AZOP (Croatia) - Decision 04-08-2022

From GDPRhub
AZOP - Opinion on processing of personal data of workers - scanning of identity cards, bank card
LogoHR.png
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 6 GDPR
Article 5 GDPR
Zakon o radu (NN 93/14, 127/17, 98/19) (Croatian Labour Act)
Type: Advisory Opinion
Outcome: n/a
Started:
Decided:
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: Opinion on processing of personal data of workers - scanning of identity cards, bank card
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: Presido Croatia

The Croatian DPA stated in an advisory opinion that the scanning of employees' identity and bank cards may not be based on compliance with a legal obligation under Article 6(1)(c) GDPR since no national law required them to do so. The DPA also excluded the validity of the employee's consent and opined that, whilst employers may use legitimate interests under Article 6(1)(f) GDPR, they must still comply with data protection principles under Article 5 GDPR.

English Summary

Facts

In Croatia, many employers ask for identity cards and bank cards of their employees in order to scan them and store them in their records. The Croatian DPA issued an opinion on such processing of workers' personal data.

Holding

The DPA pointed out that for processing to be lawful, it needs to have a legal basis under Article 6(1) GDPR.

First, the DPA considered whether the processing was necessary for compliance with a legal obligation under Article 6(1)(c) GDPR. It noted that this legal basis needs to be laid down by Member State or Union law. Article 29(1) of the Croatian Labour Act stipulates that the personal data of workers may be collected, processed, used and transmitted to third parties only if it is determined by this or another law or if it is necessary for the purpose of exercising the rights and obligations of the employment relationship. As for the former, the Act only stipulates in Article 5 that the employer is obliged to keep records that must contain information about their workers and working hours. As for the latter, if processing is necessary for the purpose of exercising the rights and obligations of the employment relationship, Article 29(2) of that Act states that the employer must determine this in advance by the Labour Regulations. For this reason, the DPA determined that the Croatian labour law does not impose a legal obligation on employers to copy or scan identity documents or bank cards of their employees. Consequently, Article 6(1)(c) GDPR may not be used as a legal basis for such processing of personal data.

Second, the DPA considered whether consent could serve as a legal basis for the processing under Article 6(1)(a) GDPR. It opined that consent cannot be considered as a legal basis for the processing of personal data of employees or potential employees, unless they can refuse the processing without adverse consequences for them. The DPA pointed out that employees are rarely in a situation to freely give, refuse or withdraw their consent in view of their dependence on their employer. Hence, except under exceptional circumstances, employers have to rely on some other legal basis than consent.

Lastly, the DPA noted that employers could potentially use their legitimate interests as a legal basis for the processing at hand under Article 6(1)(f) GDPR, albeit this would depend on how the balance between their legitimate interests and their employees' interests would be struck in a particular case. However, it warned that even with an adequate legal basis for processing, employers would have to comply with data protection principles under Article 5 GDPR, including the data minimisation principle. This requires that personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The DPA doubted, for instance, that the verification number (CSC, CVV or HVS) of a bank card, which serves as proof of physical possession of the card at the time of online purchase, would be necessary information for the purpose of paying the employee's salary. Hence, if a legitimate interest in copying or scanning the employee's bank card was proven, appropriate technical measures should still be implemented in regard to data that is not necessary (for example, some data may need to be redacted).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

Further to your inquiry, in which you essentially ask about the processing of personal data of employees, scanning of identity cards, bank cards, etc., the Agency for the Protection of Personal Data expresses itself as follows:

Primarily, we point out that any collection and processing of personal data in accordance with the General Data Protection Regulation requires the existence of a legal basis from Article 6 of the General Data Protection Regulation, which stipulates that the processing is legal only if and to the extent that at least one of of the following:

(a) the subject has given his consent for the processing of his personal data for one or more specific purposes;

(b) the processing is necessary for the execution of a contract to which the respondent is a party or in order to take actions at the request of the respondent before concluding the contract;

(c) the processing is necessary to comply with the legal obligations of the controller;

(d) processing is necessary to protect vital interests of the data subject or other natural person;

(e) the processing is necessary for the performance of a task of public interest or in the exercise of the official authority of the data controller;

(f) processing is necessary for the purposes of the legitimate interests of the controller or a third party, except when these interests are stronger than the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, especially if the data subject is a child.

If the legal basis for the processing of personal data is a legal obligation of the controller, then that legal basis must be established in the law of the Union or the law of the member state to which the controller is subject, and the purpose of the processing must also be determined by that legal basis.

Article 29, paragraph 1 of the Labor Law (Official Gazette 93/14, 127/17, 98/19) stipulates that the personal data of workers may be collected, processed, used and delivered to third parties only if this is determined by this or another law or if it is necessary for the exercise of rights and obligations from the employment relationship, i.e. in connection with the employment relationship.

Furthermore, Article 29, Paragraph 2 of the aforementioned Act stipulates that if personal data from Paragraph 1 of this Article needs to be collected, processed, used or delivered to third parties in order to exercise rights and obligations from the employment relationship, i.e. in connection with the employment relationship, the employer must determine in advance by the work regulations which data will be collected, processed, used or delivered to third parties for this purpose.

Article 5, paragraph 1 of the Labor Law (Official Gazette 93/14, 127/17, 98/19) stipulates that the employer is obliged to keep records of the workers employed by him.

Paragraph 2 of the same article and law stipulates that the records must contain data on workers and working hours.

However, in the context of your inquiry, it is important to note that copying or scanning an identity document or bank card is not a legal obligation of the employer based on the aforementioned regulation, which means that the aforementioned legal regulation does not constitute a legal legal basis for copying or scanning the aforementioned documents.

Additionally, please note that the bank account card contains, among other things, the card verification number (CSC, CVV or HVS), which is a unique 3- or 4-digit number printed on the card next to the account number and serves as proof of physical possession of the card at the time of online purchase and reduces the possibility of fraud. The Agency has no clear legal basis for the processing of the mentioned personal data by the employer.

As for the identity card or driver's license, it also contains certain personal data of the respondent for which the legal basis of the legality of the processing is also questionable (for example, a photograph of the employee).

As for consent, in opinion no. 249 on the processing of data in the workplace, the Working Group for Data Protection from Article 29 of Directive 95/46/EC (currently the European Data Protection Board) expresses the opinion that, most likely, consent cannot be considered as a legitimate legal basis for the processing of personal data of workers or potential workers, unless they can refuse processing without adverse consequences.

Since workers are rarely in a situation to freely give, refuse or withdraw consent given the dependence arising from the relationship between employer and worker, consent is often not an adequate legal basis for the processing of personal data in the employment relationship.

Except in exceptional situations, employers will have to rely on some other legal basis that is not consent, for example the proven legitimate interest of the controller.

However, even with an adequate legal basis, the controller must take into account the principles of personal data processing from Article 5 of the General Data Protection Regulation, including the "principle of reducing the amount of data" which requires that personal data must be appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

It is not clear, for example, that the verification number of the card would be necessary data for the purpose of paying the employee's salary, therefore if a legitimate interest in copying or scanning the employee's bank card was proven, appropriate technical protection measures should be implemented over data that is not necessary (for example, blacking out data).

In conclusion, you can try to prove a legitimate interest by conducting a proportionality test to determine whether the legitimate interest of the controller outweighs the interests of the worker, in which case you should opt out of processing. You can find the proportionality test form at the link: https://azop.hr/obrasci-predlosci/.