The Commissioner for Information of Public Importance and Personal Data Protection, Rodoljub Sabic, has sent a warning to the company Perutnina Ptuj-Topiko d.o.o. (ltd.) from Backa Topola for unauthorized personal data processing during polygraph testing of 17 employees, since the company had no valid legal basis for such processing and the response was not proportionate to a legitimate purpose.
The company shall, within 15 days of receipt of the warning, notify the Commissioner of the measures taken to prevent further unauthorized processing, so that he can decide on possible further measures within his powers.
The Commissioner has ex officio, based on the information from public articles published in electronic media, initiated a supervision procedure over the implementation and application of the Law on Personal Data Protection in the company. During the inspection, it was found that the company conducted polygraph testing of a total of 17 employees for the purpose of gathering information "for detecting the offender stealing meat" from the company storehouse.
Detection and prosecution of offenders is under the exclusive authority of the police and the prosecution. The provisions of Articles 47 and 57 of the Law on Police provide for the possibility of using polygraph tests by the police, which is the only such (and in this case optional) authorization contained in a law.
A company does not possess the legal authority for personal data processing by polygraph tests for any purpose. Also, examination of the text of the consent signed by all the persons tested found that the consent did not meet the formal requirements of validity as prescribed in Article 10 of the Law on Personal Data Protection. Irrespective of the above, even assuming that the consents were formally valid, they could not be accepted as substantively and legally valid, due to the apparent disproportion of influence and power between those who obtained the consents and those who were requested to give them. The disproportion is obvious due to the very nature of the employer-employee relationship, where the employee as the "weaker" party is not really free to decide.
The Commissioner points out that this particular case is only one of numerous similar problems that are a direct consequence of a complete lack of legal rules, or not nearly sufficient legal rules, on personal data processing. Enormous amounts of personal data are processed without identifiable purpose and justification, employees' electronic communication is monitored by employers, video surveillance and GPS tracking systems are used, biometric personal data are processed, as well as particularly sensitive data such as medical diagnoses, etc.
At the time of opening the negotiating chapter with the EU on human rights, it is important to once again underline the need to establish clear rules in legislation that would guide these and numerous other situations regarding personal data processing in the field of labour relations. It is thereby necessary to take into account the fact that, although privacy in the workplace must be reduced significantly, it never completely ceases to exist. The concept of "reasonable expectation of privacy" was introduced in the practice of the European Court of Human Rights and it should be applied in our country as well. In addition, the International Labour Organisation Code of Practice clearly states the requirement that the kind and amount of personal data collected shall be reduced to a minimum: only to data whose processing is absolutely necessary and fully justifiable.