AZOP (Croatia) - Decision 04-08-2022

From GDPRhub
Revision as of 14:47, 30 August 2022 by Ea
AZOP - Opinion on processing of personal data of workers - scanning of identity cards, bank card
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 6 GDPR
Type: Advisory Opinion
Outcome: n/a
Started:
Decided:
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: Opinion on processing of personal data of workers - scanning of identity cards, bank card
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: Presido Croatia

The Croatian DPA issued an advisory opinion in which it stated that the scanning of workers' identity and bank cards constitutes excessive collection of personal data.

English Summary

Facts

In Croatia, many employers ask for identity cards and bank cards of their employees in order to scan them and store them in their records. The Croatian DPA issued an opinion on such processing of workers' personal data.

Holding

The DPA pointed out that for such processing of personal data to be necessary for compliance with a legal obligation under Article 6(1)(c) GDPR, this legal basis needs to be laid down by Member State or Union law. Since Croatian labour law does not impose a legal obligation on the employer to copy or scan an identity document or a bank card, the mentioned legal regulation does not represent a legal basis for copying or scanning said documents.

It is important to note that copying or scanning an identity document or bank card is not a legal obligation of the employer based on the aforementioned regulation, which means that the aforementioned legal regulation does not constitute a legal basis for copying or scanning the aforementioned documents.

The Croatian DPA additionally notes that a bank card also carries the card verification number (CSC, CVV or HVS), which serves as proof of physical possession of the card at the time of an online purchase and reduces the possibility of fraud.

AZOP does not see a clear legal basis for the processing of the mentioned personal data by the employer.

As for consent, in Opinion no. 249 on data processing at work, the Article 29 Working Party (established under Directive 95/46/EC and since replaced by the European Data Protection Board) takes the view that consent most likely cannot be considered a legitimate legal basis for processing the personal data of workers or prospective workers, unless they can refuse the processing without adverse consequences.


English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

Further to your inquiry, in which you essentially ask about the processing of personal data of employees, scanning of identity cards, bank cards, etc., the Agency for the Protection of Personal Data expresses itself as follows:

Primarily, we point out that any collection and processing of personal data in accordance with the General Data Protection Regulation requires the existence of a legal basis under Article 6 of the General Data Protection Regulation, which stipulates that processing is lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) the processing is necessary to comply with the legal obligations of the controller;

(d) processing is necessary to protect vital interests of the data subject or other natural person;

(e) the processing is necessary for the performance of a task of public interest or in the exercise of the official authority of the data controller;

(f) processing is necessary for the purposes of the legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

If the legal basis for the processing of personal data is a legal obligation of the controller, then that legal basis must be established in the law of the Union or the law of the member state to which the controller is subject, and the purpose of the processing must also be determined by that legal basis.

Article 29, paragraph 1 of the Labor Law (Official Gazette 93/14, 127/17, 98/19) stipulates that the personal data of workers may be collected, processed, used and delivered to third parties only if this is determined by this or another law or if it is necessary for the exercise of rights and obligations from the employment relationship, i.e. in connection with the employment relationship.

Furthermore, Article 29, Paragraph 2 of the aforementioned Act stipulates that if personal data from Paragraph 1 of this Article needs to be collected, processed, used or delivered to third parties in order to exercise rights and obligations from the employment relationship, i.e. in connection with the employment relationship, the employer must determine in advance by the work regulations which data will be collected, processed, used or delivered to third parties for this purpose.

Article 5, paragraph 1 of the Labor Law (Official Gazette 93/14, 127/17, 98/19) stipulates that the employer is obliged to keep records of the workers employed by him.

Paragraph 2 of the same article and law stipulates that the records must contain data on workers and working hours.

However, in the context of your inquiry, it is important to note that copying or scanning an identity document or bank card is not a legal obligation of the employer under the aforementioned regulation, which means that the aforementioned legal regulation does not constitute a legal basis for copying or scanning the aforementioned documents.

Additionally, please note that a bank card contains, among other things, the card verification number (CSC, CVV or HVS), a 3- or 4-digit number printed on the card next to the account number which serves as proof of physical possession of the card at the time of an online purchase and reduces the possibility of fraud. The Agency does not see a clear legal basis for the processing of the mentioned personal data by the employer.

As for the identity card or driver's licence, it also contains certain personal data of the data subject for which the legal basis for the lawfulness of processing is likewise questionable (for example, a photograph of the employee).

As for consent, in Opinion no. 249 on data processing at work, the Article 29 Working Party (established under Directive 95/46/EC and since replaced by the European Data Protection Board) takes the view that consent most likely cannot be considered a legitimate legal basis for processing the personal data of workers or prospective workers, unless they can refuse the processing without adverse consequences.

Since workers are rarely in a situation to freely give, refuse or withdraw consent given the dependence arising from the relationship between employer and worker, consent is often not an adequate legal basis for the processing of personal data in the employment relationship.

Except in exceptional situations, employers will have to rely on some other legal basis that is not consent, for example the proven legitimate interest of the controller.

However, even with an adequate legal basis, the controller must take into account the principles of personal data processing under Article 5 of the General Data Protection Regulation, including the "data minimisation" principle, which requires that personal data be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

It is not clear, for example, that the card verification number would be necessary for the purpose of paying the employee's salary; therefore, if a legitimate interest in copying or scanning the employee's bank card were proven, appropriate technical protection measures should be applied to the data that is not necessary (for example, blacking out that data).

In conclusion, you can try to prove a legitimate interest by conducting a proportionality test to determine whether the legitimate interest of the controller outweighs the interests of the worker; where it does not, you should refrain from the processing. You can find the proportionality test form at the link: https://azop.hr/obrasci-predlosci/.