Author: Jelena Blagojević Lukić

Regulation and control of personal data that is being collected by the subjects known as controllers or processors, has a really important role, having in mind that processing of such data controllers, that is processors are going into the private sphere of every individual whose data is being processed. In addition to the above, we must notice that in this case there would be an encroachment on human rights, keeping in mind that the category of personal data and the rights for their protection in the European union are aimed high as well as basic human rights, as it is proclaimed by the EU regulations. By now we’ve all heard of the well known GDPR (General Data Protection Regulation), that has changed the way of processing and collecting personal data in the EU, and also beyond the borders of the EU, in Serbia that is by the Law on processing personal data[1]  that has been implemented in August 2019 (hereinafter referred to as “The Law”), and which has been written based on, and in accordance with the General Data Protection Regulation.

To get to know the subject of this text better, in the beginning we need to explain that the GDPR and The Law, in their articles state the direct use of principles, that is lawfulness on which they relay, and all that for the purposes of better protection of the people whose personal data is being processed, as a prior a weaker side in the legal relations in which they are considered as so because of the processing of their personal data.

The first principle that The Law states is the one which concerns the lawfulness of processing, that is states in which situations will the processing be considered in accordance with The Law, and also exhaustively enumerates six bases of processing, which differ both in terms of content and form, namely: 1) consent of the person to whom the processes personal data refer, 2) execution of contractual obligations; 3) fulfillment of the controller’s legal obligations; 4) protection of vital interests of persons  to whom the data refer; 5) performance of work in the public interest or execution of the operators legally prescribed powers and 6) legitimate interest of the controller or a third party.

The most common base of processing, in the case of processing data form the employees form the employer is fulfillment of the controller’s legal obligations that the employer has as a controller, for example, when he processes the personal data of his employees in order to register them on the mandatory social insurance, that is pay the taxes and fees in order to act as he is obligated by law.

With the mentioned base, the employer processed the personal data of his employees and on the base of execution of contractual obligations, so the personal data that is consisted in the work contracts would be processed whit this base, for example, the data of employees that refers to their pay, like their bank accounts. Having the above in mind, the Employer’s needs this data form their Employees in order to fulfill his legal obligations by which the employer is the controller of data in accordance with principle of lawfulness of processing.

The most questions and doubt surely appears in the processing of personal data when the base of processing is consent of the employee. With the mentioned base of processing, we must say that there is a lot of uncertainty whit the legitimate interest as one of the basis of processing as well, but in this article the focus will be on the consent as the lawfulness of processing.


The Law states that processing personal data is lawful if the person to whom the data refers to has given consent to the processing of personal data for one or more specific purposes.[2]

It is important to mention that consent as a base of processing personal data is to be used just if there is no other base so that the processing could be lawful, and the controller, that is processor wants to process the data. So,  just after the controller goes through all the other bases of processing and determines that no other base could be used, then he must ask the person to whom the data refers to for consent, that is the base for that kind of processing would be consent of course in accordance with The Law.

The Law also states some characteristics of the consent, that is that it must be given as a clear confirmation that consists of a voluntary, concrete, informed and unambiguous  consent of the person whose data is being processed, this means a written consent, that can be given electronically, but also a consent given in oral form. Although The Law includes the oral form as a consent it is strongly advised against it because of the problem with the potential proving of it.

The Law states situations where if the consent is given, it will not be considered as lawful, that is:

  • if the person is passive or restrained;
  • if the check box for giving consent in electronic form is already ticked;
  • if there is a clear inequality between the parties, which is especially seen in the relationship between employer-employee, also if the one side is a state entity;
  • if there is no true and free choice;
  • if it is impossible to reject or to withdraw the consent without consequences.


When we talk about the specific situations were the employer considers consent as a base for processing his employees personal data, in most cases those are the situations were the employer wants to promote himself, for example, on a website where he posts photos of his employees, as well as various photos from events, manifestations, visits and other, and of course posts of the employees achievements, biographies, studies, all kind of positions, and other personal data that can’t be used by other bases then consent. Beside consent, the employer often uses the legitimate interest as a base for processing the above mentioned data.

Keeping in mind what has been previously said about the relationship between employer and the employee in the sense of giving consent, consent would be the weakest base for processing personal data for many reasons.

First of all, once given consent can always be withdrawn, in that case the employer cannot continue with the collecting and processing of the data. Further more, consent can be used just in specific situations that are not necessary for the work contract, that is why another base for processing can be used. Consent cannot be given in general for every form of processing, it can only be used for a specific and clear data processing. Lastly, the most important thing is that consent cannot be given as a base for processing if the data refers to the weaker party, that is the party that is considered to be in a subordinate position in regard to the controller, which is in fact the situation between the employer and the employee, this is the stand of the European Data Protection Board (hereinafter referred to as “EDPB”) in their Guidelines regarding consent as a basis for processing[3] (hereinafter referred to as Guidelines), as well as the Work body of EDPB in their Opinion on data processing at work[4] and Opinion on the processing of personal data in the employment context[5] (hereinafter referred to as” Opinions”).

Having the above in mind, EDPB in their Guidelines highlights the “power imbalance” in the concept of employment. Because of the dependency, that is the subordinate position that exists in the relationship between the employer and the employee, the employer would hardly prove the consent of the employee for the date processing without the fear and risks of the damaging consequences of the consent not being given. There is a small chance that the employee would have the freedom to respond to the employers request for giving the consent for the processing of personal data without any pressure from the employer. That being said, EDPB, referencing to the Opinions of their Working body, thinks that the employer is risky and problematic to process personal data of their employees based on their consent, because it is likely that the consent is given freely. That is why, for the processing of most data regarding labor, lawful base of processing cannot be consent, because of the relationship between the employer and the employee. However, that doesn’t mean that the employer cannot ever process the personal data of his employees based on consent, just that the employer is then obligated to prove that the consent is given freely, which is not that easy because of the mentioned  “power imbalance” and limiting on the specific situations when the employee wouldn’t have any consequences if the consent is given or not.

The Working body of EDPB in their Opinions state that the employees are almost never able to give their consent freely, refuse or withdraw it, because of the dependence relationship they have with the employer. Even in cases were it seems like the consent could be given like a fair base for processing (that is if it could undoubtedly seem like the consent is given freely), it must be explicit and explained, that is, that it is an unquestionable expression of his free will.

Exclusively, personal data of the employees as their name and last name, occupation, work place, education, photos and other, can be published exclusively by initiative, that is on an explicit request of the employee on which the data refers, that can be the case when the employee wants to promote himself, show his knowledge and abilities, in that case the consent can be considered as lawful. However, when the business of the employer allows the publication of such data for the purpose of business development and success, that is when the initiative to publish the employee’s photo and name, comes form the employer himself, legitimate interest can  be an adequate legal basis for processing.

Having all the above in mind, the conclusion is that consent as a potential base for personal data processing isn’t adequate for the employer in processing data of his employees, that is were the employer is in a dominant position against the person whose data is being processed, because it would be difficult to determine if the consent given by the employee is freely given, without any influence and pressure from the employer. It is then advised not to use consent as a base for processing of personal data that refers to the employees, if it can be avoided, because of the possible violations of The Law and sanctions that The Law states in case of an unlawful processing of personal data.


[1] Law on processing personal data

[2] The Law article 12, paragraph 1, dot 1.

[3] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679

[4] Opinion 2/2017 on data processing at work (WP 249)

[5] Opinion 8/2001 on the processing of personal data in the employment context (WP 48)