The issue of personal data protection has recently come to the fore again in the Serbian public. The Law on Personal Data Protection (hereinafter, the Law), whose key novelties we discussed previously, was modeled after the GDPR in 2018. However, it was only during 2020 that the Commissioner began sending companies requests to submit completed self-assessment checklists, and recently the Commissioner has started mass inspection supervision.
If you have not yet complied with the Law, do not wait for the Commissioner's announcement.
The Commissioner's statement indicates that the companies labeled as a priority for inspection supervision include furniture stores, sports equipment shops, grocery stores, liquor stores, clothing retailers, footwear shops and bookstores, but also online stores (as explained further in the text).
What Steps Should Companies Take?
As nearly all companies process personal data, the obligation to comply with the Law applies to virtually everyone. We have already explained in detail what personal data is, what responsibilities companies have with respect to personal data protection, and the most common errors companies make when complying with the Law on Personal Data Protection.
The Law stipulates certain principles that companies must follow, which, because of their importance, we have called the six "commandments" of personal data processing.
What Are the Commissioner’s Supervision Powers and the Possible Consequences?
During inspection supervision, the Commissioner is authorized to demand and obtain access to all personal data held by a Controller or Processor, as well as any information necessary for exercising his powers, and to demand and obtain access to all premises of the Controller or Processor, including access to all resources and equipment.
Acting contrary to the Law may result in the Commissioner imposing one or more corrective measures. The most severe of these is a fine: the Commissioner may issue a misdemeanor order with a fine of up to RSD 100,000, while a fine imposed on a legal entity in misdemeanor proceedings before a court may reach RSD 2,000,000 for each violation. In addition, if you have not complied with the legal rules on personal data protection, the Commissioner may impose the following corrective measures:
- A warning, in the form of a written opinion addressed to the Controller or the Processor, where the planned processing is likely to violate the provisions of the Law;
- A notice, where the processing carried out by the Controller or the Processor violates the Law;
- An order to act on the Data subject's request;
- An order to the Controller or the Processor to bring its processing into compliance with the Law in a specified manner and within a specified period;
- An order to notify the person whose personal data is affected of a personal data breach;
- An order to temporarily or permanently restrict processing, up to and including a ban on personal data processing;
- An order to rectify or erase personal data or to restrict processing, together with an order to the Controller to notify the other Controllers, the Data subject and the recipients to whom the personal data have been disclosed or shared.
What Is the Inspection Supervision Plan?
Under the Law on Inspection Supervision, every authority responsible for inspection supervision must adopt an annual Plan of Inspection Supervision setting out the activities it will carry out during the year, and every three months an Operational Plan of Inspection Supervision specifying the activities for the following period.
Before inspection supervision, the Commissioner may send companies self-assessment checklists, which they complete on their own; based on the answers, the Commissioner assesses the level of risk and draws up the plan for conducting inspections.
Analyzing the Commissioner's Plan of regular Inspection Supervision for 2021 shows several types of inspection supervision directed at different Controllers.
For example, the regular supervision conducted by the Commissioner under the Plan of Inspection Supervision can be further divided into:
- Planned supervision, with a focus on:
a) Ministries, cities, and provinces;
b) E-commerce stores.
- In addition to planned supervision, there is also so-called targeted supervision; if you fall into either of the following categories, you may be first in line as a subject of supervision:
a) The analysis of your self-assessment checklist placed you at the critical or high-risk level;
b) You did not submit the required self-assessment checklist.
In addition to regular supervision, the Commissioner may conduct special inspection supervision, both ex officio and on the basis of proposals and complaints from third parties.
According to the Commissioner's statement of November 12, 2021, the authority sent self-assessment checklists to over 1,007 companies during 2021 and then scheduled regular supervision of 186 of them.
The Plan of Inspection Supervision for 2021 further states that, based on the analysis of the completed self-assessment checklists, the Commissioner concluded that supervised entities do not fully understand the questions asked and are unfamiliar with the legal terminology, even though the questions in the checklists refer to specific provisions of the Law.
The Commissioner also concludes from the responses that a large number of the people handling this area at supervised entities have no specific professional qualifications, nor professional knowledge and experience in the field of personal data protection.
Inspection Supervision of E-Commerce Stores
E-commerce stores are typical places where large amounts of information that qualifies as personal data under the Law are handled on a daily basis. This ranges from basic personal data such as name and phone number to data that may not seem personal at first glance: IP addresses, IMEI numbers, GPS location, and various passwords and account data for social media.
This is one of the likely reasons why the Commissioner stipulated in the Plan of Inspection Supervision for 2021 that Department II (within the Supervision Sector) will carry out targeted supervision of E-commerce stores.
Since the Plan of Inspection Supervision already designates E-commerce stores as subjects of regular inspection supervision, the current action is nothing new but follows previously adopted acts.
Even though E-commerce stores handle a vast amount of information that constitutes personal data under the Law, this need not be a problem for companies that comply with the clear rules in force in this area. In our previous blogs, we discussed the key steps toward legal compliance that every company processing personal data must take.
Firstly, it should be emphasized that E-commerce stores, like any other company bound by the Law on Personal Data Protection, must follow these principles:
- Purpose limitation: data may be collected only for specified purposes and processed only in line with them. For example, if a customer provided their email address on your website to register an account, they did not thereby consent to receiving promotional offers from your company or your partners by email; that requires a separate legal basis;
- Data minimization: only data necessary for the purpose may be collected. For example, if you run an E-commerce store and want to perform a sales contract, the customer's name and delivery address are sufficient for that purpose, and collecting their unique personal identification number or date of birth would not be in accordance with this principle;
- Storage limitation. For example, if you use video surveillance to protect the safety of property and persons, you must adopt an appropriate internal act that sets the retention period of the recordings, who is responsible for them, and how the data is destroyed.
The consequences of negligence can be severe, not only financially but also reputationally, and can seriously harm the business and even threaten the company's existence.
By conducting business conscientiously, companies, including E-commerce stores, can avert the adverse consequences mentioned in our blog and improve their business.
Particular attention should be paid to the most common subjects of the Commissioner's inspections, namely whether the company has:
- A Data Protection Officer (appointment is mandatory only in the cases prescribed by the Law);
- Records of processing activities;
- An internal document on personal data protection, and whether it actually implements the personal data protection measures it describes.
Lately, E-commerce stores have been the Commissioner's focus, and this is likely to remain so in the coming period, although the Commissioner may also direct his activities at other groups of Controllers.