The Commissioner for Information of Public Importance and Personal Data Protection said today that all employers who use or intend to use biometric data processing measures to record workplace attendance by employees or to log working hours must take into account that such measures could in most cases be unjustified and contrary to the law.

Emphasizing that such measures, of which processing of employees' finger prints is most frequently used, even when they are used with formal consent constitute, as a rule, inadmissible data processing, Commissioner Rodoljub Sabic also said the following:

"According to the Labour Law and the Law on Records in the Field of Labour, employers surely have the right to process data on working hours log within the records set out by these Laws. Processing of any other data not regulated by the law requires consent from a person to which the data pertain. However, even if employees gave their consent for collection of biometric data (fingerprint scanning), this does not mean that such data processing is allowed.

Namely, one of the main principles of the Law on Personal Data Protection is the principle of proportionality. It implies that only data which are obviously necessary and suitable to achieve the purpose of processing can be processed. Processing of data the number or type of which is disproportionate to the purpose of processing is inadmissible according to Article 8, item 7 of the Law.

Even after several Commissioner's warnings, the legal order in Serbia still does not have a law which would regulate in more detail the general principles established by the Law on Personal Data Protection in the field of biometric data. However, since personal data protection is a human right enshrined in the Constitution, according to Article 18, paragraph 3 of the Constitution, its protection is subject to the applicable international standards and the practice of international institutions which supervise compliance with those standards.

In that regard, I would like to remind you about one of the fundamental documents in this field – the Directive of the European Parliament and the Council 95/46/ЕC on the protection of individuals with regard to the processing of personal data and on the free movement of such data; as well as about the standards and guidelines of the Article 29 – Data Protection Working Party, the institution founded on the basis of Article 29 of this Directive.

Attitudes of this body about processing of biometric data are well-known and are based on the opinion that it constitutes a particularly invasive and risky invasion of an individual's privacy. These attitudes thus imply strict evaluation of proportionality of certain data. Processing of biometric data is allowed only when it is essential and necessary (access to protected premises or areas, keeping of secrets etc.), while introduction of biometric measures only to log working hours is excessive, disproportionate and constitutes unnecessary invasion of an individual's privacy."