In our previous articles we looked at statutory requirements relating to the legal basis for collection and processing of personal data as they are set by the Serbian Law on protection of personal data (Official Gazette of the Republic of Serbia, nos. 97/2008, 104/2009, 68/2012 and 107/2012) (the "LDP"), with our first article covering requirements and potential issues for collection and processing of sensitive health data and the second article covering requirements and potential issues for collection and processing of personal data by insurers.
The overall arc in both of the above articles was the issue of legal basis for collection and processing of personal data. Namely, in which cases collection and processing is allowed ex lege i.e. without the consent of the data subject and in which cases consent is required. Pursuant to the LDP and its Article 8 titled “Inadmissibility of Processing”, collection and processing of personal data could be either: (i) statutory based; or (ii) based on the prior informed consent of the person whose data is being collected and processed i.e. the data subject. For more detail on this, please see our previous articles.
However, even where a legal basis for collection and processing of personal data exists, the issue of proportionality between the scope of the gathered data and the purpose of processing could still raise practical problems and subsequent issues. The recent case of the Commissionaire for information of public importance and personal data protection (the "Serbian DPA") provides instructive guidelines in regard proportionality requirements for collection of employees’ data in the case involving polygraph (lie detector) questioning by the employer.
In the case a Serbian company conducted an internal polygraph (lie detector) questioning and testing of 17 employees with an aim of gathering information in order, pursuant to the employer’s press release, to “detect offenders” and “protect consumers” following the discovery of theft of meat from employer’s warehouses.
The Serbian DPA conducted an investigation into the compliance with the LDP by the employer. As set out in a press release issued by the Serbian DPA certain issues were pinpointed as especially important. Namely: (i) whether there was a proper legal basis for questioning and testing with the lie detector by the employer; and (ii) whether there was a compelling interest by an employer that could justify such use of a lie detector.
The Serbian DPA rejected the employer’s argument that the lie detector questioning and testing was used to “detect offenders” stating that such detection and potential criminal persecution is within the authority of the police and prosecutor and not of the private party.
Use of lie detector (polygraph questioning) is regulated by the Law on police (Official Gazette of the Republic of Serbia, no. 06/2016) which authorises the police to use lie detectors. However, the use of lie detector, even by the police, is subjected to prior written approval of a person meaning that in case no such approval is granted by a person, lie detector questioning and testing cannot be performed (Articles 47 and 57 of the Law on police).
In this case the employer provided to the Serbian DPA written consents given by the employees allowing polygraph testing and questioning. The Serbian DPA rejected such consent as a valid legal basis for gathering and processing of personal data stating that it does not formally fulfil conditions set by the LDP in regard mandatory content of the consent for collection processing of personal data.
The Serbian DPA clearly stated that employer does not have legal basis for collection and processing of personal data i.e.: (i) there was no statutory basis for lie detector questioning conducted by a private party; and (ii) consent given by employees does not satisfy conditions set by the LDP.
However, even had the given employee consents been in line with the requirements set by the LDP, the issue of proportionality between the stated aim and means for achieving it remains open. Namely, such consents, pursuant to the Serbian DPA‘s reasoning, could not be accepted as materially and legally valid taking into account disproportionality both in regard the stated aim of “detecting offenders” and “protecting consumers” and the means for achieving stated goals but also because of disproportionality between the power and authority of employer and employees. Such disproportionality arises, to quote Serbian DPA, “from the contractual relationship between the employer and employee in which relationship employee as a weaker party is not in the position to freely decides without fearing potential repercussions.” This is the same position that the ICO takes in the UK for employee consent.
This case provides us with insight into the Serbian DPA’s methods of assessment of cases involving collection and processing of employees’ data but also could provide employers with the useful insight when dealing with collection and processing of employee’s data based on the consent.
Organisations should bear in mind that even if they have a legal basis for processing personal data, the Serbian DPA will also look to whether the processing is proportionate to an organisation's proposed purpose or aim.
The press release from the Serbian DPA can be accessed here.
Submitted by Aleksa V. Andjelkovic of Andjelkovic Law Office – Belgrade, Serbia, in partnership with DAC Beachcroft LLP