunications-data-when-employee-absent_en
