If you have not yet brought your business into compliance with the Law on Personal Data Protection, the recent activities of the Commissioner for the Protection of Information of Public Importance and Personal Data Protection (hereinafter: the “Commissioner”) might change your mind and prompt you to take the necessary steps.
If your company has not yet received an e-mail from the Commissioner requesting you to self-assess compliance with the Law on Personal Data Protection (hereinafter: the “Law”), there is a high chance you will receive the e-mail soon. To prevent possible adverse effects, it is important to understand the new practice of the Commissioner.
The Commissioner is authorized to perform inspection supervision over the implementation of the provisions of the Law. One of the activities within the scope of the Commissioner’s work is to email self-assessment checklists, which allows personal data controllers to self-assess their activities regarding compliance with the Law and the lawful collection of personal data.
Any business entity that collects and processes personal data while determining the purpose and manner of processing is considered a data controller. Therefore, the activities of such entities fall within the scope of the Commissioner’s supervision.
As previously mentioned, the Commissioner has recently established the practice of emailing the Self-assessment Checklist to data controllers, requiring them to independently analyze their business and data protection activities and assess whether, and to what degree, they comply with the obligations under the Law. Each question (the checklist has a total of 16 questions) has two possible answers – YES and NO. This checklist model is intended for data controllers who are not public authorities (available only in Serbian).
The Checklist is a publicly available and clearly drafted document, and it is also used by other authorities when conducting inspections. It contains direct questions and, to some extent, offers guidance to the supervised entities on how to run their business and process personal data in accordance with the Law.
The concept of the Checklist is as follows – each data controller’s answer is scored with a certain number of points. If the data controller scores a total of 100 points, they fall into the category of insignificant-risk subjects. Of course, this still does not mean that the Commissioner will not decide to conduct the inspection supervision and check whether you are de facto compliant with the Law and whether your answers are correct.
Based on the questions in the Checklist, the personal data controller (who is the supervised entity in this situation) compiles a self-assessment report within 7 days from the date of receipt of the Checklist and submits it to the Commissioner.
To achieve as many points on the Checklist as possible, you need to comply with the obligations prescribed by the Law.
In previous blog posts on the topic of data protection, we stressed the need for business entities to comply with the new obligations introduced by the Law. We also provided a summary of the obligations that data controllers must respect and of the adverse effects of failing to do so.
One of the first issues is compliance with the Law regarding the internal acts of the data controller. Implementing internal acts is one of the basic obligations of personal data controllers. Therefore, it is important that all companies adopt appropriate internal acts regulating the procedures for collecting and processing personal data, retention periods and protection measures, in order to ensure compliance with the Law.
Personal data controllers should also pay special attention to the potential obligation to appoint a Data Protection Officer (DPO), as well as to the fact that they must register the DPO in accordance with the Law. The Commissioner can very easily check whether a controller who has the obligation to appoint a DPO did so, as controllers who appoint a DPO are required to register that person with the Commissioner.
Last but not least, if data controllers engage data processors, their mutual relationship should be regulated by a written agreement specifying their mutual obligations, the subject matter and duration of the personal data processing, the nature and purpose of the processing, the types of personal data and categories of data subjects, as well as the rights and obligations of the controller.
Supervised entities are classified into pre-determined risk categories based on the number of points collected, on a scale ranging from the insignificant-risk to the critical-risk category.
If you do not collect enough points based on your answers, you can easily be classified as a controller with a high or critical risk level for personal data protection.
Each answer also requires you to explain how you complied with the Law and, where possible, to provide the necessary evidence, as part of the report you compile based on your answers to the questions.
The Commissioner’s next step is to draw up an inspection plan for the coming period, based on your submitted report and your personal data risk category.
If the total number of points on the Checklist places you in the category of risky or even critical subjects, it is advisable to know what the next steps should be and how to improve your position.
Specifically, if data controllers do not actually comply with the Law, the Commissioner has the authority to perform inspection and determine which obligations were not fulfilled by the supervised entity, and consequently, which provisions of the Law were violated. Per single violation, the fines prescribed by the Law are in the range from 50,000 dinars up to 2 million dinars for a legal entity. Certainly, the consequences of such high fines can be critical for the company’s financial operations, as well as for its reputation.
Clearly, compliance with the obligations under the Law can no longer be avoided, and once you take the necessary steps and fulfill your obligations, there will be no reason to await the Commissioner’s email with the Checklist with trepidation. In order not to rank in the category of critical subjects again, it is recommended that you adopt internal acts, introduce the protective measures required by the Law, and regulate your relationships with data processors (if any) through detailed agreements, thereby preventing potential adverse consequences.
One of the questions in the Checklist is whether the supervised entity has engaged a personal data processor, and if the answer is YES, it is scored with negative points. The logical question is why the Commissioner “penalizes” supervised entities for engaging external service providers, i.e., data processors, when they are required. Every company needs, for example, a bookkeeping agency, which takes on the role of processor of the employees’ data. It is unclear why controllers would be rated 0 points for engaging processors whose services are necessary for the normal and regular functioning of the business.
A further contradiction arises when examining whether a supervised entity has appointed a Personal Data Protection Officer (DPO). We remind you that not all personal data controllers have this legal obligation, but only those in precisely defined legal cases. One of the cases in which the controller must appoint a DPO is when its core activities consist of processing operations which, by their nature, scope or purposes, require regular and systematic monitoring of a large number of data subjects. Imagine a hypothetical situation – a company has four employees who are not being monitored and it does not process the personal data of third parties; is that company, as the data controller, obliged to appoint a DPO? That seems to be the Commissioner’s interpretation, as he decided to score the question with 0 points if the supervised entity did not appoint a DPO, without considering that the supervised entity does not have to appoint a DPO at all, except in the situations specified by the Law.
From the above, it can be concluded that the total number of points and the categorization on the Checklist do not necessarily imply that the supervised entity has failed to comply with the Law in each individual case.
A helpful feature of the Checklist is that personal data controllers who have complied with the obligations under the Law do not have to worry that negative consequences will affect them. However, for those who have not yet complied with the Law, the Checklist is the final call to take personal data protection more seriously and avoid financial and reputational consequences. The importance and seriousness of personal data protection are also demonstrated by the penalties being imposed on international companies that have circumvented the rules and neglected to pay proper attention to personal data protection.
The European Union has taken the topic of personal data protection very seriously within the scope of GDPR, and no one is exempt from sanctions for non-compliance with personal data protection. As the Serbian law is essentially the translation of the GDPR into Serbian, it can be concluded that the Commissioner’s practice is a step in the right direction and shows a tendency that the competent authorities of the Republic of Serbia have decided to raise personal data protection to a new level.
The very idea of supervising personal data controllers and providing an opportunity for self-assessment before the competent authority shows a new level of awareness of the importance of respecting the provisions of the Personal Data Protection Law.
In addition to being useful for the personal data controller, who gets the chance to adjust their practices, the self-assessment checklist is a valuable form of prevention, as it gives entities the opportunity to assess themselves before the Commissioner starts an inspection.