The employment field is one of the main sectors where data protection issues arise. The special circumstances of the employer – employee relationship, particularly the dependence and the imbalance of power between the parties involved need to be taken into account when implementing the general data protection law principles. We provide herein below an outline of the main law and regulatory positions taken across SE European jurisdictions in relation to data protection in employment relationships.

Greece

Greek Law 4624/2019, implementing certain GDPR provisions avails of the option provided by the GDPR (article 88 par. 1) to regulate in more detail specific processing cases, such as the processing of data in the context of employment. Art. 27 thereof,  also taking into account the labor law principle imposing on the employer a general obligation to protect its employees, provides that employers may process the personal data of (existing or previous) employees and candidates, provided that it is absolutely necessary: (a) in order to decide whether to conclude an employment agreement; or (b) in order to execute such employment agreement after its conclusion.

Special categories of personal data may be processed only if necessary to exercise rights/ fulfil obligations deriving from labor law, social security and social protection law, and provided the data subject’s legitimate rights concerning the processing are not overriding. Consent may only exceptionally serve as an appropriate legal basis for the employee’s data processing (following settled case-law of the Hellenic Data Protection Authority – HDPA), provided it is assessed as freely given.

In relation to CCTV systems in employment spaces, their use is permitted only if necessary for the protection of people and goods, and with explicit relevant information to the employees, while the personal data collected from such systems cannot be used for the evaluation of performance of employees.

In the context and for the purposes of teleworking, the HDPA has issued additional Guidelines, providing for additional measures employers shall take to ensure the protection of employee personal data during teleworking, as well as compliance with applicable data protection law.

Albania

Albanian data protection legislation is currently undergoing a process of approximation with European Union legislation, as Albania is in the phase of negotiations for EU membership.

Law no. 9887/2008 (dated 10.03.2008) on the Protection of Personal Data, as amended (by virtue of Law no.48/2012 and Law no.120/2014) and the relevant secondary legislation that mainly includes regulations and guidelines approved by the Commissioner for Protection of Personal Data IDP (“supervisory authority”), defines general personal data and special categories of personal data in a fairly similar manner to the GDPR, although, the GDPR contains some more specific provisions, e.g., precise definitions of genetic, health and biometric data, which are not expressly included under the Albanian legislation.

The object of Law no. 9887/2008 is the enactment of rules for the protection and legal processing of personal data. The scope of the Law is the processing of personal data, in whole or in part, through automatic means, as well as the processing with other means of personal data, kept in an archiving system, according to the principle of respect and guarantee of rights and freedoms, fundamental human rights and, in particular, the right to privacy. The law applies to all public and private institutions as well as to individuals, when they process personal data, with the exception of the processing of data from a natural person for purely personal or family purposes.

According to the Law on Personal Data Protection, the filing of a Notice of Data Processing by Data Controller by filling in the relevant Form, is a legal obligation, serving not only the Commissioner in its supervisory competence, but also the data controllers, to ensure a high level of transparency and reliability towards data subjects. The primary purpose of the notice and the disclosure of information in the relevant register is ensuring transparency to the public, informing or giving the public the opportunity to find out who processes personal data, as well as other details of the processing activities, such as the purpose of processing.

Bosnia & Herzegovina

The main law regulating personal data protection in Bosnia and Herzegovina is the Law on Personal Data Protection ("Official Gazette of Bosnia and Herzegovina", No. 49/2006, 76/2011 and 89/2011 - corr.) (hereinafter: the Law). The Law is applicable within the territory of Bosnia and Herzegovina, i.e. the Federation of Bosnia and Herzegovina and Republic of Srpska, and the supervision over the application of the Law is entrusted to the Agency for Personal Data Protection (APDP) in Bosnia and Herzegovina. APDP has prepared the draft of a new Law on Personal Data Protection based on General Data Protection Regulation (Regulation (EU) 2016/679) (hereinafter: GDPR). Further implementation of the GDPR will be resolved within that framework.

Regarding the processing of employees’ data, Article 16 of the Law is of relevance, which stipulates that personal data processed by a data controller or a data processor constitute a business secret, while the employer shall keep them confidential even after the termination of employment. Regarding special categories of personal data (as defined in Article 3 of the Law), Article 9 provides that the processing thereof is prohibited, except if, inter alia, such processing is necessary to comply with an obligation or exercise special rights of the data controller in the field of labor law and to the extent authorized by law.

Apart from the Law, the issue of data protection in the employment sector is also regulated by the Labor Law of the Republic of Srpska (Official Gazette of the Republic of Srpska No. 1/2016, 66/2018 and 91/2021 - Decision of the Constitutional Court of the Republic of Srpska No. U-66/20 of 29 September 2021 and 119/2021), and in particular Article 102 thereof, under which an employee is entitled to inspect all documents containing their personal data, which are kept or processed by the employer, as well as to request the deletion of data irrelevant for the work they perform and correction of inaccurate data. Personal data relating to employees may not be made available to a third party, except in cases and under conditions determined by law or provided that it is deemed necessary for proving the rights and obligations arising from employment. Personal data of employees may be collected, processed, used and delivered to third parties only by an authorized by the employer employee in accordance with the regulation governing personal data protection. The Labor Law of the Federation of Bosnia and Herzegovina (Official Gazette of the Federation of Bosnia and Herzegovina No. 26/16 of 04.04.2016) stipulates in Article 30 that personal data of employees cannot be collected, processed, used or delivered to third parties, unless provided by law or if deemed necessary for the purpose of exercising the rights and obligations under employment. Non-compliance with this article by the employer/legal entity results in imposing monetary penalties ranging from 1,000.00 KM to 3,000.00 KM.

Bulgaria

As of 2 March 2019 the Bulgarian Personal Data Protection Act (BPDPA) has been amended in line with the GDPR. As the BPDPA has been (since its enactment in 2002) among the most stringent data protection legal frameworks even before the entry into force of the GDPR, said amendments resulted in more relaxed requirements than the ones in the previous version thereof. The main effect triggered by the mandatory application of the GDPR is liaised with the enhanced sanctions provided therein.

Employment relationships. Companies processing personal data in their capacity as employers seem to be subject to increased obligations than before the GDPR era. The requirements contained in the BPDPA include provisions concerning employment relationships, such as:

  • Employers are allowed to determine on their own the retention period for the personal data of job applicants. This period, however, may not exceed six months from the date the recruitment procedure is completed;
  • Employers shall adopt rules and procedures regarding whistleblowing, limitations on the use of a firm’s internal resources, access controls, working time and labor discipline.

The leading supervisory authority is the Bulgarian Personal Data Protection Commission (PDPC) which monitors and facilitates the processing and transfer of personal data. The PDPC is also responsible for the accreditation of bodies monitoring codes of conduct, and proceeds with the certifications of certification bodies, which issue, review and withdraw data protection certifications, seals and marks. The PDPC also approves codes of conduct in specific sectors. The responsibilities of the PDPC include conducting seminars and trainings of data protection officers (DPOs).

Instead of a data controllers’ register, the PDPC maintains separate registers for: controllers and processors who have appointed DPOs, accredited certifying bodies, codes of conduct, breaches of the GDPR and the Act with the measures implemented (internal register), as well as notifications of a personal data breach (internal register).

Other authorities connected with the PDPC are the Inspectorate to the Supreme Judicial Council. The Inspectorate receives all complaints, requests and signals related to processing of personal data by the courts, and the investigation and prosecutor's office, which will no longer be filed to the PDPC. The Inspectorate, like the PDPC, is entitled to impose sanctions for GDPR infringements of up to EUR 20 million.

Czech Republic

The Czech Data Protection Act does not include a specific provision about data protection for employees in the Czech Republic. The majority of such rules for employee personal data processing are included in Act No. 262/2006 Coll., the Labor Code.

The Labor Code contains several rules about the lawful processing of employee personal data by an employer as a controller. These rules regulate:

  • the personal data employees must provide to their employers prior to employment (Article 30(2) of the Labor Code)
  • the employer’s obligation to record the working hours of an employee (Article 96(1) of the Labor Code)
  • the employer’s right to monitor the use of equipment by employees for personal purposes (Article 316(1) of the Labor Code)
  • the employer’s restriction to monitor the employee’s privacy without a significant reason (Article 316(2) of the Labor Code)

The Labor Code further regulates the protection of employees' privacy. It prohibits the employer from requiring and further processing information that is not directly related to the performance of work and to the employment relationship. A potential employer should use candidates data only for the purpose of making a decision on employing a person. If this purpose is no longer present, the employer has to erase or destroy the data. The employer is not allowed to use the data from CVs for the purposes other than recruitment, for example for direct marketing.

The employer has the right to install systems for surveillance and control of the company automobiles without the employees’ consent only when this is necessitated by the nature of the professional activity performed and security precautions. If such systems are utilised, the employer must notify the employee about their existence and terms of use. There is also a need for regulating the use of these systems in the form of internal rules and the data must be processed only for the purposes stipulated by the rules.

Romania

In Romania, Law No 190/2018 has implemented the GDPR provisions. Regarding employment relationships, article 5 thereof Law regulates specifically the processing of personal data collected through electronic devices/ video surveillance in the labor law context.

According to said article 5 the collection of employee personal data by the employer and through electronic devices/ video surveillance at work is allowed only if the employer can prove that his legitimate interest is thoroughly justified and prevails of the rights and liberties of the employees. The legitimate interest of the employer should not be confused with the commercial interest, meaning that proving a commercial interest of the employer is not considered to be enough to justify a legitimate interest. The legal basis for the processing of personal data in the employment relationship when we refer to electronic devices/ video surveillance is usually the legitimate interest of the employer since consent of the employees is considered non-valid due to the subordination relationship between the employer and his employees.

When collecting personal data through electronic devices/ video surveillance, the employer must also prove that he has tried all other available and less intrusive means to protect his legitimate interest, such means have failed and the video surveillance/ monitoring through electronic devices of the employees is the only appropriate and effective means for such protection. The employees must be previously informed of their personal data collection at the working place and the employer must also discuss before implementing the personal data collection through electronic devices/ video surveillance with the union or with the representatives of the employees, as the case may be. 

The personal data obtained using the video surveillance or other electronic devices can be stored by the employer only in accordance with and proportionally to the relevant data processing purpose, but no more than 30 days, except in cases expressly regulated by law or otherwise thoroughly justified.

Serbia 

Serbian Law on Personal Data Protection (Official Gazette of the Republic of Serbia no. 87/2018) contains no specific provisions on processing of personal data related to employment, but refers to the regulatory framework governing employment (Employment Law, Safety and Occupational Health Law, Law on Employment and Unemployment Insurance, etc.), as well as the collective labour agreements (Article 91 of the Law). The applicable Employment Law prescribes a general obligation of the employer to keep the data confidential, as well as to enable data subjects - employees to have an access to such data so as to be able and request correction of false, or deleting of unnecessary data.

Article 91 of the Law on Personal Data Protection also prescribes that the regulatory framework related to employment and the protection of personal data, must include additional special measures (to protect the dignity, legitimate interests and fundamental rights of the data subjects, especially with regard to the transparency of processing, exchange of personal data within a multinational company, i.e. a group of economic entities, as well as the monitoring systems in the work environment). The fact that the change of the regulatory framework did not occur although it was supposed to  take place until the end of 2020, resulted in legal uncertainty with respect to this issue.

Processing of special categories of personal data in Serbia is based on the need to comply with the law and regulatory framework and to fulfil obligations under employment, social insurance and social protection law, provided that such processing is prescribed by law or a collective labour agreement which also provides for the application of appropriate measures to protect the fundamental rights, the freedoms and interests of the data subjects. Special categories of personal data are exceptionally processed on the basis of data subject’s freely given consent.

The use of CCTV and GPS systems in employment spaces/ vehicles is not subject to specific regulations in Serbia. The competent Public Commissioner, however, has issued a Decision on the list of personal data processing acts which require previous Assessment of impact to the personal data protection (Official Gazette of the Republic of Serbia no 45/2019 and 112/2020). Said Decision also provides that the Public Commissioner’s consent to the mentioned Assessment shall be obtained, in case of processing of biometric data used for identification of the data subjects, processing by using of applications and surveillance systems, automated processing, etc.