Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations toward the individuals to whom the data relates, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data and may not require consent. The processing of HR personal data has raised questions and led to court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
The concept of employee consent has been increasingly criticized because there is doubt as to whether consent can be given freely in the subordinate employee/employer relationship. Serbia’s Data Protection Law allows personal data to be processed in a number of circumstances without an employee’s consent. The circumstances that are most relevant for employers include:
- when performing a contract (such as an employment contract) to which the employee (or data subject) is a party in order to take steps at the request of the employee prior to entering a contract;
- to meet a legal obligation of the employer;
- for the vital interests of the employee or other natural person;
- for the legitimate interests of the employer or third party, except when the employee’s interests or fundamental rights/freedoms are overriding.
When consent is used as the valid legal basis for processing personal employee data, the consent must be given freely by the employee, be specific, be informed and be a clear indication of the individual’s wishes. Explicit consent should be obtained when:
- processing special categories of data (i.e., information relating to racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic data, biometric data used for uniquely identifying a natural person, health-related data, sexual life, or sexual orientation);
- conducting automated decision making; or,
- profiling (such as when using personal data to make predictions as to how well a job applicant would perform in a given role).
Explicit consent can be indicated by a signature, confirmatory email, checking a checkbox, or other method which confirms that the employee proactively consented to the processing.
Explicit consent may not be required when processing special categories of personal data in certain circumstances. The circumstances most relevant for employers include:
- when processing is necessary to carry out obligations and exercise specific employer rights relating to employment, social security and social protection law (when authorized by law or collective agreement pursuant to law, provided that appropriate safeguards have been taken to protect individuals’ fundamental rights and interests);
- when necessary to establish, exercise or defend legal claims or when courts are acting in their judicial capacity;
- when necessary for the assessment of an employee’s working capacity; or,
- when the personal data that’s being processed has been manifestly made public by the employee.
Automated decision-making and profiling without explicit consent is permitted in certain circumstances when:
- necessary for entering into or for the performance of a contract between the individual and the employer; or,
- authorized by a law to which the employer is subject and when there are suitable measures in place to safeguard individuals’ rights, freedoms and legitimate interests.
Employees and other data subjects should be notified in advance of any personal data processing by the employer. Notice should include:
- the employer’s identity and contact information and, if applicable, the employer’s representative;
- the data protection officer’s contact information (when one exists);
- the purpose(s) and legal basis for the processing;
- the specific, legitimate interests that are being pursued, if the reason for processing is based on the employer’s legitimate interests;
- the recipients or categories of recipients of the data (if applicable);
- the employer’s intention to transfer personal data to a country outside of Serbia or an international organization (if applicable);
- the period the personal data will be stored (or, when that’s not possible, the criteria that will be used to determine the retention period);
- the rights of the employee, including the right to: (a) request access/rectification/erasure, to restrict processing, to data portability, to object to the processing; (b) lodge a complaint with Serbia’s Commissioner; (c) withdraw consent at any time (if consent was used as the legal reason for processing);
- whether the employee is required to provide the personal data and potential consequences for failing to provide data;
- the existence of automated decision-making (such as profiling), and, at minimum, meaningful information about the logic involved in decision-making and the significance/potential consequences to the employee.