In October 2015, the Court of Bosnia and Herzegovina (BiH) upheld a ruling of the Personal Data Protection Agency ("Agency") which found unlawful the use of surveillance cameras by the Ministry of Finance of Federation BiH. The judgment and the Agency ruling are among the few pronouncements by courts or data protection agencies in BiH, Serbia, or Montenegro, on the issue of video surveillance.

The Agency and the Court of BiH had to decide on the boundaries of permissible surveillance. They lacked clear guidance from the Bosnian Data Protection Act. Since 2011, the law prescribes little more than the controller's obligation to enact a decision containing the rules of processing (unless surveillance is prescribed by a statute) and to post a notification stating that the area is under surveillance and identifying a contact through which details about video surveillance can be obtained (Article 21a of the Data Protection Act).

The Agency ruling from November 2013 (UP1 03_1_37_2_145/13) deserves particular attention, because of its analytic approach to the issue of privacy at workplace.

The Agency received a claim from an employee of the Federal Ministry of Finance stating that the surveillance cameras placed in the hallways of the Ministry enabled his superior to monitor his whereabouts. ("Federation" is one of the two territorial and political entities – the other is Republika Srpska – of which, along with the small Brčko District, Bosnia and Herzegovina consists). The employee requested from the Agency to examine the legal grounds for installing the surveillance cameras and viewing the recorded material for the purpose of monitoring employee movements. If the Agency were to find that the practices violate employees' privacy rights, the employee requested that the Agency order their removal.

After the Agency performed on-site inspection at the Ministry premises in September 2013, it found that cameras covered not only the area of entrance to the elevator and the staircase, but also the hallways leading to the offices. The Ministry practice was to keep the recordings for about three days before new images overwrite the old ones.

The Agency found that the Ministry processed personal data without a legal basis. In the absence of a statute prescribing the surveillance practiced by the Ministry, and in the absence of data subjects' consent, the only remaining ground for processing personal data via video cameras would be the existence of Ministry's lawful interest, pursuant to Article 6, para. 1(e), of the DP Act. That provision allows for data processing without the data subject’s consent "if it is necessary for the protection of lawful rights and interests of the controller or a third party, and if such processing is not in variance with the right of the data subject to protection of personal privacy and personal life". Although the Agency recognised in principle this ground for processing, it dismissed its applicability in the instant case because the monitoring was excessive to the purpose.

Contrary to Article 21a of the DP Act, the purpose of the surveillance was not specified because the Ministry failed to enact a decision on the rules of data processing. The Agency assumed that the purpose was to contribute to the protection and security of the Ministry building, because the cameras were recording the entrance to the elevator and the staircase. However, the Agency questioned the propriety of recording the additional area covered by cameras, i.e. the hallway. The Agency concluded that hallways can be used for various private purposes and communication, during which the employees express personal habits and engage in activities, all of which assumes a certain level of privacy.

The Agency especially considered that a security guard was already controlling who enters the premises, thus already ensuring a level of security. This fact strengthens the argument about the excessiveness of the surveillance.

The Agency dismissed as irrelevant the argument by the Ministry that it was not aware of any instance in which somebody would access the recorded material in order to control the claimant's movements or attendance. The mere possibility of such misuse was unacceptable.

The Agency offered to the Ministry the option of continuing with the surveillance under the condition that it enact the decision on the rules of data processing and ensure that the cameras do not cover the hallways. Otherwise, the use of video surveillance would have to end.

The Agency concludes by citing paragraph 29 of the decision of the European Court of Human Rights in the case of Niemietz v. Germany (1992), in which the Court found a violation of right to respect for private and family life (Article 8 of the European Convention of Human Rights). The paragraph states, in part:

"The Court does not consider it possible or necessary to attempt an exhaustive definition of the notion of 'private life'. However, it would be too restrictive to limit the notion to an 'inner circle' in which the individual may live his own personal life as he chooses and to exclude therefrom entirely the outside world not encompassed within that circle. Respect for private life must also comprise to a certain degree the right to establish and develop relationships with other human beings. There appears, furthermore, to be no reason of principle why this understanding of the notion of 'private life' should be taken to exclude activities of a professional or business nature since it is, after all, in the course of their working lives that the majority of people have a significant, if not the greatest, opportunity of developing relationships with the outside world."

In Serbia, permissibility of video surveillance is not regulated by any law. The Serbian DPA had proposed detailed regulation of video surveillance back in 2014, in its Model personal data protection act, but the Ministry of Justice failed to regulate this subject in the draft Personal Data Protection Act from November 2015.

In the meantime, DPA's brief answer published in a Q&A section on its website – addressing a question on surveillance in residential buildings – delineates some general principles that may be applied when it comes to privacy at work, too. The DPA stresses the importance of following commonly accepted international standards. In the DPA’s view, the standards involve: setting the surveillance camera in such a way that it covers the minimum area sufficient for achieving the purpose of surveillance; posting a notification in a visible place that the area is under surveillance (with the name of the data controller and contact details as to where data on the surveillance may be obtained); and, protecting the video material from unauthorised access.

However, these guidelines offer no answer to the question of which areas of business premises can be justifiably monitored, so to reconcile the employer's legitimate right to have control over the work process, on one hand, and the principle of proportionality of processing personal data, on the other hand. 

In contrast, the Montenegrin Personal Data Protection Act from 2008 dedicates an entire section to video surveillance and explicitly leaves room to reasonable enjoyment of privacy at work. Access to business premises can be surveilled for the purpose of ensuring the safety of persons and property or for controlling entries into and exits from business premises. Also, the monitoring is permissible if the particular business poses a risk to the employees. Surveillance of inner premises may be implemented if necessary for the protection of safety or data secrecy, provided that it cannot be achieved in any other way. No video surveillance is allowed outside the place where employee performs work, such as at dressing rooms, elevators, and the areas designated for clients and visitors.

Furthermore, the Montenegrin law stipulates additional requirements for ensuring privacy: the company should enact a decision containing the reasons for the introduction of video surveillance (unless surveillance is prescribed by a statute); employees must be informed in writing of video surveillance; the controller should seek trade union's opinion before implementing surveillance of inner premises; and, the controller must visibly post a notification stating that the area is under surveillance, containing the name of the data controller and a contact phone number where the data subject can get information on the location of video material and the retention period.