On the occasion of International Data Privacy Day (January 28), as in previous years, the Commissioner for Information of Public Importance and Personal Data Protection (“the Commissioner”) issued a publication “Personal Data Protection: Stances, Opinions and Practice of the Commissioner”.
In the upcoming text, we will present several stances, i.e., opinions of the Commissioner published in this book with regards to the application of the Law on Personal Data Protection (“the Law”).
1.Processing the employees’ biometric data with face recognition device for the purpose of controlling and registering their working hours
While supervising the activities of personal data controller, the Commissioner established that the controller acted against the provisions of the Law and it was therefore prohibited to process the face images of employees for the purpose of their identification through the face recognition device aimed at controlling and registering their working hours. Namely, the processing of such biometric data of employees was done:
- against the provisions of Article 17 of the Law (which regulate the processing of special types of personal data);
- without legal basis;
- against the principle of data minimization; and
- without previous impact assessment of the envisaged processing activities on personal data protection and without obtaining the Commissioner’s opinion.
The controller was therefore ordered to ensure that the commission deletes all employees’ personal data collected for further processing through this face recognition device, i.e., for controlling and registering employees’ working hours, and to notify all employees whose data were collected about such deletion.
2.Personal data processing during online purchase of products
During the supervision over the activities of personal data controller, the Commissioner prohibited the controller to process certain personal data of natural persons during online
purchase of products on certain websites, notably the personal document number (ID card/passport), considering that the requirements from Article 12, paragraph 1, item 3 of the Law were not met during collection of the respective information (that processing is necessary for the purpose of adhering to the legal obligations of the controller). Namely, the purpose
of processing in this particular case was to refund money to the customer for purchased goods/services and/or quitting purchase in case of a previously paid advance, while this legal obligation of the controller arises only at the moment of refunding money to the buyer.
Therefore, the controller in this case acted against the principles of lawfulness, fairness and transparency, as well as data minimization.
3.Consent to data processing through video surveillance
In form of reply to the question (which may be addressed to the Commissioner by citizens, legal entities, associations and state authorities with regard to ambiguities in application of the Law) regarding the processing of personal data by use of video surveillance, the Commissioner assumed the position that such processing is not individually regulated by the Law, however it is necessary to observe the principles of processing and enforcement of legally established obligations.
In this sense, consent of the data subject is one of possible legal grounds for processing, which implies voluntary, established, informed and undeniable expression of will of such person, whereby the person consents to the processing of his/her personal data by statement or clear affirmative action. The person shall be authorised to withdraw consent at any moment, which right he/she shall be informed of before giving consent. While estimating whether the consent for personal data processing was given freely, one must particularly pay attention to whether the execution of contracts, including service rendering, is conditioned by giving consent that is not necessary for its execution.
Consent can therefore be a proper legal basis for processing only if the statement of will of the data subject meets all requirements prescribed by the Law.
4.Transfer of data to the US
According to the clarification given in form of answer of the Commissioner to the question posed, standard contractual clauses established by the Commissioner in accordance with the Law represent one of the possible ways of ensuring appropriate measures for data protection during their transfer to another state, to a part of its territory or one or more industrial sectors in that state and/or international organisation, but only when it refers to relationship between controller and processor.
In other words, they are not applicable to transfer by controller to another controller, considering that the domestic law, unlike the GDPR, does not recognise this type of standard contractual clauses.
5.Processing data from criminal records
Finally, the Commissioner took the position – again as the answer to the question – that legal basis for personal data processing that is necessary for the purpose of adhering to the controller’s legal obligations (in terms of Article 12, paragraph 1, item 3 of the Law) needs to be specified in law, wherefore processing of personal data referring to criminal judgments and offences and safety measures (including insight into such data) would be lawful provided that it is necessary for execution of special legally envisaged obligations of the controller.
Namely, Article 19, paragraph 1 of the Law prescribes that processing of personal data that refer to criminal judgments and offences and safety measures shall be done on basis of Article 12, paragraph 1 of the Law (i) only under the supervision of competent authority or (ii) if the processing is permitted by law, with application of appropriate special measures for protection of rights and freedoms of the data subjects. According to Article 12, paragraph 1, item 3 of the Law, processing shall be lawful if it is necessary for the purpose of observing the controller’s legal obligations.
By Ivana Ruzicic, Partner, and Lara Maksimovic, Senior Associate, PR Legal