The new Personal Data Protection Act – the application of which commenced on 22 August – regulates the protection of citizens’ personal data, such as home address, e-mail address, personal identification number, medical information, property and other data, and defines rules on personal data processing.
The new Personal Data Protection Act will directly affect several groups: citizens whose data is processed, government authorities, and commercial entities.
Impact on the citizens
The Act provides for citizens’ data to be processed with the same level of protection enjoyed by citizens of the European Union. In practice, this means that the government authorities, health institutions, banks, schools and universities, commercial business chains and others will process one’s personal data under the same rules followed in Europe.
The Act introduces the right of citizens to familiarise themselves with all aspects of use of their personal data. By exercising the specific rights stemming from the new statute, citizens:
- may request and receive information on whether, and how, a government authority or another data processor is processing their data;
- have the right to access that data;
- have the right to receive copies of the data held on them, together with other rights concerning access to their data;
- may revoke their consent to data processing;
- may request transfer of their data to another party, e.g. another mobile phone operator;
- may request correction, alteration, updating or deletion of their data;
- may file a complaint to the Commissioner for Information of Public Importance and Personal Data Protection;
- may file a claim to a court of law.
No one may access another person’s personal data. For that reason, the exercise of the above rights requires the requester to identify himself or herself as the data subject.
Commercial entities may process citizens’ data only with their explicit consent. The most common examples of such processing are vehicle casco insurance agreements, opening a bank account, paying for a tourist package, receiving a discount card when purchasing products, etc. Consent to data processing must be given voluntarily. To be able to give consent, citizens must be informed which data will be processed and for what purpose, whether the data will be transferred to another party and, in particular, whether the data will be exported abroad.
The exception to the rule on voluntary consent is where another statute governs the processing, e.g. in criminal proceedings.
A person who explicitly objects to receiving notifications at his or her e-mail address, or to receiving telephone calls, is adequately protected under the Act.
Citizens may learn which data a given party is using, in what manner and for what purpose, by checking the Central Registry, a registry of personal data collections set up and managed by the Commissioner for Information of Public Importance and Personal Data Protection.
Impact on legal entities
The Personal Data Protection Act introduces an obligation of the government authorities and other data processors (legal entities) to process data in a transparent manner.
The Act also obliges every legal entity using personal data to ensure adequate protection of that data against abuse, destruction, loss, unauthorised alteration, and unauthorised access or downloading, by taking technical, staffing and organisational protection measures.
The Act introduces an obligation to appoint a person responsible for responding to citizens’ requests when:
• a government authority is processing data, unless that authority is a court of law exercising its judicial powers;
• the processing, given its volume, nature and purpose, requires regular and systematic monitoring of a large number of data subjects;
• a special type of personal data, or personal data relating to criminal convictions and punishable offences, is being processed.
In special cases prescribed under the Act, e.g. when medical information or other particularly sensitive personal data is being processed, a personal data protection officer must be appointed. That person is the first point of contact for anyone who believes his or her rights to personal data protection have been violated.
Legal entities (commercial entities or government authorities) may have their own Request Form which they may make available to citizens on their website or in hard copies in their registered offices.
Legal entities’ obligations under the Act require them to take specific measures wherever they use personal data, including when collecting clients’, employees’ and users’ data; screening job candidates; installing video surveillance equipment in a workplace; carrying out marketing activities; and transferring data to other entities.
To prepare for the implementation of the Act, legal entities need to be adequately informed and, if necessary, additionally trained to adjust their operations and to reduce the chances of personal data breaches. To this end, it is necessary to determine the extent and the type of personal data which is collected and to define the rules on the use of that data. The volume and the type of data collected must be proportionate to their processing purpose.
Equally, the Act introduces the obligation to report data collections to the Central Registry. By law, all data processors are obliged to create and keep a record of their data processing, and to submit those records to the Commissioner, i.e. to notify the Commissioner that such a collection has been created.
Commercial entities may adopt a data processing procedure to allow supervision by certified and authorised persons.
Protection before the Commissioner
The Act provides for the protection of citizens in proceedings before the Commissioner for Information of Public Importance and Personal Data Protection and before the courts. If the security of personal data such as a name, home address, personal identification number or medical information is breached, the Act empowers the Commissioner, following an inspection, to request appropriate security measures (deletion, alteration, correction or updating of the data).
Sanctions in case of statutory violations
The Act prescribes fines for actions contrary to the Act. The Commissioner or the Misdemeanour Court may impose a fine for a statutory violation. In addition, a person who believes his or her rights have been violated may seek protection before a civil court. This protection includes the right to compensation for damage suffered as a result of unlawful processing of personal data.
Training on how to apply the Personal Data Protection Act
In the nine months since the National Assembly of the Republic of Serbia adopted the Personal Data Protection Act, trainings on the application of the new statute have been conducted for judges and prosecutors as well as for commercial entities.
Throughout Serbia, 12 trainings were conducted, involving 324 judges of basic and high courts and prosecutors of high prosecutors’ offices. These trainings, which focused on the implementation of the Act, completed the first round of trainings. A second round is expected once the new Act is in application, on the topic of ‘issues and application of the Act in practice’.
Trainings for commercial entities were held in the premises of the Serbian Chamber of Commerce. They were attended by insurance intermediaries and the textile industry cluster representatives. Two general trainings for representatives of all banks and insurance intermediaries were additionally held in the premises of the Official Gazette. One more general training is to be held in each of the mentioned premises in the upcoming period.
