New bylaws on the Law on Personal Data Protection

Data Protection

Uroš Popović & Miloš Andrejević

Publisher: Bojović Drašković Popović & Partners

The application of the Law on Personal Data Protection ("Official Gazette of the Republic of Serbia", no. 87/2018) (the “Law”) will start as of 21 August 2019. The transitional and final provisions of the Law stipulate that the bylaws envisaged by the Law will be adopted within nine months from the date of entry into force of this Law. In that respect, the Commissioner for Information of Public Importance and Personal Data Protection (the "Commissioner") has so far adopted 5 bylaws which will apply from the date of application of the Law, i.e. as of 21 August 2019. The Commissioner will continue to work on the adoption of other bylaws in the forthcoming period in accordance with the Law. The text below provides an overview of the bylaws adopted thus far.

1.     Rulebook on the Form and Manner of Keeping Record of the Data Protection Officer ("Official Gazette of the Republic of Serbia", no. 40/2019)

This rulebook defines the form and manner of keeping record of the data protection officers (the "Record"). The Record is kept by the Commissioner, and it contains the data on:

-       the data controller, i.e. the data processor (name, surname and address, i.e. business name and business seat) and

-       the data protection officer (name, surname, address, e-mail and telephone number).

The data controller, i.e. the data processor submits the data from the Record to the Commissioner, in writing, directly, by mail or to an e-mail address: licezazastitu@poverenik.rs. The Record is unique and kept in electronic form on a form which is attached to the Rulebook.

This rulebook entered into force on 15 June 2019, but will apply from 21 August 2019.

2.     Rulebook on the Form and Manner of Keeping Internal Record of Violations of the Law on Personal Data Protection and Measures Undertaken in the Course of Inspection Supervision ("Official Gazette of the Republic of Serbia", no. 40/2019)

This rulebook prescribes the form and manner of keeping internal records of violation of the Law and measures undertaken in the course of inspection supervision.

The record of violations of the Law and measures undertaken in the course of inspection supervision (the "Internal Record") is kept by the Commissioner.

The Internal Record contains information on:

-       the data controller or data processor who has violated the Law (name and surname or business name, place of residence, domicile or business seat),

-       violation of the Law (description of the violation and article of the Law that was violated),

-       measures taken, and

-       actions of the data controller or data processor upon the imposed measures.

The Internal Record is unique and kept in the Commissioner's Professional Service in electronic form. Graphical representation of the Internal record form is given on the form as an attachment to the Rulebook.

This rulebook entered into force on 15 June 2019, but will apply from 21 August 2019.

3.     Rulebook on the Form of Notification on Personal Data Breach and Manner of Notifying the Commissioner for Information of Public Importance and Protection of Personal Data on Personal Data Breach ("Official Gazette of the Republic of Serbia", no. 40/2019)

This rulebook sets out the notification form on personal data breaches (the "Notification Form") and the manner of informing the Commissioner on personal data breaches. The Notification Form is an integral part of the Rulebook.

The Notification Form contains:

-       Data on the data controller,

-       Data on data breach,

-       Description of the possible consequences of the breach,

-       Description of the measures taken or proposed to be taken by the data controller,

-       Other data of importance for communication on data breach.

The data controller delivers to the Commissioner a notification of data breach in writing, either directly or by mail, and may also provide a scanned copy of the notification to the email address: povredapodataka@poverenik.rs.

The data controller is obliged to deliver to the Commissioner a notification on personal data breach in the Notification Form within 72 hours of gaining knowledge of the breach. In case that the data controller cannot provide all the data at the moment of delivering of the notification to the Commissioner, the data controller shall be obliged to submit the missing data afterwards in the same manner in which the notification was delivered. The data controller who fails to act within the prescribed time limit is obliged to explain the reasons why he or she failed to act within that time limit.

Along with the notification, the data controller shall also provide records of the processing operations relating to data that have been the subject of personal data breach, which is kept by the data controller in accordance with Article 47 of the Law.

This rulebook entered into force on 15 June 2019, but will apply from 21 August 2019.

4.     Rulebook on the Complaint Form ("Official Gazette of the Republic of Serbia", no. 40/2019)This rulebook defines the complaint form that a natural person can submit to the Commissioner if he or she considers that the processing of his or her personal data has been carried out contrary to the provisions of the Law.

The complaint is delivered to the Commissioner in writing, either directly or by mail, and a scanned copy of the complaint may be submitted to the e-mail address: prituzba@poverenik.rs. If the complaint is submitted in writing, it is delivered to the following address: Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti (Commissioner for Information of Public Importance and Personal Data Protection), Bulevar kralja Aleksandra Street no. 15, Belgrade.

The complaint form contains the following information:

-       Data on the complainant,

-       Data on the data controller against whom the complaint is filed,

-       The right that was violated,

-       The reasons for the complaint.

if necessary, other useful information may be provided in the complaint, indicating that in the specific case personal data processing was carried out contrary to the provisions of the Law.

If a natural person considers that the processing of his or her personal data is carried out contrary to the provisions of the Law, and does not submit the complaint on the prescribed form, he or she should indicate the data that will enable the taking of action according to the complaint.

This rulebook entered into force on 15 June 2019, but will apply from 21 August 2019.

5.     Decision on the List of Types of Personal Data Processing Operations for Which an Assessment of the Impact on the Personal Data Protection Must be Performed and the Opinion of the Commissioner for Information of Public Importance and Personal Data Protection Must be Sought ("Official Gazette of the Republic of Serbia", no. 45/2019)

This decision is materially the most relevant bylaw enacted thus far as it establishes a list of personal data processing operations for which the data controller, before commencing processing, must perform an impact assessment and must seek the Commissioner’s opinion.

An assessment of the impact on the protection of personal data is carried out in the case of:

1)    systematic and comprehensive assessment of the condition and characteristics of a natural person carried out by automated processing of personal data, including profiling, on the basis of which decisions are made relevant to the legal position of the individual or similarly significantly affect him or her;

2)    processing of specific types of personal data, i.e. data revealing racial or ethnic origin, political opinion, religious or philosophical belief or membership in a trade union, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation or personal data relating to criminal judgments and punishable acts and security measures, on a large scale;

3)    systematic monitoring of publicly accessible areas on a large scale;

4)    personal data processing of children and minors for the purpose of profiling, automated decision making or for marketing purposes;

5)    the use of new technologies or technological solutions for the personal data processing or with the possibility of personal data processing that serve to analyze or predict the economic situation, health, inclination or interests, reliability or behavior, location or movement of natural persons;

6)    personal data processing in a manner that includes monitoring the location or behavior of an individual in case of systemic processing of communication data generated by the use of telephone, the Internet or other means of communication;

7)    processing of biometric data for the purpose of uniquely identifying of employees by the employer and in other cases of processing personal data of employees by the employer using applications or systems for monitoring their work, movement, communication, etc.;

8)    processing personal data by cross-referencing, connecting or checking the matching from multiple sources;

9)    processing specific types of personal data for the purpose of profiling or automated decision making.

Besides in the aforementioned cases, the data controller is obliged to assess the impact on the protection of personal data in other cases as well if it is likely that a certain type of processing, especially by using new technologies and taking into account the nature, scope, circumstances and purpose of processing, will cause a high risk for the rights and freedoms of natural persons – data subjects.

After performing an assessment of the impact on the protection of personal data, the data controller is obliged, before starting the processing of personal data, to submit a request for the opinion to the Commissioner and pay the relevant administrative fee.

This decision entered into force on 29 June 2019, but will apply from 21 August 2019.