Although the new Law on Personal Data Protection in Serbia started to apply on August 21, 2019, it seems that companies have not taken all the obligations prescribed by the Law that seriously, or they do not understand them (read more about the crucial novelties in our blog The New Law on Personal Data Protection – Key Novelties and Tic-Toc… Is Your Company Compliant With the New Law on Personal Data Protection?).
The fact that many companies that do business in Serbia have not appointed a Personal Data Protection Officer (DPO) or a Representative in the Republic of Serbia, even when the Law requires them to do so, is alarming. Consequentially, Share Foundation filed misdemeanor charges against Facebook and Google for failing to comply with its obligation to appoint Representatives in Serbia to the Commissioner for Information of Public Importance and Personal Data Protection. The gravity of the situation is reaffirmed by the fact that one week after the Law started to apply, out of tens of thousands of controllers, only 192 of them submitted mandatory information on the DPO to the Commissioner.
Luckily, some of the companies complied with the requirements of the new Data Protection Act, such as the global leader in travel organization eSky. For more information please see Tijana Žunić Marić Appointed by eSky as DP Country Representative for Serbia.
It is paramount for all entities who process personal data and who are subject to the Law to understand the difference between a Data Protection Officer (DPO) and a Representative in Serbia (Representative).
At the first glance, it seems like their roles are similar, or even identical. However, the differences between the two are significant, and the failure to appoint them entails different consequences and potential risks of non-compliance with the provisions of the Law (more on the penalties in the blog Violation of the Law on Personal Data Protection in Serbia – 5 Consequences). Moreover, appointing the same person to perform both roles can lead to a serious conflict of interest.
In this blog, we will try to eliminate the confusion and misconceptions that exist regarding these two different institutes, as well as to help you understand if you are obliged to appoint one of these two persons or even both of them.
Data Protection Officer – a DPO is a key player in the new data governance system, appointed by a controller or processor.
DPO is an independent entity that ensures that the company that designated them complies with the applicable Law when processing the data of its customers, employees, users of services and, all other data subjects.
Additionally, the DPO must inform and educate the company and its employees on all aspects of personal data protection, give an opinion on the data protection impact assessment and, act as a contact point for cooperation with the Commissioner, as well as with the data subjects.
Therefore, a DPO is the person who will advise your company and make sure that you have aligned your business with the obligations imposed by the Law.
We wrote extensively about the legal requirements for appointing a DPO in the blog The New Law on Personal Data Protection – Key Novelties. In the text below, we will go through some specific examples.
Whether you are a foreign or a domestic company, you must appoint a DPO if:
1) the core activities of your organization require large-scale, regular, and systematic monitoring of individuals; or
2) the core activities of your organization consist of large-scale processing of special categories of data or data relating to criminal convictions and offenses.
Any natural or legal person can be designated as a DPO. However, a DPO must be an expert in data protection, independent of the organization, adequately resourced, and capable of complying with the Law.
DPO can be a processor’s or controller’s employee. However, you can also appoint an external DPO.
The DPO must be independent in the performance of its tasks and duties. The controller or processor cannot penalize the DPO or terminate his employment or contract with him for performing its duties imposed on him by the Law. As a matter of fact, the controller and the processor are responsible for data processing as well as compliance with the Law, so the legal claims of the data subject and the Commissioner can only be directed towards them. The DPO cannot be held personally responsible.
Since the provisions of the Law are very general, we will try to clarify when it is mandatory to appoint a DPO in the following examples.
Example 1: E-commerce store ABC (regardless of the company’s headquarters) offers and sells goods online to citizens of the Republic of Serbia. In addition, ABC E-commerce organizes a loyalty program for its customers and processes personal data for these purposes on a large-scale. Also, ABC E-commerce profiles its customers and sends them personalized offers based on that.
In the specific example, the E-shop ABC is required to appoint a DPO who will be responsible for personal data protection issues.
Example 2: Private Clinic M based in Belgrade processes personal data of its patients in its regular course of business. In this example, Clinic M is a controller whose main activity is to process a large number of sensitive data from their patients, such as health data.
Clinic M must appoint a DPO.
If you do not meet the abovementioned conditions, appointing a DPO is optional. However, the European authorities recommend designating a DPO even when it is not mandatory. Moreover, it is considered a good business practice.
You must have been wondering what the role of the Representative is if you already have appointed a DPO.
If you are a foreign company, which does not have a registered office (nor branches or other establishments) in the Republic of Serbia, but are engaged in processing activities related to:
1) offering goods or services to individuals in the Republic of Serbia, whether or not the data subject is required to pay compensation for these goods or services;
2) monitoring the activities of data subjects, if the activities are carried out on the territory of the Republic of Serbia.
Then you must comply with the Law and appoint a Representative in the Republic of Serbia.
However, even if you meet these conditions, you will not be required to appoint a Representative if:
a) you are a public authority;
b) the data processing is occasional; it does not involve large scale processing of special categories of data or data relating to criminal convictions; and is unlikely to result in privacy intrusions. In practice, this exemption rarely applies.
Any natural or legal person who resides in the Republic of Serbia can be appointed as a Representative.
The appointment of a Representative for companies without an office in Serbia must be made in writing. The most common practice is to conclude a written agreement.
In a nutshell, the main job of the representative is to operate as the local liaison i.e. a contact point with the data subjects and the supervisory authorities. Thus, the Representative acts as an intermediary between the business and national data protection authorities or data subjects.
The appointment of the Representative is made without prejudice to legal actions which could be initiated against the controller or processor. They shall, therefore, be responsible to meet the regulatory obligations when processing personal data of Serbian residents. The appointment of a representative does not replace or limit the duties of the company located in a country outside of the Republic of Serbia.
There is no express prohibition on the same person fulfilling both roles. However, in our opinion, assigning one person to do these two jobs could result in a problematic conflict of interest.
Still not in the clear whether you are obliged to appoint a Representative or not? Let’s look through an example:
- XYZ Airlines is a registered and headquartered airline in Turkey offering air transport services to citizens of the Republic of Serbia and enabling them to buy tickets online, collecting information such as first and last name, date of birth, passport number, unique personal ID number, credit/debit card numbers, etc.
- In the aforementioned case, XYZ Airlines is obliged to appoint a Representative in the Republic of Serbia to act as its direct contact for data subjects and supervisory authority.
If the designation of the DPO and/or Representative is mandatory and you have not yet done so, you are potentially facing penal liability.
If you are a controller or a processor who:
It is important to know that the data subject’s awareness of personal data protection has risen to a much higher level, leading to a series of inquiries and reports to both the controllers and the competent institutions.
Additionally, various non-governmental organizations dealing with the data protection have already started filing misdemeanor charges against controllers and processors who have failed to fulfill their obligations to appoint a Representative in the RS.
We believe that for gigantic companies, financial risk i.e. the risk of imposing a fine is minimal, but therefore the reputational risk of non-compliance with the Law is very high.