Violation of the Law on Personal Data Protection in Serbia – 5 Consequences

PART III

The new Law on Personal Data Protection in Serbia started to apply on August 21, 2019. In a series of blog posts, we outline the key novelties the new Law has introduced.

16 Sep 2019


You are surely interested to know what consequences your company could face if it fails to comply with the Law on Personal Data Protection in Serbia. Who is held responsible for violating the Law, what are the potential penalties, to what extent may they impact the company’s business activities, who controls whether you are collecting and processing personal data in line with the Law, and are the fines at all similar to those provided by the GDPR?

If you believe that the Law on Personal Data Protection is nothing but a heap of rules without any purpose, i.e., nothing but a dead letter, you might wish to think twice.

Since the GDPR took effect in the European Union in May 2018 and was followed by the Law on Personal Data Protection in Serbia (hereinafter: the Law), people’s awareness of their rights has radically increased, which is surely another indication of how seriously Serbian companies should take the implementation of the Law. What reaffirms the importance of the right to personal data protection is the fact that the Constitution of the Republic of Serbia guarantees it in the section on human and minority rights and liberties.

We have already seen how seriously the European Union has taken this task by enforcing the GDPR, so we can conclude that in the event of a similar personal data leak in our country, the future of the company that committed the offense does not look bright.

What dangers could your company potentially face?


We will start with the danger people frequently fear the most, namely penal liability.

1. Administrative Liability

The Law lists as many as 32 offenses for which the data controller or the processor may be punished. Among the listed offenses are: personal data processing that is not in accordance with the key principles of data processing, data processing for purposes contrary to the Law, failure to delete personal data in accordance with the Law, and failure to notify the Commissioner of a personal data breach.

For the stated offenses, the Misdemeanor Court may impose a fine on the data controller or the processor acting as a legal person within a range from RSD 50,000 to RSD 2,000,000. If it is established that the data controller or the processor simultaneously committed several offenses, they may be fined up to RSD 4,000,000.

Moreover, a natural person who does not keep personal data confidential, which they acquired through employment, may be fined from RSD 5,000 to RSD 150,000 for the committed offense.

In addition to the stated fines, if the data controller or processor as a legal person violates the obligations provided by the Law, the Commissioner may issue a misdemeanor order imposing a fine of RSD 100,000. Violations of these obligations include, among other things, the following:

  • continuing processing for the purpose of direct marketing after the data subject has filed an objection to such processing;
  • failing to appoint a representative in the Republic of Serbia;
  • failing to publish the contact details of the DPO (Data Protection Officer) and to deliver them to the Commissioner, etc.

How Is the Fine Determined in Each Individual Case?

Please note that when determining the exact amount of the fine, the following is taken into account: the gravity and consequences of the committed offense, the nature of the offense (more precisely, the number of data subjects affected by the offense), the damage suffered, the duration of the offense, the type of personal data affected, the measures taken to mitigate the damage, whether the offense was reported, etc.

These are the circumstances that the Misdemeanor Court considers when determining the amount of the fine. Therefore, if you violate the regulations protecting personal data, you are advised to take all possible steps to minimize the consequences of the offense.

The GDPR Fines Policy in the European Union

If you believe fines prescribed for violating the Law on Personal Data Protection in Serbia are high, again, think twice.

Namely, the GDPR provides that companies which violate personal data protection rules may face robust fines of up to 4% of their entire global yearly turnover, or up to 20 million euros, whichever of the two amounts is higher. This means that companies to which the GDPR applies may easily face catastrophic consequences and sky-high penalties!

When we look at these astronomical figures, we get the impression that companies always face fines amounting to millions if they violate the GDPR, as the examples of British Airways and Marriott International have shown. However, the reality is actually different. From our current practice, we concluded that smaller companies were also fined for GDPR breaches in amounts of several hundred or several thousand euros, all in proportion to the above-stated fine criteria. So, we have examples such as a medical facility in Bulgaria that was fined EUR 510, a car rental company in the Czech Republic that was fined EUR 1,1650, whereas in Austria, a betting shop was fined EUR 4,800.


2. Criminal Liability

The fact that the Criminal Code provides for imprisonment as a penalty for breaches of personal data protection shows how seriously personal data protection is taken. In addition, it is important to note that only natural persons may be criminally liable.

The Criminal Code provides that whoever, without authorization, obtains, communicates to another person or uses for a purpose other than the intended one personal data that are collected, processed and used under the Law, or who, contrary to the law, collects personal data of data subjects or uses such data, may be fined or imprisoned for up to one year. If this act is committed by an official person in the course of official duty, the penalty is imprisonment for up to 3 years.

As discussed, the Criminal Code covers a wide range of actions that can be considered the criminal act of unauthorized collection of personal data; more precisely, it covers any data processing contrary to the principles of processing, which we discussed in detail in our previous blog post on the new Law on Personal Data Protection in Serbia.

The future will certainly tell to what extent the courts will sanction those who commit this criminal offense.

3. Reputational Risk

The dangers that companies face when breaching data protection laws are not only monetary. The loss of trust in the company on the part of clients whose data have been breached may have far greater consequences.

Penalties have a one-time effect on a company’s finances, from which a successfully operating company can frequently recover. A reputation stained by compromising clients’ personal data, on the other hand, may bring long-term catastrophic financial consequences. These may manifest as the loss of existing or prospective clients, decreased business activity, loss of potential investments, a plunge in the company’s market value…

Start-up companies must pay special attention to personal data protection so that their future business activities are not called into question. In addition, if they wish to find partners who would invest in their company, or if they want to sell their company, the due diligence procedure will certainly lead to the loss of important investments if it is discovered that they have violated their clients’ personal data, which may even lead to the closing of a company that would otherwise have a bright future.


4. Non-Monetary Liability

The Commissioner for Information of Public Importance and Personal Data Protection, as the authority responsible for supervising the enforcement of the Law, is entitled, among other things, to inform the data controller or the processor of potential breaches of the Law, to request and be granted access by the data controller and processor to all personal data as well as to the information required for the exercise of its powers, and to request and be granted access to all premises of the data controller and the processor, including access to all assets and equipment.

In addition, the Commissioner is authorized to take corrective measures, which means it may order the data controller and the processor to act upon the request of the data subject regarding the exercise of their rights, to align processing activities with the provisions of the Law, to order the data controller to inform the data subject of the personal data breach, to impose temporary or permanent restrictions on personal data processing activities, including a prohibition of data processing, etc.

In this way, the Commissioner takes an active role in the personal data protection procedure and in remedying the committed breaches.

What Can Data Subjects Whose Data Were Breached Do?

The data subject is entitled to file a complaint with the Commissioner if they believe that the processing of their personal data was carried out contrary to the Law. If so, the Commissioner is obliged to inform the applicant of the course of the procedure, the results of the procedure, and the applicant’s right to initiate court proceedings. Within this procedure, the Commissioner can take any of the above-stated actions, as well as all other actions it is authorized to perform under the Law. The data subject has the right to initiate an administrative lawsuit against the Commissioner’s decision.

In addition, data subjects whose data were breached are entitled to initiate litigation against the data controller or the processor, in which they may, among other things, request the correction or deletion of the data as well as the termination of data processing. It is important to note that filing this lawsuit does not affect the data subject’s entitlement to initiate other procedures of administrative or court protection.

Our Law fully adheres to the provisions of the GDPR in this area of personal data protection as well.


5. Compensation

Although compensation for personal data breaches has not drawn much attention so far, it may cause greater financial consequences than the penalties foreseen by the Law.

Namely, a data subject who suffered material or non-material damage due to the unlawful processing of their data is entitled to demand compensation by means of a lawsuit against the data controller or the processor who caused it. Within the litigation, the court will decide whether the data subject has actually suffered damage and, if so, what fair compensation for the suffered damage will amount to.

The data controller or processor is held harmless from damages only if they prove that they are not responsible for causing the damage in any way.

The incurred damage may be both material and non-material. Therefore, apart from financial losses that a data subject may suffer as a result of unlawful processing (e.g. if their credit card data are compromised), unlawful data processing may also violate their reputation, honor, freedom and personal rights…

What Are the Compensation Amounts?

The court shall determine the amount of damage suffered in each specific case. As the implementation of the Law has only just begun in our country, it is still unknown what stance the courts will take on this matter, when they will grant data subjects’ claims for compensation and in what amounts. The current practice of courts in the European Union has demonstrated that these amounts may range from several hundred euros to several hundred thousand euros, as was awarded to the claimants in the case Gulati v MGN Ltd over the phone hacking of celebrities by the well-known newspapers the Daily Mirror, the Sunday Mirror and the People.
