Serbia - readiness/lack of readiness of controllers and processors and knowledge of individuals regarding application of the new Law on Personal Data Protection
Compliance with new legal solutions and correct application of the new Law on Personal Data Protection requires a substantial amount of time. This due to the fact that the new law incorporates both the practice of the EU and of the international law, primarily the EU Regulations and Directives, leading to completely new procedures and terms which need to be introduced. Compliance with the new law means that it could be fully applied in practice, but primarily to serve its primary purpose, i.e. to protect the right to privacy and personal data protection.
In that respect, all the entities in Serbia should have already complied with new legal solutions in the field of personal data protection, and predicted the costs and complied their business and work with this law.
What should be (should have been) done?
So far, more than 12,000 public bodies, ministries and units of local self-government should have appointed personal data protection officers. Since the Law on Personal Data Protection defines the criteria which should be met by these individuals, the new law allows for the opportunity for these individuals to perform additional activities along with this role, but they can also open specialized legal entities since personal data protection officers may be hired based on a contract, as well as that there is an option to found certification body which would issue certificates for personal data protection. One week before initiation of application of the Law on Personal Data Protection, out of dozens of thousands of controllers, only 192 had submitted mandatory data on the personal data protection officer1 to the Commissioner for Personal Data Protection.
In addition, the law stipulates that the associations and other entities presenting the groups of controllers or processors may (thus, they do not have to) adopt the code of procedure regarding personal data protection. New law presents new requests that refer to the measures which need to be undertaken for the purpose of personal data protection. That further means significant investments of the companies in information technologies required to achieve the level adequate for personal data protection. It is necessary to establish, adapt and maintain the system that would protection personal data collected/processed within the company of any size. The law, i.e. the need to protect personal data, requires technology of high operational ability and that is why the companies should have established security measures for personal data protection by now. What should have been done is a risk assessment or determining the measures that need to be undertaken to protect personal data, without disturbing of the business. In addition, in respect of the equipment, i.e. mapping of the existing resources, it is required to know which equipment is owned, and what else should be done in order to raise the measures of protection to a suitable level, and all in regards to personal data collected/processed by that company.
In smaller commercial entities, which constitute majority in Serbia and which (if we assume) perform business activities not related with processing of higher number of personal data or processing of special, sensitive types of data, application of the new law should have been done more smoothly and these subjects should not have had higher expenses during implementation. Small and medium size enterprises, as controllers and processors of personal data have general obligations as other controllers and processes, but do not have the obligation of keeping records on data processing. In accordance with the new law, that obligation does not exist in commercial entities and organization employing less than 250 persons. However, if a small or medium size enterprise performs business that includes processing of high number of personal data, and especially if it transfers that data to other states, they must keep records on data processing and that should have already been complied with the new law, and they (probably) have higher expenses due to application of the law.
With initiation of application of the GDPR, bigger commercial entities and multinational companies in Serbia (not all of them) have done a lot in order to organize and protect the field of personal data. Namely, due to application of the GDPR first, and of the new Serbian Law on Personal Data Protection later, multinational companies doing business in Serbia have already changed what is necessary in the field of personal data protection and have already had additional expenses in that respect. These subjects should have undertaken relevant technical, organizational and personnel measures of protection so far in order to organize and maintain the records of processing activities, and in cooperation with the Commissioner, perform prior risk assessment, and prepare everything needed in order to follow the procedures in case of violation of personal data, transfer of data to other countries, as well as to impose the measures or decrease costs in case of damages. In addition, it is assumed that these entities have agreed and adopted codes of procedure, binding business rules and appointed personal data protection officers, etc.
In addition, big commercial entities and multinational companies not seated on the territory of the Republic of Serbia, which process personal data of the individuals with temporary or permanent place of residence on the territory of the Republic of Serbia should have appointed the representative which must an individual or legal entity with the place of residence or the seat on the territory of the Republic of Serbia. The representative is authorized to represent the controller or processor in respect of their obligations defined by the new law.
In respect of individuals and level of their knowledge of the new law and rights that belong to them in that respect, we will probably have more information on that after some time of the application of the new law. It is assumed that the companies which had prepared and had complied their work with the new law even before its adoption, organized training of the employees on their rights (and obligations) defined by the law and the acts of these companies which should have been adopted.
At this point, we would like to point briefly to the rights of individuals based on the new Law on Personal Data Protection, which are more clearly described and expanded compared to the old law, and along with the rights defined by the previous law (the right to copy and correct, right to information and deletion), the new right to data transfer has been introduced. This right means that the person to which the data refer shall be entitled to receive his/her personal data previously delivered to the controller in regularly used and electronically readable form, and to transfer these data to another controller without interference by the controller processing his data. The most significant novelty for the person to which the data refer is related to submission of new legal means if his personal data are processed. Now, there are many different possibilities for protection of rights, where it is possible to submit many legal means, regardless whether any of the means have already been filed. Primarily, a complaint may be submitted to data controller regarding processing of data. New law explicitly stipulates the right to compensation of damages, which means that the person suffering tangible or intangible damage due to breach of the provisions of the Law shall be entitled to financial compensation of this damage from the controller or processor inflicting this damage.
However, readiness of the subjects in Serbia to apply new solutions in the field of personal data protection and their knowledge of their rights and obligations in accordance with the new law shall largely depend on their compliance, that is, work and knowledge of the personal data protection from previous years and implementation and compliance with the previous Law on Personal Data Protection.
Finally, I present the brief overview of adopted new bylaws in the area of personal data protection that started to apply with application of the new Law on Personal Data Protection:
1. Rulebook on the form and method of keeping records of personal data protection officers
This Rulebook stipulates the form and method of keeping records of personal data protection officers. The records are kept by the Commissioner and it shall contain the data on:
- controller or processor (first name, last name, or the name and seat) and
- personal data protection officer (first name, last name, e-mail and telephone number).
Controller or processor shall deliver the data from the records to the Commissioner, in writing and directly, via mail or to e-mail address. These records are uniform and are kept in electronic format attached to the Rulebook.
2. Rulebook on the form and method of keeping internal records on violations of the Law on Personal Data Protection and the measures undertaken during inspection supervision.
This Rulebook stipulates the form and the method for keeping internal records on violations of the Law on Personal Data Protection and the measures undertaken during inspection supervision. The records on the violation of the law and measures undertaken during inspection supervision shall be kept by the Commissioner.
3. Rulebook on the form of notice on violation of the personal data protection and method of informing of the Commissioner for Information of Public Importance and Personal Data Protection on violations of personal data.
This Rulebook stipulates the form of the notice on violation of personal data (“Form of the notice”) and the method for informing of the Commissioner on violations of personal data.
The form of the notice shall contain:
- Data on the controller,
- Data on violation of data,
- Description of possible consequences of the violation,
- Description of the measures undertaken by the controller or which have been proposed,
- Other data of significate for notice on violation of data.
Controller shall be obligated to deliver the Commissioner the notice on violation of personal data on the Form of the notice within 72 hours as of becoming aware of the violation. In case, at the time of delivery to of the notice to the Commissioner, the controller cannot enter all the data, he shall submit missing data subsequently in the same manner the notice was delivered. The controller who does not act within defined deadline shall be under obligation to elaborate the reasons as to why he failed to act within that deadline.
The controller shall deliver the Commissioner the notice on violation of data in writing, directly or via mail, and may deliver a scanned copy of the notice to the e-mail address.
4. Rulebook on the form of complaint
This Rulebook stipulates the form of the complaint that may be submitted by an individual to the Commissioner if it considers that the processing of his personal data was done contrary to the provisions of the Law.
The complaint shall be delivered to the Commissioner in writing, directly or via mail, and a scanned copy of the complaint may be delivered to e-mail address.
The form of the complaint shall contain the following data:
- Data on the complainant,
- Data on the personal data controller against which the complaint is filed,
- Right which has been violated,
- Reasons for complaint.
5. Decision on the list of types of actions of personal data processing for which impact assessment on personal data protection must be done and opinion must be obtained from the Commissioner for Information of Public Importance and Personal Data Protection.
This Decision stipulates the list of activities of personal data processing for which the controller, before initiation of processing, must perform impact assessment and require the opinion from the Commissioner.
Assessment of the impact on personal data protection shall be done in case of:
- systematic and comprehensive assessment of impact and characteristics of an individual, done through automated personal data processing including profiling, based on which the decisions of significance for legal position of individual or which have significant impact on him/her are rendered;
- processing of all types of personal data or the data which disclose racial and ethnic origin, political opinion, religious or philosophical beliefs or membership in the unions, as well as processing of genetic data, biometric data for the purpose of uniform identification of persons, data in healthcare charts or data on sexual life or sexual orientation of individuals or personal data regarding criminal judgments and punishable offences and security measures, in the great scope;
- systematic supervision of publicly available surfaces, to the great extent;
- processing of personal data of children and minors for the purpose of profiling, automated deciding or for marketing purposes;
- use of new technologies or technological solutions for personal data protection or with possibility to process personal data use for analysis or prediction of economic situation, health, tendencies or behavior, location or movement of individuals;
- processing of personal data so it includes monitoring of location or actions of in individual in case of systematic processing of data on communication obtained through use of telephone, Internet and other means of communication;
- processing of biometric data for the purpose of uniform identification of employees by the employer and in other cases of processing of personal data of employees by the employer through use of applications or system for monitoring of their work, movements, communication, etc.;
- personal data processing through cross referencing, linking or compatibility matching from several sources;
- processing of special types of personal data for the purpose of profiling or automated deciding.
Upon completed assessment of impact on personal data protection, controller shall, before instating personal data processing, submit the request to the Commissioner for the opinion and pay relevant amount of administrative tax.
6. Decision on the list of countries, parts of their territories or one or more sectors of certain business activities in those countries and international organization where it is considered that adequate level of personal data protection has been provided.
This Decision establishes the list of countries, parts of their territories or one or more sectors of certain businesses in those countries and international organization considered to have provided adequate level of personal data protection.
7. Rulebook on the form of ID of person authorized to perform inspection supervision in accordance with the Law on Personal Data Protection with the forms of IDs
This Rulebook closely describes the from and contents of ID of a person authorized to perform inspection supervision over implementation and application of the Law on Personal Data Protection (authorized person) and method for keeping records on issued IDs od authorized persons.
Article provided by: Ljiljana Urzikic Stankovic (Stankovic and Partners, Serbia)
Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project
Director CPC project: Dr. Tobias Höllwarth, firstname.lastname@example.org