Risks and Challenges of Using Publicly Available Data
In today’s digital age, with countless publicly available sources containing all types of personal data, it is easy to use them for background checks on potential employees without a second thought. The data contained in LinkedIn profiles, Instagram and TikTok posts, public reviews, comments and interactions may be tempting for employers, as it can provide additional insight into the personality and values of potential employees. Moreover, the digital era brought the possibility to scrutinize various official records within minutes – an activity that in the past could take days or even months.
All of this seems like a goldmine for employers trying to learn more about potential employees. Although accessing these data is easy, it does not imply that they can be used freely – especially if you are in Serbia or the EU, where data protection is heavily regulated.
In this article, we analyze what Serbian employers can and cannot do with publicly available personal data, why criminal record checks are mostly off-limits, and how the system differs from the way it works in the US.
What Counts as “Publicly Available Personal Data”?
This includes any personal info that has been made available to the public in a legal way. Examples include:
- LinkedIn or other professional profiles
- Public social media posts (Instagram, Facebook, X, TikTok, etc.)
- Data from public records or registers (like company or professional licensing databases)
Crucially, the fact that data is “publicly available” does not strip it of its status as “personal data” under the Serbian Data Protection Law (DPL) and General Data Protection Regulation (GDPR). It simply means the initial accessibility is broader and simpler. An employer’s subsequent processing (collection, storage, analysis, use) of this data must still comply with data protection requirements specified in applicable laws and regulations.
Can Employers in Serbia Use Public Info When Hiring?
Using publicly available information is pretty standard when running an employee background check, as it is not per se prohibited. However, it must be carried out in line with the rules laid out in the DPL, which is materially harmonized with the EU’s GDPR.
The key points employers must keep in mind are as follows:
Lawful Basis to Process the Personal Data
Employers must have a valid reason to collect and use public information, such as:
- Legitimate Interest: An employer might argue a legitimate interest in verifying a candidate’s qualifications or professional experience published online. However, this requires a balancing act: the employer’s interest must not override the individual’s fundamental rights and freedoms. The scope must be reasonable and proportionate – simply “checking someone out” out of curiosity is unlikely to qualify as having a legitimate interest.
- Consent: While it is possible to obtain explicit consent for processing from the candidates, relying on the individual’s consent to process publicly available data can complicate the process (as, in the worst case, it may result in explicit dissent). Therefore, trying to identify appropriate legitimate interests usually represents the more effective yet more risky path that the employers take.
- Performance of a Contract / Pre-contractual Measures: Relevant if the data directly relates to assessing suitability for fulfilling the specific job requirements outlined.
Purpose Limitation
If you are gathering information to check someone’s job qualifications, do not use it later for unrelated reasons. Keep the purpose clear and specific. Complete understanding and balancing between employer’s needs and individual’s rights is crucial to reach maximum compliance with the applicable laws.
Data Minimization
Only collect the information necessary to decide whether to hire someone. In today’s world, a massive amount of data is available, but when it comes to hiring/employing, a focused, limited approach is a must if you wish to stay compliant.
This is also important because you must inform the candidates—within a reasonable timeframe after gathering data—about where the data came from, why you are processing it, and what rights they have, like accessing, correcting, or objecting to the processing, etc.
Labour Law Limitations
Serbian Labour Law restricts employers to requesting only information directly related to job tasks and the employment relationship. This principle also applies to data available from public sources. If the information found online (e.g., personal opinions, holiday photos) is not directly relevant to the candidate’s ability to perform the job, processing it is likely unlawful under both the Labour Law and the DPL.
What About Criminal Records?
This is where Serbian law draws a hard line. Under the DPL, processing criminal history is off-limits, unless:
- Carried out under the control of an official authority; or
- Authorized by Serbian law providing for appropriate safeguards for the rights and freedoms of data subjects.
What does that mean for employers?
- Do not go looking for it: You must not check whether someone has a criminal past by searching public records or online sources.
- Do not ask unless the law provides you can: Unless a job is legally required to include a criminal background check (like working with kids, in the security sector, or in certain public service positions), you cannot even ask the candidate about their potential convictions.
- Severe consequences: Unlawful processing of personal data, especially sensitive data like criminal records, can lead to significant fines imposed by the Serbian Commissioner for Information of Public Importance and Personal Data Protection, as well as potential criminal liability under the Serbian Criminal Code.
How Does This Compare to the US?
While US law has certain strict rules on personal data (like the FCRA), the default level of protection and the requirement for a proactive legal basis are looser than in Serbia and the EU. Here is a brief comparative look:
| Serbia/EU (DPL/GDPR) | United States |
| --- | --- |
| There are strict rules, applicable both on their territories and in certain cases for international data collection and processing. A specific legal basis to process any personal data is a must. | More relaxed. Data use is generally allowed unless a law says otherwise. |
| Covers all personal data, not just certain categories. | Laws vary by type of data (health, financial, kids) and by state. |
| Special protection for sensitive info (like criminal records). | Criminal checks are common and legal in many situations, but there are some federal and state-level rules that may limit the scope of the permitted background checks. |
| Strong enforcement and severe fines are possible. | Enforcement depends on the applicable law; some states have weaker oversight. |
The digital footprint of individuals offers tempting insights for employers, but navigating the use of publicly available personal data requires careful adherence to Serbia’s robust data protection framework. The DPL (which is generally aligned with GDPR principles) and specific requirements arising out of the Labour Law contain a broad set of rules and boundaries for personal data collection and processing. Furthermore, the generally applicable strict prohibition on processing criminal records under Serbian law demands extreme caution. By understanding and respecting these rules, businesses can build trust, mitigate legal risks, and foster fair and compliant recruitment practices in Serbia.
Disclaimer: This article provides general information and does not constitute legal advice. Specific situations should be discussed with qualified legal counsel.