Serbia: Personal Data Processing during the State of Emergency Caused by COVID-19 Pandemic
In the state of emergency, measures taken by the state certainly affect the exercise of some human rights. Thus, in the Republic of Serbia the right to freedom of movement has been limited during the state of emergency declared due to COVID-19 pandemic. However, the exercise of the right to protection of personal data has in no way been limited.
Therefore, even in these new circumstances, data controllers and data processors are obliged to ensure that each processing of personal data is legally grounded and for permitted purpose, i.e. that such processing is carried out in a manner and in accordance with the principles of processing set out in the Law on Personal Data Protection (“Law”).
However, notwithstanding the obligation of data controller and processor to carry out their activities in accordance with the Law and other relevant regulations even during the state of emergency, it seems that in this period full realization of individuals’ right to protect personal data is still challenging.
Processing and Publishing Data on Persons Infected with the Corona Virus.
As a reminder, personal data are all those data by which the identity of an individual is identified or identifiable.
Data on health condition, that causes the greatest interest during the pandemic, represent a special type of personal data, whose processing is generally prohibited, except under very restrictive requirements determined by the Law.
As an example, processing of data on individual’s health condition would be permitted if:
- “the data subject gave his/her explicit consent for processing”;
- such processing “is necessary for the protection of vital interest of the data subject or another natural person, where the data subject is physically or legally incapable of giving consent”;
- “the data subject has manifestly made public his/her personal data”;
- such processing “is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medical products or medical devices…”.
Given the unrestricted exercise of the right to protection of personal data during the state of emergency, processing of data on individuals’ health condition would be allowed if carried out within the limits of given authority as well as based on applicable regulations, including the acts issued during the state of emergency.
Therefore, when making publicly available the data on infected persons, it is particularly necessary to take care not to publish the data identifying or making identifiable the identity of such persons, except when necessary under the conditions from the Law and by applying the principle of data minimization.
On the other hand, processing the personal data on persons infected by corona virus for scientific research is not contrary to the Law, whereby the controller may only be the organization which, in accordance with the law, is registered for scientific research activity and is responsible to comply with the Law.
Processing of Personal Data while “Working from Home”.
After the state of emergency has been declared, the need for the employers to organize the work of their employees from home arose. Thus, in order to simplify the procedure related to assignment the employees to work from home, the Decree on Organizing the Work of the Employers during the State of Emergency was issued. However, organizing the work from home represents a particular challenge when it comes to the personal data security (and data in general) that employees process while performing their work duties. This due to the fact that the business was transferred from the employers’ work premises to the employees’ homes.
The controllers and processors who, during the state of emergency, organize work of their employees remotely, if such work includes the personal data processing, are obliged to ensure appropriate measures for protection of such data, in accordance with principle of integrity and confidentiality. This includes taking measures such as checking the security of web connections and correspondence via official e-mails etc. aiming to protect the personal data of both employees and employers’ clients.
Finally, employees acting as processors of personal data are not authorized to independently make decisions about the manner of personal data processing under the changed circumstances but have to comply with the instructions of their employers as controllers.
Processing of Employees’ Personal Data by the Employer.
During the pandemic, the employers will probably be in a position to process some employees’ personal data which they normally do not process (such as health data that are sensitive data requiring the special treatment).
In this regard, the employers should process only those personal data necessary for identification of potentially infected employees, with full respect of principle of necessity, proportionality and responsibility. All this in order to protect the personal data as much as possible as well as to reduce the possible violation of the right to privacy. Related to that, personal data protection authority has informed the public that employees in the companies should be informed that “some of their colleagues are infected by the COVID-19” but the employers are not allowed to identity of those persons.
On the other hand, in order to disclose some data on health condition of their employees to certain state authorities, the employers must have a valid legal ground. Certainly, upon termination of the state of emergency, employers shall be obliged to return to a regular data processing regime, including the permanent deletion of collected employees’ health data.
Considering the implementation of certain measures during the COVID-19 pandemic, it is very important that business entities, that are data controllers or data processors, adjust their business to the new circumstances in such a manner to carry out the personal data processing in accordance with the Law even during the state of emergency. All this since, due to the unlawful processing of their personal data, individuals would, inter alia, be entitled to demand damage compensation from the controller or processor.