Do individuals have the right to access their personal information?
Data protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Employees and applicants in Serbia have the right to request, obtain and copy data relating to their personal information. In addition, individuals have the right to require employers (and other data controllers) to correct, modify, update or delete their data.
In some cases, individuals may be legally restricted from accessing and copying their data. One example of this is when the employer would be prevented from performing duties within their area of competence.
Individuals can require the deletion of their personal data when:
- the purpose of the data collection isn’t clearly specified;
- the purpose of the processing has changed, but the requirements to meet the changed purpose have not been met;
- the purpose has been achieved or is no longer needed;
- the data is being collected in a way that is illegal;
- the amount of personal data collected is disproportionate to the purpose;
- the data is incorrect and cannot be corrected; or
- the data is processed without proper consent or without legal authorization based on the law.
Individuals can request the interruption and temporary suspension of the processing of their data if they are challenging the correctness, completeness or accuracy of the information. In the event that the processing of personal data is suspended based on an individual’s request, the individual will not have the right to access their data during the interruption.
Employers (and other data controllers) are responsible for responding to requests relating to an individual’s data. If the employer does not respond to an employee’s request relating to their personal information within 15 days of submission, and does not allow access and deliver the copy of data within 30 days, or if the employer rejects or dismisses the request, the individual whose data was collected has the right to appeal to Serbia’s data protection Commissioner.
HR Best Practices: When processing an access request from an employee, make sure not to disclose information connected to other employees. Employers should establish official procedures and contacts for employee requests.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.