The Commissioner for Information of Public Importance and Personal Data Protection has sent a letter to the Minister of Labour, Employment and Social Policy, highlighting a number of issues in connection with personal data processing in labour relations and calling for systemic solutions for those issues to be adopted as soon as possible.
The Commissioner reminded that the Government of the Republic of Serbia had adopted a Personal Data Protection Strategy more than 3 years ago, but no Action Plan had been adopted to implement that Strategy and to define the activities, the implementing agencies in charge of specific tasks and the timeframe for its implementation, adding that a prominent position in the never-to-be Action Plan should have been given to personal data processing in labour relations.
Emphasising that the pending amendments to labour legislation would provide a golden opportunity to systemically address all outstanding issues, Commissioner Rodoljub Sabic also said:
"The Constitution of the Republic of Serbia guarantees personal data protection and provides that personal data processing must be regulated by laws. This constitutional right is elaborated further in the Law on Personal Data Protection, which states that explicit authority contained in a law or freely given consent of the data subject are the only valid legal basis for personal data processing.
Notwithstanding these provisions, the important issues associated with personal data processing in the context of labour relations are mostly not regulated by a law but, at the very best, by secondary legislation (e.g. the Bylaw on Employment Record Booklet; the Bylaw on the Manner of Issuing and the Content of A Certificate of Temporary Incapacitation; the Bylaw on Occupational Safety and Health Records; the Bylaw on Detailed Content and Manner of Keeping Records in the Field of Employment), which is contrary to the Constitution and the Law on Personal Data Protection.
Large quantities of personal data are processed on the basis of "consent". However, consent given by employees and job applicants is seldom reasonably seen as proper legal basis for personal data protection, because of the power imbalance in their relations with the employer. Freely given consent is possible only if such consent can be withheld without any harmful consequences for one's labour law status or employment opportunities, which is clearly not the case. The alleged "consent" is often used as a smoke screen for violations of employees' and job applicants' rights. This is why any issues in this field should be regulated by a law.
In addition to these rather general issues, there has been a range of specific problems and conflict situations to which the citizens have drawn the Commissioner's attention in an increasing number of complaints. These issues, too, are a direct result from the completely lacking or insufficient statutory rules governing personal data protection. As an illustration, I would like to point to your attention cases of processing enormous volumes of personal data without apparent purpose and justification, employer's surveillance of employees' electronic communication, video surveillance, GPS tracking, processing of biometric personal data, processing of sensitive data such as medical diagnoses, processing of data on convictions etc.
It is essential to establish clear rules for these and numerous other situations in connection with personal data processing in the context of labour relations by a law. All arrangements need to take into account the fact that expectations of privacy must necessarily be significantly reduced in the workplace, but privacy does not cease to exist when one is at work. In this context, I would like to recall that the case law of the European Court of Human Rights has established the concept of "reasonable expectation of privacy", which should apply to Serbian employers as well, and that the International Labour Organisation's Code of Practice requires that the type and number of processed personal data be restricted to the absolute minimum that is necessary and justified by the purpose of processing."
