GDPR Standards and Law on Personal Data Protection
Since the EU General Data Protection Regulation (GDPR) entered into force in 2018, there has been an ongoing debate on the implementation of this Act in Serbia. Bearing in mind that the territorial validity of the GDPR is very broadly defined, many have considered it applicable whenever data is collected from a person who holds the citizenship of an EU Member State. We have tried to debunk that misconception in our blog post Territorial Scope of GDPR in Serbia, by stating the conditions your company needs to fulfill in order to comply with the GDPR.
However, even if your company does not have to comply with the GDPR, you unfortunately still have the obligation to review your company procedures pertaining to personal data protection.
Video surveillance at the workplace, monitoring employees’ e-mails, not notifying employees about collecting their personal data, monitoring social networks and improperly applying BYOD (bring your own device) policies are just some of the issues that, as an employer, you must bring into line with the rules regulating the protection of employees’ personal data.
In the Republic of Serbia, the Law on Personal Data Protection is in force. This Law was adopted on October 2, 2018, and entered into force on August 21, 2019 (the Law).
Although the task force ignored the negative comments of the European Commission, which we have mentioned in one of our previous blogs, GDPR in Serbia – Ministry of Justice Got Lost in Translation – Again, the Law nevertheless represents a significant shift in the protection of personal data. It sets far higher standards for data protection in Serbia than before, following the model of the GDPR.
Significant attention is paid to the processing of personal data of employees by the employer, which is the area most often ignored by national companies.
Practice has shown us that employers have a number of misconceptions about what is allowed when it comes to processing the personal data of employees, and that they are, for the most part, unaware of their obligations regarding the protection of employees’ privacy. Not knowing the obligations regarding the processing of employees’ personal data, and acting contrary to the obligations the employer has in this regard, can result in significant liability for the employer, as we could see in European practice in the case of H&M (Hennes & Mauritz) in Germany, which was fined 35.3 million euros for unlawful collection of employee personal data. Although not to this extent, the domestic law also contains penal provisions in case of non-compliance with the obligations it prescribes. For this reason, in this blog post we decided to deal with the most common mistakes employers make and to offer solutions in the light of the Law.
Misconception no. 1: “My Company Does Not Process Personal Data”
This is the first mistake that most employers make. If the company’s core business does not involve directly collecting personal data of third parties (for example, collecting data on customers, clients, patients, etc.), companies in Serbia often do not deal with the issue of personal data protection at all.
However, the truth is that every company processes personal data. If these are not the data of third parties within the core business of the company, surely there are data about the employees. Namely, each employer processes personal data of their employees.
For example, name and surname, address, contact details, payroll bank account number, data on earnings, family status, etc. All of this is considered personal data. In addition, “processing” of personal data means any action taken in relation to data, such as collection, recording, use, analysis, etc.
It is obvious that already at the first contact with an employee, their personal data are being processed… And this is not only the case with employees, but with prospective employees as well, who are often being forgotten by the employers. Also, under the context of this text, an employee is considered not only the person who is employed, but interns, persons in professional practice and training, as well as persons who perform work outside the work relationship.
All this is considered processing of personal data, so you must follow certain obligations that the new Law prescribes in this respect. One of the basic obligations is to notify all the employees about collecting their personal data before you start processing personal information.
Misconception no. 2: “Employer Does Not Have to Notify Employees on Processing Their Personal Data”
Incorrect. The employer must inform employees about the processing of their personal data. And not only that, but the notice must contain all the necessary elements prescribed by the Law. This should be done in writing. Thus, you must inform employees about the type of information you are collecting, the purpose of the processing, the legal basis of the processing, the way you are storing the data, whether you will transfer that data abroad, the data retention period, employee rights, etc.
Therefore, the data processing process must be completely transparent, and the employee must know exactly what information the employer processes and for what purpose.
Misconception no. 3: “Employee Consent is Sufficient for the Processing of Personal Data”
The very fact that there are many technical possibilities for processing personal data does not mean that all of them are legally allowed. A legal basis is necessary for each case of personal data processing. According to the new Law, there are 6 bases for personal data processing! Employee consent is only one of them.
Moreover, employee consent is the weakest basis for data processing.
You must be wondering why this is so.
First, consent can always be withdrawn. In that case, if consent was the legal basis for processing, and you do not have that consent anymore (because the person whose data are processed in this case has the right to withdraw consent at any time), you do not have the right to continue collecting data.
Second, the advisory body that dealt with the interpretation of the GDPR even characterized employee consent as being deceptive for the employee, and stressed that consent is a completely inappropriate basis for data processing when it comes to employees.
When you think about it, such an explanation makes perfect sense. The employer has a certain authority and the employee is in a subordinate position to the employer, so such employee consent cannot be considered freely given. For example, it can be expected that the employee, as the party in a subordinate position and out of fear of losing the job if consent is denied, might sign a consent to the processing of certain categories of data that they would not otherwise share with a third party.
Third, consent is required only on exceptional occasions – for example, when you want to photograph your employees for marketing purposes (for printing publications, uploading photos to the website, etc.). In this case, consent is required, as this is not necessary for the employment relationship itself and, therefore, cannot be covered by another legal basis.
Fourth, when consent is given, it cannot be given in general for all processing, but only for specific and precisely defined processing. At the beginning of the work relationship, not all types of processing can be foreseen, so it is not possible to give consent in advance.
Misconception no. 4: “Employer Can Freely Monitor Employees Work”
There are many ways in which an employer can monitor the work of an employee, from video surveillance to controlling communication. We have witnessed a sudden expansion in the use of various tools for monitoring the work and productivity of employees, which occurred during the coronavirus pandemic. Although the pandemic is coming to an end, work from home and monitoring of employees through these tools is not waning but is still expanding to an even greater extent. However, is the employer completely free, with an unlimited right to monitor work? Of course not.
If the data processing is not transparent and there are no restrictions, there is a high risk that the employer’s legitimate interest will turn into unfair supervision that affects the privacy of employees.
Misconception no. 5: “Employer Can Freely Install Video Surveillance at Workplace”
It is essential that you have a legitimate interest if you want to set up video surveillance. Want to secure your property? This could be a legitimate basis that would take precedence over the employees’ interest in privacy. However, you must always ask yourself whether there is another tool that would be less intrusive on the privacy of employees and would still enable you to achieve the same goal. For example, set the camera to record only the front door, but not the work environment of employees.
However, even if you have a legitimate basis to set up video surveillance, you have to inform your employees about that.
Practice has shown that employers freely introduce video surveillance, without any prior notice to their employees. Please note that now that the Law has come into force, it is not enough to just have a label indicating that the facility is under video surveillance; the notice will have to contain all the elements prescribed by the Law.
Misconception no. 6: “Employer Can Freely Check Employees Emails”
Business email is not private – this is usually used as an argument in favor of misconception no. 6. Although employers can monitor communication through business email, the question arises whether this control is entirely at the employer’s discretion.
It is true that e-mails that are being sent or received via a work email address are generally not considered private. The employer is free to monitor this communication, but only under the condition that there is a valid business reason for such action.
In any case, the employer should regulate these issues and inform the employees, so that everything is transparent.
Misconception no. 7: “BYOD Policy Does Not Restrict Employer’s Control”
The BYOD trend (Bring Your Own Device), which means that employees use their own devices to work, for example, phone, laptop, tablet, is getting more and more popular.
This opens the question of conflicting interests: protecting the employer’s confidential data and monitoring the work of employees, on one hand, and the protection of personal data of employees and their family members, on the other.
The GDPR itself does not attach much importance to who owns the device – it puts safety and data security first.
This does not mean that you as an employer should not worry, as ownership of the device can be of great importance if it contains data for which you are responsible. The GDPR treats data on an employee’s personal device the same way as data on your company’s computer – consider where you will store your confidential information.
In any case, it cannot be legitimate to track employee activity through a device that counts keystrokes, records screen activity, or records through the webcam and/or microphone. Although such technologies are available, the privacy invasion is too great to justify such controls, even if the equipment is owned by the employer.
Misconception no. 8: “Employer Has Full Control Over Employees Mobile Phones”
If you have provided your employees with an official phone number, it means that you are the owner of the phone number. This means that as the proprietor you can apply for a monthly call list, giving you insight into all the numbers that the employee called and how long these calls lasted. However, the question arises: what if an employee uses the phone for private purposes? Have you violated their right to privacy?
First of all, the employer could prohibit the use of official phones and official e-mail for private communication, but does not have the right to deny an employee a reasonable amount of private communication while in the workplace.
As for the recording of employees’ phone calls, the employer has this right only if communication with clients is part of the employee’s job description, for example, if the employees work in the company’s call center or technical support. In contrast, recording an employee’s private conversations would be a violation of privacy.
Misconception no. 9: “Employer Can Fully Control Employees on Social Networks”
You must have wondered whether it is allowed to check private profiles of candidates or employees on social networks.
As for candidates, neither the Law nor the GDPR explicitly regulates this issue. However, the body dealing with the interpretation of the GDPR has published its opinion stating that it is possible to carry out such checks, but under the following conditions:
1) Candidates must be informed that you will check their profiles on social networks (even if they are set as public).
2) The employer has a legitimate basis to process such data.
3) It is possible that the profile contains information on the abilities and characteristics of candidates that may be very important for employment or job performance.
4) The employer must comply with all the principles prescribed by the GDPR.
Of course, this opinion is not binding. However, the recommendations of this body have a significant impact on the courts and other EU institutions that implement and interpret the GDPR. Since we do not have relevant case law yet, nor do we have proper interpretations on this question, we believe that our courts, as well as the competent state authorities, will be guided by these opinions. Therefore, it is advisable for employers to align their actions accordingly and ensure that their behavior is in line with domestic and European regulations.
As far as employees are concerned, the same rules apply as for job applicants.
What about the use of social networks by your employees? It would be best to adopt an appropriate Rulebook governing employees’ use of social networks in order to direct their behavior. You must always keep in mind that outright prohibitions are not possible, and that the only thing you can do is try to kindly guide the behavior of your employees.
Of course, in all these cases, you must not violate the privacy of your employees, and you must process only those data for which there is a legal basis. Employees must always be informed in advance about the implementation of supervision and data processing. Otherwise, even in the case of a ban on the use of social networks, telephones and other means of communication, the employer risks infringing rights under Article 8 of the European Convention on Human Rights.
9 Most Common Misconceptions of Employers on Personal Data Protection – Summarized
On the basis of everything aforesaid, we can draw a couple of very important conclusions.
Firstly, you must always follow the principles of necessity and proportionality in each case of data processing. This means that you have to make sure the measures you use are really necessary and proportionate to the purpose you want to achieve.
Secondly, transparency and openness are necessary. Employees must be informed of any processing of data in a clear and comprehensible manner.
Thirdly, data processing must be fair to your employees.
In the end, if we have not persuaded you so far to harmonize your actions with the Law, we remind you that fines for violating legal obligations go up to 2,000,000.00 RSD. It is up to you to decide whether it is worth taking such a risk.