Why Personal Data Protection Is Critical in Employment Relations
In modern business, the protection of personal data has become one of the most significant legal and compliance issues, particularly in the context of employment. Employers process employee data on a daily basis: employment contracts, payroll information, health certificates, access control logs, and even video surveillance footage.
Yet many companies continue to underestimate the importance of proper data processing practices, exposing themselves to regulatory penalties and erosion of employee trust.
Common mistakes include collecting excessive data, failing to adopt internal privacy policies, or assuming that an employee’s consent automatically resolves all compliance obligations.
This guide explains how Serbian law and the GDPR regulate employee data, what obligations employers must fulfill, and how to achieve full compliance.
Legal Framework in Serbia – Personal Data Protection Act and the GDPR
In the Republic of Serbia, the key regulation governing this area is the Personal Data Protection Act, which is largely harmonized with the EU General Data Protection Regulation (GDPR).
The Act applies to all employers, legal entities and individuals alike, who process employee data, regardless of company size. It regulates:
principles of data processing (lawfulness, purpose limitation, data minimization, accuracy, integrity, confidentiality),
the rights of data subjects,
obligations of data controllers and processors,
the competence of the Commissioner for Information of Public Importance and Personal Data Protection.
Although the GDPR is not directly applicable in Serbia, the national law mirrors its core concepts. Therefore, an employer who complies with the GDPR will, in most cases, comply with Serbian regulations as well.
What Counts as Employee Personal Data?
Personal data includes any information relating to an identified or identifiable natural person. In employment, this extends far beyond basic HR records.
Examples of employee personal data:
Basic identification data: name, surname, national ID number (JMBG), address, ID card number, phone, email
Employment-related data: employment contract, salary, bonuses, working hours, leave records
Special categories of data (sensitive data): medical records, disability status, trade union membership
Technical and metadata: IP addresses, geolocation of company devices, system access logs
Video and audio recordings: CCTV footage or audio logs from the workplace
In practice, almost any information that can identify an employee qualifies as personal data and must be processed lawfully, transparently, and proportionately.
Employer Obligations Under Serbian Law and the GDPR
Every employer who processes employee data is considered a data controller and must ensure compliance with the following obligations:
1. Transparency and Employee Notification
The employer must clearly and openly inform employees about:
the purpose and legal basis for processing,
categories of data collected,
employees’ rights,
the contact details of the Data Protection Officer (if appointed),
retention periods and potential data recipients.
2. Records of Processing Activities
Employers must maintain an internal record of all processing activities, including:
categories of data subjects,
types of data processed,
purposes of processing,
legal grounds,
technical and organizational security measures.
3. Data Security Measures
Employers are required to implement appropriate technical and organizational measures, such as:
access control,
encryption,
regular backups,
incident response procedures,
monitoring of access logs.
4. Appointment of a Data Protection Officer (DPO)
A DPO must be appointed when data processing is extensive or systematic, or when sector-specific regulations require it (e.g., banking, healthcare, public bodies).
Common Misconceptions Among Employers
“My company does not process personal data.”
Any employer that maintains employee records, issues pay slips, or uses video surveillance processes personal data and must comply with the law.
“Employee consent is enough.”
Consent is not the preferred or most reliable legal basis in employment due to the imbalance of power. Employers should rely primarily on:
legal obligations,
contractual necessity,
legitimate interests.
“I can monitor employee emails and social media.”
Monitoring must be proportional, necessary, and clearly communicated to employees in advance. Secret monitoring of private messages or personal social media accounts is unlawful.
“Video surveillance is always allowed.”
Video surveillance is lawful only when justified, such as for the security of people and property. Employees must be informed, and cameras are strictly prohibited in changing rooms, restrooms, and similar areas.
“BYOD gives the employer full access to the device.”
Under BYOD (Bring Your Own Device), employers may not access private data or install monitoring software without explicit, valid consent.
Employee Rights Under Serbian Law and the GDPR
Employees have the right to:
access information about how their data is processed,
request correction of inaccurate data,
request erasure (“right to be forgotten”) in specific cases,
restrict processing or file an objection,
receive a copy of their data in a portable format.
Employers must respond to requests within 30 days, with a possible extension of an additional 60 days, accompanied by a written explanation.
Penalties and Consequences of Non-Compliance
Serbian law provides monetary penalties of:
up to 2,000,000 RSD for legal entities,
up to 50,000 RSD for responsible persons within the company.
Under the GDPR, penalties are significantly higher:
up to EUR 20 million,
or 4% of global annual turnover, whichever is higher.
Example:
In 2020, H&M was fined EUR 35 million for unlawful monitoring of employees’ private lives and improper handling of sensitive data.
Beyond monetary penalties, non-compliance results in:
loss of employee trust,
reputational harm,
operational and HR disruptions,
reduced productivity due to weakened workplace culture.
How Employers Can Achieve Compliance
1. Drafting Internal Policies and Privacy Documentation
Employers should adopt:
Employee Personal Data Protection Policy,
CCTV and monitoring policy,
BYOD policy,
policies governing the use of company devices and system access.
2. Training Employees and HR Personnel
Regular training ensures that HR teams and managers understand their responsibilities and avoid unintentional violations.
3. Risk Assessment and Process Audit
Legal and IT professionals can perform data mapping, identify high-risk processing activities, and recommend corrective measures.
4. Implementation of Security Measures
These include:
encryption,
antivirus protection,
controlled access to sensitive documents,
monitoring of system logs and access rights.
The Role of an Attorney in Data Protection Compliance
A lawyer specializing in data protection can help employers:
draft or revise internal policies,
conduct compliance audits,
represent the company before the Commissioner,
train employees and management,
implement GDPR-aligned standards within business processes.
In practice, cooperation with a legal expert often determines whether a company avoids accidental violations and maintains fully compliant, secure operations.
Conclusion
Personal data protection is not merely a legal requirement; it is the foundation of trust between employers and employees. Companies that manage employee data responsibly not only avoid penalties but also strengthen organizational culture and long-term reputation.
Frequently Asked Questions (FAQ)
1. What qualifies as employee personal data?
2. Can an employer monitor an employee’s work email?
3. Is video surveillance allowed in the workplace?
4. When is employee consent valid?
5. What rights do employees have under Serbian law and the GDPR?
6. What does BYOD mean and what are the privacy risks?
7. What penalties apply for violating data protection rules?
8. When is a Data Protection Officer (DPO) mandatory?
If you are unsure whether your internal processes comply with Serbian law and the GDPR, our law firm can provide a full compliance assessment and help you implement all required measures to protect both your business and your employees.