Since the introduction of the state of emergency, the Government of the Republic of Serbia has taken a number of measures, many of which result in restrictions on human rights. The right to protection of personal data is one of the constitutionally guaranteed rights, and it is not currently covered by the aforementioned restrictions. Accordingly, controllers and processors are obliged to process personal data in accordance with the Law on Personal Data Protection (hereinafter: the Law) even during the state of emergency.
1. The processing of health and healthcare related information by the Employer
During a state of emergency, Employers find themselves in a position to process personal information they do not normally process (such as health data, employee movement data, etc.).
Pursuant to Article 17 of the Law, data on a person's health status represent a special category of personal data. It is therefore particularly sensitive data whose processing requires a higher level of attention. The Law stipulates that processing of special categories of personal data is prohibited, except in exceptional cases, which are specified by the Law. The intention of the legislator is to establish as a general rule a ban on the processing of special categories of personal data, but at the same time to provide exceptions under which their processing is allowed.
The question is whether the decisions passed by competent authorities during the state of emergency represent a valid legal ground for the Employer to collect and process this category of data.
Accordingly, we emphasize that the Commissioner for Information of Public Importance and Personal Data Protection (hereinafter: the Commissioner) issued an official notice (hereinafter: the Notice) on 1 April 2020, stating that there are no barriers to processing of data on a person's health condition when it is based on applicable regulations, including acts passed by the competent state bodies during the state of emergency, on the condition that the processing is carried out in compliance with all principles prescribed by the Law.
Therefore, the Employer may also process data relating to symptoms of potential corona virus infection among employees. However, the processing of these data can only be carried out in accordance with the acts of competent authorities related to combating the current pandemic, while adhering to the principles of processing set out in Article 5 of the Law. Also, Employers should only process personal data necessary to comply with mandatory measures and regulations, i.e. to meet the interests of adequate employee health care.
Since health data is a particular category of personal data, processing of this category of data entails other obligations for controllers, as provided for by the Law, such as appointment of a person for protection of personal data and assessment of the impact on the protection of personal data.
When processing personal health data as particularly sensitive information, the principle of data minimization should be applied, that is, processing should be limited to what is necessary to achieve the purpose of the processing. For example, if an employee is confirmed to have corona virus, the Employer may notify those employees who have been in contact with the infected employee in order to effectively ensure safe working conditions. However, the Employer should, in accordance with Article 5 of the Law, which prescribes basic processing principles, avoid disclosure of employee information unless it is necessary for the purpose of processing, i.e. protecting the health of others.
Also, systematic collection of data on symptoms and indications that could potentially signify an employee's illness or the possibility of it (constant temperature measurement, daily completion of questionnaires, etc.) would not constitute permissible treatment or comply with the minimization principle. It is important to find an effective way to achieve the purpose of collecting and processing data without compromising employees' rights.
It should be taken into account that certain personal data do not constitute personal health data categorized as a special category of personal data, although they relate to general health care and protection of a particular circle of persons, in accordance with measures and recommendations of the State.
Thus, the Employer can collect and process data from employees concerning contacts with persons infected with corona virus, as well as concerning travel and residence of employees in areas considered by the competent health institutions as the hotspot of the pandemic, since these data do not represent a special category of data. It is questionable whether or not quarantine data represent health data, since they may create an indication of health status but not specific information, and according to the interpretations of certain European regulatory authorities, this data is not considered to be special category personal data.
It is important to point out that the Commissioner stated in the Notice that, after the state of emergency, Employers are obliged to return to the regular data processing regime, which includes permanent deletion of the collected health data of employees.
2. Grounds for processing health and healthcare related data
The controller has the right to process personal data only if it is founded and based on one of the six available legal grounds prescribed by Article 12 of the Law. The question arises as to what legal grounds are available to Employers to process health data and data related to the health care of employees during the state of emergency. Although each case requires a thorough analysis, the Employer has the possibility to base the processing of the said data on the following legal grounds:
- processing is necessary in order to respect the legal obligations of the operator (grounds provided by Article 12, paragraph 2, item 3 of the Law);
- processing is necessary in order to protect important interests of the data subject or of other natural person (grounds provided by Article 12, paragraph 2, item 4 of the Law);
- processing is necessary for achieving the legitimate interests of the operator or a third party (grounds provided by Article 12, paragraph 2, item 6 of the Law).
For processing of a special category of data, it is not enough to have only one of the legal grounds prescribed by Article 12 of the Law; at least one additional condition or exception provided by Article 17, paragraph 2 of the Law must be fulfilled as well.
In the case of processing of health data during the state of emergency, Employers may use the exemption provided by Article 17, paragraph 2 item 2 of the Law - processing is necessary in order to fulfill the obligations or to exercise the statutory powers of the controller or the data subject in the field of work, social security and social protection.
However, it is doubtful whether the Law, together with the acts of competent authorities issued in a state of emergency, allows Employers to rely on other exceptions provided by Article 17, paragraph 2, item 7 - processing is necessary in order to achieve a significant public interest determined by law and Article 17, paragraph 2, item 9 - processing is necessary for the purpose of pursuing a public interest in the field of public health, since the Commissioner in the Notice did not answer questions regarding legal grounds available to the Employers when processing special category of data.
Given that the Law has taken over all solutions from the General Regulation on Personal Data Protection (hereinafter: GDPR), guidelines for the treatment of health data by employers can be found in the practice of the personal data protection authorities of the Member States of the European Union. For example, the European Union Personal Data Protection Authority did not include a legitimate interest in the grounds that make the processing of health data legal.
3. Processing of other personal data by the Employer
In new circumstances, controllers and processors are still obliged to ensure that for each processing of personal data there must be an appropriate legal ground and purpose, that only relevant, important data and data limited by the purposes of processing must be processed, that the persons whose data is processed must be aware of the processing, as well as that adequate protection measures must be taken against unauthorized and illegal processing with the use of other processing principles set out by Article 5 of the Law.
Pursuant to the above, Employers who have organized remote work or work from home during the state of emergency, in accordance with the Regulation on the organization of work of employers during a state of emergency, are obligated to provide appropriate technical, organizational and personnel measures that ensure the security of personal data, which are more exposed to infringement in conditions of remote work or work from home than usual.
The Irish Agency for the Protection of Personal Data has issued Guidelines for the Protection of Personal Data whilst Working from Home. Some of the safeguards include the following:
- for devices: take particular care that devices such as phones, laptops or tablets are not lost or misplaced; keep the operating system and antivirus software updated in a timely manner; if a device is lost, take steps immediately to ensure that memory is removed; use effective access control (setting passwords);
- for e-mail addresses: before sending an e-mail check that it is sent to the right recipient, especially when e-mails contain a large amount of personal data or sensitive data;
- for network access: use only reliable networks;
- for written information: ensure that this information is kept in locked cabinets or drawers; do not leave records that are no longer needed where they may be stolen; and, if possible, keep written records of files transferred home.
Considering all of the above, Employers, even during the state of emergency, must take into account the protection of personal data of their employees, since personal data is a very sensitive issue, affecting the personal sphere of employees. In addition to Employers, public authorities and the media must refrain from publishing information that may lead to the discovery of the identity of those affected by the corona virus, as well as from the disclosure of other personal data of individuals.
Unfortunately, we have witnessed lately that the media, representatives of state bodies and employers alike have increasingly been acting contrary to the above restrictions, thus directly violating the Law. This probably indicates insufficiently developed awareness of the private data of individuals, as well as underdeveloped practices in applying the Law, which will certainly be a challenge for which adequate mechanisms must be found, so that it is not repeated in every emergency. The Notice of the Commissioner, with the clarification that a state of emergency does not in any way derogate enforcement of the Law, is a clear indication that the system in that part tends to adequately protect personal data. It is particularly important to bear in mind that all violations of the Law may potentially have to be sanctioned, especially if complaints are filed by individuals whose rights have been compromised.