Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations toward the individuals the data relates to (the data subjects). Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and prompted court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
In Serbia, employers can collect personal data on the basis of legal requirements or on explicit written consent (or implied consent by implicit action). When employees sign an employment agreement, they implicitly agree to allow the employer to collect all legally required employee data. However, if the employer wants to transfer the data outside of Serbia, employees must give written consent before their personal data can be transferred, unless:
- the data is being transferred to a country which is a signatory of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, or
- the data is being transferred with formal approval from Serbia’s Commissioner.
When implicit approval is not set by the law, explicit approval by the employee is required. Employees must also receive notice regarding the collection and processing of their personal data in advance. The notice should include information relating to:
- the data controller (i.e. the employer);
- data users (HR teams, government authorities, etc.);
- a list of the personal data being processed;
- the purpose of collection/processing;
- how the data will be used; and,
- measures that will be taken to protect the data, etc.
In addition, sensitive personal information may only be processed with written consent from the employee (except when the law does not allow processing even with the individual’s consent). In these cases, the information must be specially labeled and protected by safety measures. Sensitive personal information that relates to HR includes:
- ethnicity and race;
- political party affiliations;
- trade union membership;
- health status;
- receipt of social support;
- victims of violence;
- criminal records; and,
- sexual life.
HR Best Practices: When collecting personal information in the context of HR, commit to properly informing employees, documenting legal rationales for data collection and making corrections/deletions when requested. Where consent is needed, build consent forms into the new hire process, before collecting any personal information and before transferring data outside of Serbia.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.