All entities that, in the course of their business operations, collect and process personal data of employees, clients, service users, or other natural persons are required to align their practices with the obligations set out in the Law on Personal Data Protection (hereinafter: “the Law”).
In modern business, there is virtually no industry in which personal data is not processed to some degree. Whether it involves the provision of healthcare services, the carrying out of financial transactions, the organization of sporting and cultural activities, real estate management, or the delivery of various services to citizens, data controllers encounter the processing of large volumes of personal data on a daily basis – often including data that falls under the category of special types of data.
It is precisely for this reason that the legislator has established rules in the field of personal data protection, while oversight of their implementation has been entrusted to the Commissioner for Information of Public Importance and Personal Data Protection (hereinafter: “the Commissioner”).
Why Is 2026 Particularly Significant for Certain Data Controllers?
At the end of 2025, acting in accordance with the Law on Personal Data Protection as well as the Law on Inspection Oversight, the Commissioner adopted the Inspection Oversight Plan for 2026.
The Inspection Oversight Plan is an official document through which the Commissioner, on the basis of a prior risk assessment, defines its priorities, the types of oversight it will conduct, and the categories of data controllers subject to regular inspection. In other words, the Plan provides a clear picture of which sectors are in the Commissioner’s focus in 2026, as well as the criteria that will be used to determine whether and when an inspection will be carried out.
Which Categories of Data Controllers Are Covered by the 2026 Inspection Oversight Plan?
In accordance with the 2026 Inspection Oversight Plan, regular inspection oversight will be carried out in respect of certain categories of personal data controllers – primarily those entities for whom, for objective reasons, the regular inspection oversight planned for 2025 was not completed.
The Plan covers data controllers operating in sectors that, by their very nature, involve intensive processing of personal data, and frequently the processing of special categories of personal data. These include, among others, privately owned healthcare institutions (including private practices), private medical laboratories and pharmacy institutions, gambling operators, sports associations, cultural institutions, libraries and theatres, professional property managers, vehicle rental agencies, banks, as well as insurance companies and insurance intermediaries for whom oversight was not carried out during 2025.
What these sectors have in common is an elevated risk to the rights and freedoms of natural persons, which was the key criterion for their inclusion in the Oversight Plan.
If you are among them and have not yet aligned your operations with the Law, the Commissioner’s forthcoming activities may prompt you to reconsider and take the necessary steps.
What Is the Purpose of the Commissioner’s Inspection Oversight?
Under the Law on Inspection Oversight, inspection oversight represents a function of state administration carried out with the aim of ensuring the lawfulness and safety of the conduct of supervised entities, as well as acting preventively to avert or remedy harmful consequences to the rights and interests of citizens.
In practice, this means that inspection oversight should not be viewed purely as a punitive measure. Its primary purpose is to establish the actual state of affairs, identify potential and existing risks, order measures for their remediation, and improve the overall level of personal data protection among data controllers.
How Does the Commissioner Assess Risk and Plan Oversight?
The Inspection Oversight Plan is based on a risk assessment. Risk is evaluated according to the degree of threat posed to the rights of the individuals to whom the data relates, and may be classified into categories ranging from negligible to critical.
In the risk assessment process, the Commissioner draws on a variety of information sources, with compliance checklists being one of the most important instruments in that process.
What Is the Compliance Checklist and Why Does It Carry Such Weight?
The Compliance Checklist is a standardised questionnaire through which the Commissioner collects data on the degree to which data controllers are compliant with the Law. It consists of a total of 14 questions, each offering two or three possible answers. Certain answers require additional clarification, as well as the submission of supporting evidence.
Each answer is scored, and the maximum number of points a data controller can achieve is 100. Based on the total score, the data controller is assigned to the appropriate risk category. The completed Compliance Checklist has the character of a self-assessment report and must be submitted to the Commissioner within seven days of receiving the request.
It is important to emphasise that the Compliance Checklist is not a mere administrative formality. The answers provided by the data controller constitute official statements regarding their state of compliance with the Law, serve as the basis for planning regular inspection oversight, and may be subject to subsequent verification in the course of inspection proceedings. Providing inaccurate or incomplete information, as well as concealing relevant facts, may have serious legal consequences.
How to Properly Prepare for Completing the Compliance Checklist?
In order for a data controller to be able to answer the questions in the Compliance Checklist correctly, they must first have a clear and complete overview of all personal data processing activities within their business operations. This means the data controller must know what data they process, whose data they process, for what purposes the data is processed, what the legal basis is for each individual processing activity, how long the data is retained, where the data is stored, and with whom it is potentially shared.
Without such an overview, completing the Compliance Checklist amounts to guesswork, which represents a serious risk in any communication with a supervisory authority.
In our previous articles, we have highlighted to businesses the necessity of aligning with the obligations under the Law on Personal Data Protection and have prepared a short guide on how to achieve compliance.
Is It Enough to Read the Law?
Although familiarity with the Law is essential, it is not sufficient on its own. The Compliance Checklists do not contain explanations of key terms; on the contrary, certain questions make direct reference to specific statutory provisions.
To answer such questions correctly, a substantive understanding of concepts such as controller, processor, recipient, records of processing activities, personal data breach, and other legal constructs set out in the Law, as well as how they apply in practice, is required.
What If the Compliance Checklist Indicates a High or Critical Risk?
Being classified in the high or critical risk category does not automatically result in sanctions. However, failure to submit the Compliance Checklist within the given deadline may be interpreted by the Commissioner as an increased likelihood of risk, which significantly raises the probability of inspection proceedings being initiated and a multi-million dinar fine being imposed for a regulatory offence.
Furthermore, such a classification serves as a clear signal that there are serious shortcomings in the personal data protection system and that urgent compliance measures must be taken. In practice, such measures may include the adoption or updating of internal policies, the establishment of records of processing activities, the introduction of appropriate technical and organisational security measures, the designation of a Data Protection Officer where required, the regulation of relationships with processors through appropriate contracts, as well as the establishment of clear procedures for responding to personal data breaches.
What Does Regular and Extraordinary Inspection Oversight Look Like?
Regular inspection oversight is carried out on the basis of an Operational Plan, on a quarterly basis, and may take the form of an office-based review, an on-site inspection, or a combination of both. The subject of oversight is the verification of compliance with the obligations prescribed by the Law, with particular attention paid to those obligations that the data controller has themselves declared in the Compliance Checklist.
In addition to regular oversight, the Commissioner may also conduct extraordinary inspection oversight, which may be initiated ex officio, on the basis of complaints and grievances submitted by citizens, media and internet content, or other information suggesting a possible violation of the Law.
Why Is Now the Right Time to Achieve Compliance?
The 2026 Inspection Oversight Plan makes it clear that the Commissioner’s focus is on risk assessment, preventive action, and the consistent enforcement of the Law. Data controllers covered by the Plan are advised to review their compliance without delay, make use of the publicly available Compliance Checklists, and take all necessary steps in a timely manner in order to mitigate risks and avoid potential consequences in inspection proceedings.
Although the Commissioner has until now focused primarily on education and prevention, and has not strictly sanctioned those who fail to comply with the Law, it appears that this approach is changing and that the Commissioner is beginning to follow the practice of colleagues across the European Union – as evidenced by the first fines and misdemeanour charges that the Commissioner has already issued.