13 Jan 2022
The issue of personal data protection has recently been raised again in the Serbian public. The Law on Personal Data Protection (hereinafter, the Law), whose key novelties we previously discussed, was modeled after the GDPR in 2018. However, it was only during 2020 that the Commissioner started sending requests to companies to submit completed self-assessment checklists, and recently, the Commissioner began mass inspection supervision!
If you have not yet complied with the Law, do not wait for the Commissioner’s announcement.
The Commissioner’s statement implies that some of the companies that are labeled as a priority for the inspection supervision are furniture stores, sports equipment shops, grocery stores, liquor stores, clothing retailers, footwear shops, bookstores, but also online stores (as explained further in the text).
As nearly all companies process personal data, the obligation to comply with the Law applies to everyone. We have already explained in great detail what personal data is, what responsibilities companies have with respect to personal data protection, and the most common errors companies make while complying with the Law on Personal Data Protection.
The Law stipulates certain principles for companies to follow, which we named, due to their importance, six “commandments” of personal data processing.
During the inspection supervision, the Commissioner is authorized to demand and get access to all personal data from a Controller or Processor, as well as necessary information for exercising his authority; to demand and get access to all premises of the Controller and Processor, including the access to all funds and equipment.
Acting contrary to the Law may result in the imposition of one or more corrective measures by the Commissioner. If you have not complied with the legal norms related to the protection of personal data, these are the corrective measures that the Commissioner may issue:
The most rigorous corrective measure that the Commissioner may issue is certainly a fine, which can be imposed in the amount of up to RSD 100,000 in the form of a misdemeanor charge. However, fines that can be imposed on a legal entity in a court dispute can be in the amount of RSD 2,000,000 for each violation. Furthermore, the Commissioner can impose the following penalties:
According to the Law on Inspection Supervision, each authority responsible for inspection supervision is obliged to have a Plan of Inspection Supervision for every year, in which it stipulates which actions are going to be executed during the year, and every three months, each authority makes the Operation Plan of Inspection Supervision with specified action plans for the following period.
Before the inspection supervision, the Commissioner may send self-assessment checklists to companies so that they independently answer all questions related to personal data protection. Based on the answers, the Commissioner assesses the degree of risk and forms a plan for conducting inspections.
By analyzing the Plan of regular Inspection Supervision of the Commissioner for 2021, we can see various types of inspection supervision which are directed to different Controllers.
For example, the regular supervision conducted by the Commissioner in accordance with the Plan of Inspection Supervision may further be classified into:
a) Ministries, cities, and provinces;
b) E-commerce stores.
a) You have been identified as a critical or high-risk level, based on the analyzed self-assessment checklist;
b) You have not filed the necessary self-assessment checklist.
In addition to the regular supervision, the Commissioner may conduct special inspection supervision based on both the official authority and proposals and complaints by third parties.
According to the Commissioner’s statement made on November 12, 2021, the authority sent self-assessment checklists to over 1007 companies during 2021, after which the Commissioner determined that regular supervision would be conducted in 186 companies.
The Plan of Inspection Supervision in 2021 further states that the Commissioner’s conclusion, based on the analysis of responses from the completed self-assessment checklists, is that supervised entities do not fully understand the questions asked and do not know the legal terminology, even though the questions from the self-assessment checklists refer to specific legal provisions.
The Commissioner further states in the Plan that from the responses of supervised entities, it can be concluded that a vast number of people do not have specific professional qualifications, nor professional knowledge and experience in the field of personal data protection.
E-commerce stores are typical places where you come into contact with a large amount of information on a daily basis, which is personal data according to the Law. This information may vary from basic personal data, such as name and phone number, to data that does not seem as such: IP address, IMEI number, GPS location, and various passwords and account data on social media.
This is one of the possible reasons why the Commissioner stipulated in the Plan of Inspection Supervision for 2021 that Department II (which is within the Supervision Sector) will execute the targeted supervision of E-commerce stores.
Since the Commissioner already specified in the Plan of Inspection Supervision that E-commerce stores would be subject to regular inspection supervision, it is obvious that this is not new, but that the action is in accordance with previously adopted acts.
Even though E-commerce stores are places where you are in contact with a vast amount of information that is personal data according to the Law, that should not be a problem for companies if they comply with the clear rules enforced in this area. In our previous blogs, we discussed the key steps necessary for legal compliance, which all companies that process personal data must take.
Firstly, it should be emphasized that E-commerce stores, as well as any other company that is obliged to act according to the Law on Personal Data Protection, must follow these principles:
The consequences of negligence can be severe, not only in financial terms but also in terms of reputation, which can cause serious consequences to the business and the very existence of the company.
By running their business conscientiously, companies, including E-commerce stores, may prevent possible adverse consequences, which we mentioned in our blog, and improve their business.
What needs to be paid special attention to is actually the most common subject of the Commissioner’s inspection, and that is inspecting the:
Lately, E-commerce stores have been the Commissioner’s focus and it is highly likely that it will remain so in the following period, but it is still possible that the Commissioner will direct his activities to other groups of Controllers as well.