NEW LAW ON PERSONAL DATA PROTECTION
The National Assembly of the Republic of Serbia adopted a new Law on Personal Data Protection at its session held on 13 November 2018.
The Law on Personal Data Protection was published in the Official Gazette of the Republic of Serbia No. 87/2018 on 13 November 2018 (hereinafter: the Law) and came into force on the eighth day from the day of its publication, i.e. on 21 November 2018. However, the Law has delayed implementation and will apply upon expiry of nine months from the date of its entry into force, i.e. on 20 August 2019.
The only exception to the delayed implementation is Article 98 of the Law, which stipulates that, as of the date of entry into force of the Law, the Central Registry of Databases established pursuant to the previous Law on Personal Data Protection shall no longer be kept, and that the data contained in the Central Registry shall be handled in accordance with the regulations governing archival materials.
II LEGAL BASIS AND REASONS FOR THE ADOPTION OF THE LAW
The basis for adoption of the Law is contained in a provision of Article 42 of the Constitution of the Republic of Serbia which stipulates that protection of personal data shall be guaranteed (paragraph 1 of the above-mentioned article), that collecting, keeping, processing and using of personal data shall be regulated by the law (paragraph 2 of the above-mentioned article), as well as that everyone shall have the right to be informed about personal data collected about him/her (paragraph 4 of the above-mentioned article).
The reasons for the adoption of the Law are numerous. On one side, there is a need of supplementing the previous Law on Personal Data Protection from the standpoint of internal law of the Republic of Serbia and introduction of personal data protection in all areas. The other reason is the obligation of the Republic of Serbia, arising from the initiated process of accession to the European Union, to harmonise the national regulations with the effective regulations of the European Union.
The specific regulation of the European Union in question is Regulation 2016/679 of the European Parliament and of the Council ("GDPR") on the protection of natural persons with regard to the processing of their personal data by the competent authorities.
III APPLICATION OF THE LAW
The Law applies to the processing of personal data performed by automated means, as well as to manual processing of personal data contained or intended to be contained in a database.
The Law is not applicable to personal data processing performed by natural persons for personal needs or for the needs of their household.
The Law is applicable to processing of the personal data performed by a controller or a processor having a seat, temporary residence or permanent residence on the territory of the Republic of Serbia, within the activities carried out on the territory of the Republic of Serbia.
The Law applies to processing of personal data of natural persons to whom the data relate, having permanent or temporary residence in the territory of the Republic of Serbia, if the processing actions relate to the following:
- offering goods or services to the natural persons to whom the data relate in the territory of the Republic of Serbia;
- monitoring the activities of the natural persons to whom the data relate, if the activities are carried out in the territory of the Republic of Serbia.
IV TERMS AND CONCEPTS IN THE LAW
The Law introduces new terms and concepts in relation to the previous Law on Personal Data Protection already in the introductory provisions, in the part related to definitions of terms.
Basic concepts, also defined by the previous Law on Personal Data Protection, are the following:
- Personal data are any data relating to a natural person the identity of whom is determined or determinable, directly or indirectly, especially on the basis of an identity mark, such as name and identification number, etc.;
- The data subject is a natural person whose personal data are processed;
- Personal data processing is any action or set of actions performed by automated means or manually upon personal data or sets of personal data, such as: collecting, recording, classification, grouping, structuring, storing, adaptation, alteration, disclosure, making available for insight, use, revealing by transmission or delivering, copying, dissemination or otherwise making available, comparing, limiting, deleting or destroying;
- Personal data filing system is every structured set of personal data available in accordance with the special criteria;
- Personal data filing system controller is a natural person or legal entity or authority determining, individually or jointly with others, the purpose and the manner of personal data processing;
- The processor is a natural person or legal entity or authority processing the personal data on behalf of the controller.
The newly introduced concepts in the Law are:
- Consent of the natural person to whom the data relate is any freely given, specific, informed and unambiguous indication of that person’s will, by which the person gives consent to personal data processing by means of a statement or an affirmative action;
- Profiling is any form of processing by automated means used to evaluate specific personal traits (performance analysis, economic status, health status, personal circumstances, interests, reliability, behaviour, location or movement);
- Pseudonymisation is the processing of personal data in a way that prevents the attribution of personal data to a specific person without the use of additional data, provided that these additional data are stored separately and that technical, organisational and personnel measures have been taken which ensure that the personal data cannot be attributed to a specific person;
- Personal data breach is a violation of personal data safety leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data which are transmitted, stored or processed;
- Genetic data are personal data relating to inherited or acquired genetic characteristics of a natural person which provide the unique information on physiology or health of that person, and in particular those obtained by analysis from a sample of biological origin;
- Biometric data are personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person (facial images or dactyloscopic data).
V PRINCIPLES OF PROCESSING
The Law recognises the basic principles when processing personal data as follows:
- The processing of personal data should be lawful, fair and transparent to the data subject;
- The data are collected for purposes that are specific, explicit, justified and legitimate, and cannot be processed for other purposes;
- The data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed;
- The data should be accurate and, where necessary, kept up to date;
- The data should be kept in a form which permits identification of the natural persons for no longer than is necessary for the purposes for which the personal data are processed;
- The data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical, organisational or personnel measures.
The controller is responsible for compliance with all of the above principles and obliged, where necessary, to demonstrate their application.
VI LAWFULNESS OF PROCESSING
Processing shall be lawful only if and to the extent that the following applies:
- the data subject has given consent to the processing of his or her personal data;
- processing is necessary for the performance of a contract to which the data subject is party;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
VII CONSENT OF DATA SUBJECTS
Where the processing of personal data is based on consent, and not on another basis of data processing, the controller shall hold evidence of the data subject's consent.
The consent shall be in simple, intelligible and easily accessible form, and, prior to expressing his or her consent, the data subject shall be informed about having the right to withdraw the consent.
The data subject who has consented to processing of personal data shall have the right to withdraw his or her consent at any time.
VIII INFORMATION AND ACCESS TO THE DATA
The controller shall provide the data subject with information defined by the provisions of the Law, as well as with the access to the information.
The controller shall provide the data subject with all of the following information:
- the identity and the contact details of the controller and, where applicable, of the controller's representative;
- the contact details of the data protection officer;
- the purposes of as well as the legal basis for the processing;
- the existence of the legitimate interests pursued by the controller or by a third party;
- the recipients of the personal data, if any;
- where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation.
In addition to the above information the controller shall provide the data subject with the following further information:
- the period for which the personal data will be stored and the criteria used for their collection;
- the existence of the right to request from the controller access to and rectification or erasure of personal data;
- the existence of the right to request from the controller restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
- the existence of the right to withdraw consent at any time;
- the right to lodge a complaint with the Commissioner;
- regarding the basis of provision of personal data: whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
- the existence of automated decision-making.
The data subject has the right to request access to the data from the controller, as well as a copy of the data processed by the controller.
IX RESPONSIBILITY OF THE CONTROLLER
The Law provides general definitions of the controller’s responsibilities only, without details thereof.
Pursuant to a provision of Article 41 of the Law the controller shall implement appropriate technical, organisational and personnel measures to ensure that personal data processing is performed in compliance with the legislation.
The measures shall also include the implementation of appropriate data protection policies by the controller.
X PROTECTION MEASURES
Within the technical, organisational and personnel measures of protection, the controller and the processor are obliged to carry out all protection measures in order to achieve an adequate level of security in relation to the risk.
The Law specifically recognises the following protection measures:
- Pseudonymisation and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical, organisational and personnel measures for ensuring the security of the processing.
Also, the controller is obliged to ensure that the data processed are only the ones necessary for each of the purposes for which they are processed.
XI THE PROCESSOR
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing full guarantees to implement appropriate technical, organisational and personnel measures in such a manner that will meet the requirements of the Law.
The processor shall not engage another processor without prior written authorisation of the controller.
The legal relationship between the controller and the processor shall be governed by a contract or other legal act defining the basic elements of the contractual relationship (the subject and duration of the processing, the nature and purpose of the processing, the type of personal data being processed, rights and obligations of both contracting parties, etc.).
The above-mentioned contract or other legal act shall stipulate that the processor:
- processes the personal data only on the basis of documented instructions from the controller;
- ensures that persons authorised to process the personal data have committed themselves to confidentiality;
- takes all protection measures defined by the Law during the processing;
- respects the legally defined conditions for engaging another processor;
- assists the controller in ensuring compliance with the obligations relating to the rights of the data subject (right to rectification, amendment, erasure, etc.) by applying adequate technical, organisational and personnel measures;
- assists the controller in ensuring compliance with legal obligations relating to: informing the data subject in case of a personal data breach, carrying out an assessment of the impact of the envisaged processing actions on personal data protection, as well as requesting the prior opinion of the Commissioner in case of a high level of risk for data processing;
- returns to the controller all the personal data or erases all the data or copies thereof upon termination of the contracted processing actions;
- makes the information necessary for demonstrating the fulfilment of the processor's obligations available to the controller.
XII RECORDS OF PROCESSING ACTIVITIES
The controller shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
- the name and contact details of the controller;
- the purposes of the processing;
- the categories of data subjects and the categories of personal data;
- the categories of recipients to whom the personal data have been disclosed;
- transfers of personal data to a third country or an international organisation;
- the time limits for erasure of the different categories of data;
- the general description of the security measures.
XIII THE COMMISSIONER
The controller, the processor and their representatives shall cooperate with the Commissioner in exercising his powers.
The controller shall, without undue delay and not later than 72 hours after having become aware of it, notify the Commissioner of any personal data breach that is likely to result in a risk to the rights and freedoms of natural persons.
The notification to the Commissioner shall contain all information prescribed by the Law (the description of the nature of the personal data breach, contact details of the data protection officer, description of the consequences of the personal data breach, and description of the measures taken by the controller).
The Commissioner exercises his powers pursuant to the provisions of the Law in the territory of the Republic of Serbia.
The most important powers of the Commissioner include, among others, the following:
- performs inspection and ensures the implementation of the Law;
- at the request of the data subject, provides information on their rights which are prescribed by the Law;
- acts on complaints of data subjects and determines whether there has been a violation of the Law;
- provides in writing the opinions regarding the assessment of impact to personal data protection;
- keeps various records in accordance with the Law (the data on person authorised for protection of personal data, violations of the Law);
- encourages issuing of data protection certificates and prescribes and publishes the criteria for accreditation of the certification body.
The Commissioner prescribes the form for complaints, which may also be submitted electronically.
XIV DATA PROTECTION OFFICER
The controller and the processor are not obliged by the Law to designate a data protection officer, except in the following cases:
- where the processing is carried out by a public authority or body;
- where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
- where the core activities of the controller or the processor consist of processing of special categories of data (ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, processing of genetic or biometric data, data on health status or sexual orientation of natural persons).
The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.
The controller and the processor shall publish the contact details of the data protection officer and communicate them to the Commissioner. The Commissioner keeps record of data protection officers.
Also, the controller and the processor shall enable the data protection officer to perform his/her duties as follows:
- informing and advising the controller and the processor of their obligations pursuant to the Law related to personal data protection;
- monitoring compliance with provisions of this Law and other relevant regulations related to personal data protection;
- providing advice with regard to the assessment of the processing impact on personal data;
- cooperating with the Commissioner and providing advice to the Commissioner regarding issues relating to personal data processing.
XV CERTIFICATION
The controller and the processor may obtain a certificate of personal data protection from accredited certification bodies upon completing the procedure and complying with the requirements relating to personal data protection.
The certification shall be voluntary and available via a process that is transparent.
The certificate is usually issued for a maximum period of three years and may be renewed provided that the relevant requirements and criteria continue to be met by the controller or the processor.
XVI TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS
Transfers of personal data by the controller or the processor shall take place only if legally prescribed requirements are complied with by the controller and processor such as:
- the transfer is necessary for special purposes;
- the transfer is performed to a controller from a third country or international organisation if it is the competent authority for performing such activities;
- the transfer is performed to a country from the list of countries determined by the Government of the Republic of Serbia, and if this is not the case, special protection measures shall be applied;
- if the transfer from one third country or international organization is performed to another third country or international organization it is necessary to obtain an approval of further transfer from the first transfer authority or another competent body having considered all the circumstances of importance for the further transfer.
XVII LEGAL REMEDIES
As stated above, the data subject has the right to file a complaint to the Commissioner if he/she considers that the processing of his/her personal data is carried out contrary to law.
The Commissioner shall inform the data subject of the course of the conducted procedure, of the results of the procedure by means of a decision, as well as of his/her right to initiate court proceedings.
The data subject, the controller, the processor or third person to whom the Commissioner’s decision is related has the right to initiate an administrative dispute against the Commissioner’s decision within 30 days from the date of receipt of the decision.
Also, if the Commissioner does not act on the complaint within 60 days from the date of its filing by the data subject, the data subject has the right to initiate an administrative procedure.
The data subject has the right to judicial protection by filing a lawsuit with the competent court if he/she deems that his/her rights have been violated by the controller or the processor during the processing.
XVIII FINES PRESCRIBED BY THE LAW
In case of failure to act upon or comply with the provisions of the Law, a legal entity acting as the controller or the processor shall be punished with a fine of RSD 50.000 to RSD 2.000.000, and the authorised person shall be punished with a fine of RSD 5.000 to RSD 150.000.
A natural person who does not keep as confidential information personal data learned while performing his/her job duties shall be punished by the fine of RSD 5.000 to RSD 150.000.
XIX ENTRY INTO FORCE
The Law shall be implemented upon expiry of nine months from the date of its entry into force which is on 20 August 2019.
As of the effective date of this Law, provisions of the Law on Personal Data Protection (Official Gazette of the Republic of Serbia No. 97/08, 104/09 – other Law, 68/12-CC and 107/12) shall become null and void.