How and whether to use a legitimate interest as a legal basis for processing of personal data
Due to the coronavirus epidemic (COVID-19), a state of emergency was introduced in the Republic of Serbia on March 15, 2020 in accordance with the Decree of the Government.
In accordance with the emergency decision, a number of other decisions and recommendations have been rendered that address the work of companies in this situation. The Government of the Republic of Serbia has adopted and enacted a large number of acts, on a daily basis, that can significantly affect businesses. Among other things, it is prescribed that companies should allow their employees to perform work outside the premises of the employer (remote working and working from home) in all workplaces where such work can be organized in accordance with the general act and the employment contract. In order to protect the health of employees who are unable to work from home, each company must implement all general, special and emergency measures relating to the hygienic safety of facilities and persons.
However, certain companies that are unable to organize their work in accordance with the recommendations of the competent authorities are beginning to question whether the measures they have taken in accordance with those decisions and recommendations can actually achieve the purpose of protecting the health and safety of employees. Where the measures already taken make that purpose difficult or impossible to achieve, the question of introducing new measures arises, and those new measures imply the processing of personal data of the company's employees.
On the one hand, companies, as employers, are responsible for ensuring safe working conditions in an environment where the health of employees is not endangered; on the other hand, there is the question of how, and by what measures, this purpose can be achieved in a situation of rapid spread of the virus. Frequently, the only measure mentioned is the processing of employees' personal data relating to their health, that is, the assumption that the purpose can be achieved by processing the personal data of potentially infected persons who could endanger the health of others (even before doctors have diagnosed the disease and proposed treatment).
Conditions necessary for the collection of personal data
The Law on Personal Data Protection prohibits the processing of personal data relating to health. This law permits the processing of such sensitive data only in exceptional cases, and those exceptions cannot be and are not applicable in the specific case described here. In addition, the Law on Safety and Health at Work, as well as the Labor Law, prescribe the employer's obligation to provide employees with a healthy and safe working environment. When organizing work and the work process, the employer is obliged to provide preventive measures to protect the life and health of its employees; under this law, the employer provides preventive measures starting from the following principles: avoiding risks, and assessing the risks that cannot be avoided at the place of work.
What should be done?
In accordance with the Law on Personal Data Protection of the Republic of Serbia, the planning of personal data processing, including the transfer of such data and the use of sensitive data, must be organized in such a way that all principles of personal data protection are taken into account. Primarily, accountability and respect for the principles of legality, fairness and transparency must be secured; these require the controller not to abuse its disproportionately stronger position with respect to the data subject, and to treat those persons in an acceptable manner.
The first thing companies should do to achieve the purpose, and protect the health of employees, is to introduce measures that do not require the processing of personal data (the measures mentioned above), such as basic hygiene measures, cleaning offices, requiring more frequent use of hygiene products, and the like.
If a company concludes that the measures undertaken cannot fulfill the purpose and that processing personal data in order to protect employees' health is absolutely necessary, the company, as data controller, must first once again specify the exact purpose and legal basis for the processing of personal data, while continuously complying with the basic principles of personal data processing throughout the entire process.
Pursuant to the Law on Personal Data Protection, the available legal bases for personal data processing are as follows: consent of the data subject, conclusion and execution of contracts, compliance with legal obligations, protection of vital interests, performance of public interest tasks, and legitimate interests of a controller.
Consent, as a legal basis for processing personal data, cannot be used in this case. Employees are fully subordinated to the employer. That is why the free consent of employees (in these and in other cases) can only be discussed when employees can revoke it without any adverse consequences, which in employer-employee relations is almost never possible.
The legitimate interest of the controller may be the legal basis for the collection of personal data, provided that the interests or rights and freedoms of the data subjects do not take precedence, taking into account the reasonable expectations of the data subjects based on their relationship with the controller. In any case, establishing a legitimate interest requires a careful assessment of, inter alia, whether the data subjects can reasonably expect, at the time and in the context of personal data collection, that their personal data will be used solely for the initial purpose. Furthermore, under the Law on Personal Data Protection, legitimate interest may be used as a legal basis for personal data processing only after the employer has carried out a test showing that its legitimate interests outweigh the interests of the persons whose personal data are being processed, or that the data processing does not threaten the interests and freedoms of the data subjects.
The test performed by the controller can and should refer to the situation and practice that exists and/or does not exist in the specific situation, the recommendations of the competent authorities, and the like. However, the nature of the data to be processed by the company must also be taken into account. If these are particularly sensitive data, such as data relating to a person's health, then this test can and should be explained in more detail. In any case, the data subject must be informed and must be able to exercise his/her rights regarding personal data protection.
Thus, legitimate interest as the legal basis for personal data processing may be the only solution for companies in such cases, but, again, caution must be exercised when considering this legal basis, and the above-mentioned balancing test must be thorough and consist of several important parts: it is necessary to determine whether the legitimate interest is related to the purpose achieved by the personal data processing; then it must be determined that the legitimate interest is lawful, and whether the processing is necessary for the pursuit of that interest; and finally a provisional balance must be struck by assessing whether the interest of the controller outweighs the interest of the data subject whose data are processed. It is also necessary to take into account additional personal data protection safeguards, and to demonstrate that data subjects are informed and have all the rights related to personal data protection.
However, it is still necessary to remain cautious with the use of this legal basis.
Beyond that, now more than ever, the question arises as to whether and to what extent each company, each employer, or personal data controller in Serbia has aligned its business with the Law on Personal Data Protection. This raises the question of whether a company has adopted appropriate safety and confidentiality policies, whether it has considered personal data processing based on a legitimate interest, and whether it has arranged a way to conduct assessment tests, all in accordance with the documents regulating work in emergency situations and the preventive measures to be taken in these circumstances, so that a controller can more easily identify and reduce the risks that the personal data processing poses to the rights and freedoms of the data subjects.
Article provided by: Ljiljana Urzikic Stankovic (Stankovic & Partners, Republic of Serbia)