Banking and finance dispute resolution
For the latest news and comment on banking and finance disputes.
For the latest news and comment on banking and finance disputes.
For all the latest news and comment in clinical negligence healthcare law
This collection looks at the latest news and comment on commercial contracting healthcare law. With the health and social care sector under…
For all the latest news and comment in employment and pensions healthcare law
For all the latest legal and regulatory news and comment in health technology
This collection contains DAC B eachcroft's latest report, The Route to Integrated Healthcare , which provides the first practical examples of how…
This collection looks at the latest strategic, commercial, regulatory and negligence legal and advisory news and comment in health and social care. …
For all the latest news and comment on employment and pensions law.
DAC Beachcroft Dublin specialises in insurance, professional indemnity, defendant personal injury, health, commercial litigation and employment work.…
For all the latest new and comment in tax law.
The GC Collective collection offers insight and comment for General Counsels (GCs) and in-house legal teams.
For the latest news and comment on Corporate, M&A and Equity Capital Markets.
Analysis, commentary and checklists on the legal and governance implications of Brexit on businesses operating in, and trading with, the UK
The Accountant's Liability Collection brings you topical news and insight of interest to accountants, actuaries, trustees and other financial…
Events and online training for the health and social care sector.
DAC Beachcroft's LatAm Quarterly Newsletter discusses topical news and issues in Latin America
In response to client suggestions and requests, DAC Beachcroft's insurance sector flagship publication.
For all the latest legal and regulatory news and comment in health and social care integration
For all the latest news and comment in corporate regulatory healthcare law
Find advice, commentary and thought leadership on all aspects of Director's & Officer's Insurance; from contract formation through to complex…
This collection looks at the latest news, comment and development on the law affecting mental health services. The law affecting mental health…
Our market-leading Information Law team regularly publish articles and updates addressing the ever-evolving Information Law landscape.
This collection looks at our Safety, Health and Environment Team and the products and services they can provide. In the climate of increased…
The Insurance Act 2015 comes into force in August 2016 and will represent a significant change to insurance contract law in this country. This…
Legislative changes are bringing major changes to the Insurance landscape. This collection houses DAC Beachcroft's alerts on the pertinent issues.
For all the latest news and comment in clinical regulatory healthcare law
Organisations face ever-increasing expectations from Government, regulators, customers or service users, and other stakeholders, so scrutiny and…
For all the latest legal and regulatory news and comment in healthcare estates and facilities management
This collection addresses the full spectrum of cyber security and data risk management – the zeitgeist of our age.
We have acted for clients in the majority of significant product liability cases that have been decided in the UK over the last 35 years. Our product…
Considering the future landscapes of our cities
The European General Data Protection Regulation (GDPR) came into force on 25 May 2016. A rewrite of European data protection law, the GDPR imposes…
Considering the future of housing
For the latest news and comment on public procurement law.
Welcome to the Construction Risks collection. This space is used to report upon issues of interest to those who seek to allocate, manage and reduce…
Technology, brands and intellectual capital are key assets for any successful business. Our intellectual property (IP) team are experts at helping…
Considering the future of retail
The Insurance Market Conditions and Trends report is DAC Beachcroft's insurance sector flagship publication. Now in its tenth year, the report…
The Solicitors' Risk Collection addresses issues and developments affecting legal practitioners, and the professional indemnity insurers of legal…
Published On: 1 August 2016
In our previous articles we looked at statutory requirements relating to the legal basis for collection and processing of personal data as they are set by the Serbian Law on protection of personal data (Official Gazette of the Republic of Serbia, nos. 97/2008, 104/2009, 68/2012 and 107/2012) (the "LDP"), with our first article covering requirements and potential issues for collection and processing of sensitive health data and the second article covering requirements and potential issues for collection and processing of personal data by insurers.
The overall arc in both of the above articles was the issue of legal basis for collection and processing of personal data. Namely, in which cases collection and processing is allowed ex lege i.e. without the consent of the data subject and in which cases consent is required. Pursuant to the LDP and its Article 8 titled “Inadmissibility of Processing”, collection and processing of personal data could be either: (i) statutory based; or (ii) based on the prior informed consent of the person whose data is being collected and processed i.e. the data subject. For more detail on this, please see our previous articles.
However, even where a legal basis for collection and processing of personal data exists, the issue of proportionality between the scope of the gathered data and the purpose of processing could still raise practical problems and subsequent issues. The recent case of the Commissionaire for information of public importance and personal data protection (the "Serbian DPA") provides instructive guidelines in regard proportionality requirements for collection of employees’ data in the case involving polygraph (lie detector) questioning by the employer.
In the case a Serbian company conducted an internal polygraph (lie detector) questioning and testing of 17 employees with an aim of gathering information in order, pursuant to the employer’s press release, to “detect offenders” and “protect consumers” following the discovery of theft of meat from employer’s warehouses.
The Serbian DPA conducted an investigation into the compliance with the LDP by the employer. As set out in a press release issued by the Serbian DPA certain issues were pinpointed as especially important. Namely: (i) whether there was a proper legal basis for questioning and testing with the lie detector by the employer; and (ii) whether there was a compelling interest by an employer that could justify such use of a lie detector.
The Serbian DPA rejected the employer’s argument that the lie detector questioning and testing was used to “detect offenders” stating that such detection and potential criminal persecution is within the authority of the police and prosecutor and not of the private party.
Use of lie detector (polygraph questioning) is regulated by the Law on police (Official Gazette of the Republic of Serbia, no. 06/2016) which authorises the police to use lie detectors. However, the use of lie detector, even by the police, is subjected to prior written approval of a person meaning that in case no such approval is granted by a person, lie detector questioning and testing cannot be performed (Articles 47 and 57 of the Law on police).
In this case the employer provided to the Serbian DPA written consents given by the employees allowing polygraph testing and questioning. The Serbian DPA rejected such consent as a valid legal basis for gathering and processing of personal data stating that it does not formally fulfil conditions set by the LDP in regard mandatory content of the consent for collection processing of personal data.
The Serbian DPA clearly stated that employer does not have legal basis for collection and processing of personal data i.e.: (i) there was no statutory basis for lie detector questioning conducted by a private party; and (ii) consent given by employees does not satisfy conditions set by the LDP.
However, even had the given employee consents been in line with the requirements set by the LDP, the issue of proportionality between the stated aim and means for achieving it remains open. Namely, such consents, pursuant to the Serbian DPA‘s reasoning, could not be accepted as materially and legally valid taking into account disproportionality both in regard the stated aim of “detecting offenders” and “protecting consumers” and the means for achieving stated goals but also because of disproportionality between the power and authority of employer and employees. Such disproportionality arises, to quote Serbian DPA, “from the contractual relationship between the employer and employee in which relationship employee as a weaker party is not in the position to freely decides without fearing potential repercussions.” This is the same position that the ICO takes in the UK for employee consent.
This case provides us with insight into the Serbian DPA’s methods of assessment of cases involving collection and processing of employees’ data but also could provide employers with the useful insight when dealing with collection and processing of employee’s data based on the consent.
Organisations should bear in mind that even if they have a legal basis for processing personal data, the Serbian DPA will also look to whether the processing is proportionate to an organisation's proposed purpose or aim.
The press release from the Serbian DPA can be accessed here.
Submitted by Aleksa V. Andjelkovic of Andjelkovic Law Office – Belgrade, Serbia
About the author:
Aleksa V. Andjelkovic is an attorney at law from Belgrade, Serbia and the principal in Andjelkovic Law Office. Aleksa V. Andjelkovic obtained a LL.M. degree at Central European University in Budapest, Hungary and specialization degrees from the same University and from the European University Institute in Florence, Italy. Aleksa V. Andjelkovic advises Serbian and international clients in areas of general corporate law, data protection, M&A, highly regulated areas of business including insurance sector, electronic communications and competition law.