Serbia: Tracking of Employees – Case Study
Electronic measurement of working hours based on processing of location data is permitted under data protection and labour regulations under the following conditions:
i) intended business goals and purposes of processing are permissible under applicable regulations;
ii) intended processing of personal data is absolutely necessary for the controller and/or a third party to achieve the intended business goal(s);
iii) intended business goals and purpose(s) of processing cannot be achieved by less intrusive measures;
iv) rights and freedoms of data subjects are not to be overridden by the legitimate interest of the controller and/or third party.
To verify whether the said conditions are met, the controller must carry out a Data Protection Impact Assessment (DPIA) and afterwards inform the employees of the intended processing, following the mandatory requirements prescribed by the Law on Personal Data Protection (LPDP).
I Case - facts
The controlling company, a company which controls the businesses of a group of companies, intends to install an application on company mobile phones used by field employees, to enable electronic measurement of employees' working hours and to record their planned and performed activities (optional). The intended business goal is to provide proper calculation of salaries in the group companies by the controlling company. The purpose of the intended processing is electronic measurement of working hours to enable control of the calculation of salaries.
Working hours are recorded by a dedicated application with a unique code, installed in each facility of the respective company group, where it is available to the manager of the facility, as well as in company vehicles used by field employees. Location data are processed to locate the employees in real time. The following personal data are recorded: contact data, location of the employee when the application is in use, mobile phone number, date and time (start and completion of work in the facility), time and date of entering and leaving the company vehicle, and planned and performed activities entered by employees (optionally). Location data are only processed when the employee activates the installed dedicated application.
Prior to intended processing, employees enter personal data on paper forms manually.
The legal ground for the intended processing is the consent of the employee.
II Analysis
a) Are intended business goals and purposes of processing legitimate under applicable labour regulations?
The employer can adopt internal rules defining the manner and conditions under which it controls the fulfilment of obligations in terms of agreed working hours, assigned tasks and defined schedule. On the other hand, the right of the employer to regulate the said manner and conditions is limited by other regulations, including data protection regulations.
b) Is intended processing of personal data absolutely necessary and proportional to achieving intended business goals?
If the answer to the question under a) is affirmative, the question to be analysed and answered is whether the intended processing of personal data is really necessary and proportional to achieve the intended purposes and business goals – control of working hours and proper calculation of employees’ salaries in the respective group of companies. In other words, is processing of employees’ location data and data on the start and completion of work in a facility, as well as the date and time of entering and leaving a company vehicle, necessary and proportional to the intended purposes of processing and to achieving the business goals – electronic measurement of working hours and enabling control and proper calculation of employees’ salaries?
i) Location data
The controlling company would not be in a position to have a clear picture of the level of work performed if it did not process location data. The processing of location data is necessary to confirm which facilities employees have visited and the scope of the work performed. Information limited to the number of facilities visited (without information on the location of facilities) would not enable the controlling company to determine the factual scope of employees’ work. The same applies to the location of the company vehicles: determining the factual time spent in them, between business facilities and different locations, would not be possible without processing of location data.
ii) Time and date of start and completion of work in the business facilities and entering and leaving the company vehicle
Processing of these personal data of employees is necessary and proportional to the intended business goal – these personal data are integral elements for the calculation of salaries.
c) Could intended business goals and purpose(s) of processing be achieved by less intrusive measures?
A less intrusive measure, such as control of work performed by senior staff or a designated employee as a preventive measure (sudden checks), could be taken into consideration. On the other hand, the question to be considered and clarified is whether the controlling company could justify its legitimate interest to control proper calculation of salaries by processing the location data, on the argument that engagement of senior staff or a designated employee would create additional costs.
The purpose of the DPIA, and the key matter in this case, is to evaluate whether the intended legitimate interest of the controlling company to process employees’ location data overrides the rights and freedoms of employees, i.e., whether the controlling company’s justification that imposing the said preventive measure increases business costs can be considered as overriding the rights and freedoms of employees.
Simply put, is processing of location data really necessary for optimisation of salary control procedures, or can this optimisation be achieved by less intrusive measures, such as sudden checks by senior staff or a designated employee? In our opinion, the fact that field employees are aware of the possibility of sudden checks could be a proportionate measure and meet the expected business goal of the controlling company. Further, it is considered a work duty of superiors to control the work and fulfilment of obligations of the team members they are responsible for. As for processing of the location of the company vehicle, a less intrusive measure which may be considered is to require the employees to submit proofs of payment or invoices for petrol and tolls paid, as well as a detailed daily report on the scope of conducted work, including the timeframe in which it was conducted.
d) Are the rights and freedoms of data subjects overridden by the legitimate interest of the controller and/or third party?
The risk to be evaluated is related to automated processing of personal data, i.e., whether automated processing may cause bias – affect proper calculation of salaries and, accordingly, discriminate against the employees or hamper their right to an adequate salary for the work performed. The other matters to be taken into account are the security of the application and of communication between the user’s application and the server, the location of the server (whether the server is located in the EU or a third country and whether an adequate transfer mechanism is applied), and the possibility for employees to exercise their data subjects’ rights. Depending on the risks identified, adequate technical and organisational measures, proportional to those risks, shall be defined and implemented to mitigate them to an acceptable level.
e) Legal ground for processing and privacy notice
According to the opinion of the Serbian SA, consent, as a legal ground for processing of personal data in employment, can be applied only in cases when employees are provided with benefits such as gifts for children, voluntary health or pension insurance, or discounts for buying certain products or using services. In other cases, other available legal grounds for processing shall be considered, due to the subordination of employees in employment relations – it may be questionable whether consent in employment relations can be freely given.
Once the DPIA is carried out, employees shall be notified of the intended processing – provided with a privacy notice containing all mandatory elements prescribed by the LPDP.