The Serbian data protection authority – the Commissioner for Information of Public Importance and Personal Data Protection – has not issued any guidance on the processing of personal data in the workplace during the coronavirus outbreak. Serbian employers who wish to know the boundaries of permissible data processing under the current circumstances are left with the task of identifying the limits wholly by themselves.
Because the Serbian Data Protection Act (2018) (“DP Act”) transposes the principles and rules contained in the GDPR almost verbatim, employers would do well to look into the guidelines issued by the data protection authorities of the EU member states. That exercise, however, may be too demanding. Moreover, as comparative analyses have already shown, the EU member states do not interpret the GDPR in the same way: some take a more restrictive or more permissive approach than others.
Below is a list of the most important Q&As concerning the processing of personal data in the workplace, in Serbia, as informed by the EU member states’ interpretation of the GDPR provisions with equivalents in the DP Act.
1. Does the exceptionality of the current situation enable employers to disregard data protection legislation when it comes to the processing of COVID-19-related information?
No. The personal data protection legislation, which aims at safeguarding a fundamental right, applies in its entirety to the current situation. Therefore, even in these exceptional times, data controllers must ensure the protection of the personal data of the data subjects.
In any case, the Serbian DP Act contains the necessary safeguards and rules to legitimately allow the processing of personal data in situations, such as the present one, in which there is a general health emergency.
2. Which kind of personal data are employers likely to process in the context of the coronavirus outbreak?
- Employees’ contact with infected persons or trips to risk zones, which the DP Act does not consider as special categories of data.
- Whether any employee is infected with coronavirus, which amounts to health information and is considered as a special category of data pursuant to Art. 17 of the DP Act.
- Employees who are in quarantine. It is not crystal clear whether this kind of information amounts to health-related data. According to the data protection authorities in the Scandinavian countries, information that someone is in quarantine is not personal health information, unless it contains more detailed information about the cause.
3. Under which legal basis should employers process the abovementioned kinds of personal data?
Although each case requires an analysis of the specific situation, the legal bases on which employers are most likely to rely for the use of non-sensitive data are Arts. 12(3) (compliance with a legal obligation of the controller, such as prevention of occupational risks of employees), 12(4) (protection of the vital interest of the data subject or some other person) and 12(6) (legitimate interests of the employer or third parties, including the other employees) of the DP Act.
Not all of these bases can necessarily be used for the processing of health data. For example, the data protection authorities in the EU have not included legitimate interest among the bases which make the processing of health information lawful.
Processing of health data requires, in addition to one of the generally applicable legal bases for the processing of personal data, the applicability of, at least, one of the statutory exceptions from the general prohibition to process sensitive data. In the present case, the exception that could be used is performance of employment, social security and social protection law-related obligations and rights (Art. 17(2)(2) of the DP Act).
It is not clear whether the DP Act, taken together with the health-specific legislation in Serbia, also enables the employers to rely on Art. 17(2)(7) (reasons of substantial public interest) or Art. 17(2)(9) (public interest in the area of public health). In fact, a negative answer seems to be more likely than a positive one, but the matter is complicated and the Commissioner’s clarification would be most welcome.
4. Can employers collect, in a systematic and generalized manner, information aimed at discovering possible symptoms of coronavirus in their employees and/or visitors?
No, if the Serbian Commissioner follows the lead of the EU member states’ data protection authorities. Such an approach would, in most cases, be considered disproportionate and against the principle of data minimization (Art. 5(2) and (3) of the DP Act). Employers should refrain from things like:
- measuring their employees’ body temperature daily or requiring that they fill out medical sheets about their health, their contact with infected persons or their visits to risk countries; or
- having visitors or other external persons sign a pre-established declaration certifying that they have no coronavirus symptoms, have not travelled to risk zones, etc.
Arguably, employers can require employees to inform the employer if they have been in contact with infected persons or have visited risk countries. This approach should help to minimize the information that employers need to collect.
It is not clear whether employers may ask a particular employee if he or she is experiencing symptoms. Some data protection authorities have taken a restrictive position under which the employer cannot ask an employee about the nature and cause of his or her health condition. In that case, the employer could only instruct an apparently sick employee to go to the doctor’s for examination; subsequently the employer could not ask either the employee or the physician to disclose the details of the health condition to the employer.
5. If an employer is informed that any of its employees is infected with coronavirus, should it pass that information to the rest of employees?
The employer should pass the information that an employee has tested positive for coronavirus to those employees who have been working with the infected employee at the same place of work, in order to effectively ensure their safe working conditions and to protect their health at the workplace.
6. When passing the above information to its employees, should employers reveal the name(s) of the infected employee(s)?
As stated above, employers should keep their staff informed about the existence of COVID-19 cases in the company. However, pursuant to the principle of confidentiality (Art. 5(6) of the DP Act), unless it is strictly necessary, employers should avoid naming the specific infected individuals.
7. Do employers need to prepare a new privacy notice for the processing of coronavirus-related information?
Not necessarily. Employers must make sure that they have privacy notices in place which adequately address COVID-19 related data processing, including the type of personal data which will be processed, the purpose of the processing, the legal basis and the retention period.
Employers whose notices do not address such issues can either update their existing notices or prepare new ones that are specific to the coronavirus-related processing.
8. Is there something that employers should take into account in relation to remote working?
The obligation to have in place appropriate technical, organizational and staffing measures which ensure the security of personal data (Art. 50 of the DP Act) continues to apply in the present circumstances, where many companies have most of their employees working from home.
In this sense, the guidelines given by the Irish Data Protection Authority on protecting personal data when working remotely can be useful.
9. Are the data controllers who, due to the current situation, are unable to strictly comply with their data protection obligations (for example, when it comes to answering data subject requests on time), likely to be penalized?
It is impossible to know what the stance of the Serbian Commissioner for Information of Public Importance and Personal Data Protection will be.
In any case, it would be reasonable for it to take an approach similar to that announced by the UK and Irish Data Protection Authorities. They have acknowledged the exceptionality of the current situation and suggested that, to a certain extent, they will grant a higher degree of flexibility to data controllers.