Generally speaking, the Law on Personal Data Protection in the Republic of Serbia stipulates that processing in connection with criminal convictions and punishable offenses and security measures may be performed only if there is some valid legal bases for data processing, and only under the supervision of the competent authority.
Furthermore, the processing of personal data related to criminal convictions, criminal offenses and security measures, i.e. criminal records of persons, is defined by Article 102 of the Criminal Code of the Republic of Serbia. The Criminal Code stipulates that no one has the right to ask a citizen to submit proof of his conviction or non-conviction, and that data from criminal records may only be given to certain state bodies, such as courts, public prosecutors and others.
In addition, this law states that the data from the criminal records may be given to a legal entity upon a reasoned request if the legal consequences of a conviction or security measure are still ongoing and if there is a justified interest based on the law.
Article 99 of the Court Rules of Procedure of the Republic of Serbia stipulates that when third parties have a justified interest and when it is determined by regulations, the court shall issue a certificate of the facts kept in the official records.
I would also like to emphasize at the outset, that a consent as a legal basis for the processing of personal data could not be used in this case. In respect of their employer, the employees are in a relationship of complete subordination. Therefore, the free consent of employees (in these, but also other cases) could be considered only when the employees can revoke it without any harmful consequences, which in the case of employer-employee relations is almost never possible.
Employer/personal data controller
First of all, I would like to address at this point the question that often arises in my practice and is often related to the issue of data collection of employees, those that I deal with in this article, but also the others ones: who is the data controller in a situation when a foreign legal entity established a representative office or branch office in Serbia?
According to the Law on Personal Data Protection, the controller is a natural or legal person, i.e. a state authority that independently or together with others determines the purpose and manner of processing. Article 574 of the Company Law stipulates that a representative office of a foreign company, as its separate organizational part, does not have the status of a legal entity. A representative office can only conclude legal transactions related to its current business. In addition, Article 567 of the Company Law prescribes that a branch office, as a separate organizational part of a company, does not have the status of a legal entity, and in legal transactions, it acts in the name and on behalf of the company.
Based on the above-cited provisions of the Company Law, it could be concluded that the representative office and branch office do not have the status of a legal entity, which further means that they cannot be personal data controllers in the sense of the Law on Personal Data Protection. That means that in this specific case, the obligations during the collection/processing of personal data of employees, keeping records on data processing, and all other obligations prescribed by the Law on Personal Data Protection are performed by a representative office or branch office in Serbia, on behalf of the data controller. Pursuant to the Law on Personal Data Protection, the controller and its representative (representative office or branch office) are obliged to cooperate with the Commissioner for Personal Data Protection in the exercising of his powers.
Collection of the data from the employees
Having in mind all above described, employer/controller could request information from criminal records for its employees from the competent state authority based on a reasoned request and if it has a justified interest based on the law. However, if the employer required from the employee to provide proof of his or her conviction or non-conviction, such processing would be inadmissible.
(I would explain the definition of legitimate interest as the prevailing interest of the employer, which is based on the law, and based on which the employer could request the data from the criminal records for employees. The employer would have to prove that is legal interest would be seriously threatened if he did not have the data about its employees’ criminal records).
How and how many times can an employer request the data from the criminal records for the employees?
Article 26 of the Labor Law stipulates that when establishing an employment relationship, the candidate is obliged to submit to the employer the documents and other evidence of fulfillment of the conditions for work on the jobs established by the employment relationship, which are determined by the rulebook. Furthermore, the same Article stipulates that the employer may not require from the candidate to present evidence that is not of direct importance for the performance of the work for which he is employed, even when prescribed by the rulebook.
However, if the employer has a justified interest in knowing for certain jobs whether the candidate, a future employee, has been convicted of a criminal offense, the employer can provide in its rulebook on organization and systematization of work positions, as one of the conditions for performing certain jobs, that the person has not been convicted for a crime at work and in connection with work. Thus, the employer could have a legitimate interest in requesting the data from criminal records from the competent authority.
In addition, when it comes to proof that criminal proceedings are being conducted against an individual, Article 165 of the Labor Law stipulates that an employee may be temporarily removed from work if criminal proceedings have been initiated against him in accordance with the law for criminal offenses committed at work or in connection with work. This further means that the employer may have an interest in finding out whether criminal proceedings are being conducted against the person with whom it intends to conclude an employment contract or who is already working for it. The Labor Law does not stipulate the obligation of a candidate for employment to provide the employer with the proof whether criminal proceedings are being conducted against him, so it could be concluded that if the employer needs this information to achieve some purpose (as described above or similar), it may request this information about the employee from the competent court.
Thus, only the employer/controller (or its representative) may request the data from the criminal records (as described above) from the competent authorities, on behalf of the controller, based on prepared and reasoned acts of the employer/controller, all based on the law. This all refers to the period of employment or later if necessary, i.e. if the employer proves its justified interest in it. The employer is not allowed to require from the employees to personally submit evidence of their conviction or non-conviction.
Transfer of collected personal data of the employees
Regarding the transfer of data collected from the employees outside the territory of Serbia to Canada and the United States, it is possible to do so by applying the Law on Personal Data Protection of the Republic of Serbia.
The Law on Personal Data Protection allows the export of personal data to all EU countries and all other countries that are signatories to the Council of Europe Convention, but also to countries to which the export of the data from the EU is allowed in accordance with European Commission adequacy decisions: Canada (commercial organizations) and the US (limited to the EU-US Privacy Shield Agreement).
Finally, the export of personal data from Serbia is possible in another way: if the employer adopts binding business rules for the purpose of regulating the transfer of personal data to the controller or processor in one or more countries within a multinational company or group of commercial entities. Thus, binding business rules apply to the transfer of data within a multinational company. Binding business rules are approved by the Commissioner for Personal Data Protection of Serbia and need to meet the requirements prescribed by the Law on Personal Data Protection (they define the structure, contact details of a multinational company or group of commercial entities, transfer of personal data, type of personal data, cooperation processing, purpose of the data subjects and the name of the state to which they are transferred, prescribe the obligation to apply, determine the application of general principles of personal data protection and the rights of data subjects, as well as the manner of exercising those rights, define acceptance of responsibilities of data controllers and/or data processors on the territory of the Republic of Serbia and others).
Another important note in the end:
When collecting/processing data from criminal records of employees, the employer must strictly comply with the Law on Personal Data Protection, which primarily implies the application of basic principles that data must be appropriate and limited to what is necessary in relation to the purpose of processing, and that they may be collected for a purpose that is specifically determined, not for any other purpose. Also, employees must be clearly informed about everything related to the collection of their personal data and know who they can contact regarding the protection of personal data related to them (in Serbia and abroad). The data that are collected and entered in the records must be deleted after the expiration of the retention period determined by the law, or when it is determined that the reasons for which the personal data were collected have ceased to exist.
Article provided by: Ljiljana Urzikić Stanković (Stanković and Partners, Serbia)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)