You are surely interested to know what consequences your company could face in the light of non-complying with the Law on Personal Data Protection (hereinafter: Law). Who is held responsible for violating the Law, what are the potential penalties, to what extent they may impact the company’s business activities, who controls whether you are collecting and processing personal data in line with the Law, and are the fines any similar to those provided by the GDPR?
If you believe that the Law on Personal Data Protection is nothing but a heap of rules without any purpose, i.e., nothing but a dead letter, you might wish to think twice.
Since the implementation of the GDPR in the European Union in May 2018, as well as the adoption of the Law in Serbia in 2019, people’s awareness with respect to their privacy rights has radically increased.
This undoubtedly signals the importance of Serbian companies taking the implementation of the Law seriously. Further emphasizing the significance of personal data protection rights is the fact that the Constitution of the Republic of Serbia guarantees them in the section on human and minority rights and liberties.
We have already seen, many times, how seriously the European Union has taken this task by enforcing the GDPR, so we can conclude that in the event of similar personal data leakage in our country, the future of the company that made the offense will not look bright.
So, what are the dangers that your company could potentially face?
We will start with those dangers that people frequently fear the most, which is the penal liability.
1. Administrative Liability
The Law lists as many as 32 offenses under which the data controller, i.e. the processor may be punished. Among the listed offenses are conducting the data processing in a manner that is not compliant with the key principles of data processing, conducting data processing for purposes contrary to the Law, not delete the personal data in accordance with the Law, and not notifying the Commissioner on the breach of a data breach, etc.
Due to the stated offenses, the Misdemeanor Court may impose a fine on the legal entity, which is a data controller, or the data processor, in the amount of RSD 50,000 to RSD 2,000,000. If it is determined that the data controller or the processor simultaneously committed several offenses, they may be fined up to RSD 4,000,000.
Moreover, a fine in the range of RSD 5,000 to RSD 150,000 may be imposed on a natural person who does not keep as a professional secret personal data that they acquired through employment.
In addition to the stated fines, if the data controller, or processor as a legal person violates the obligations provided by the Law, the Commissioner may fine them with a misdemeanor report with a fine amounting to RSD 100,000. Precisely, the following actions are in question:
- proceeding with the processing for the purpose of direct marketing when the data subject filed an objection to such processing;
- not appointing a representative in the Republic of Serbia;
- not publishing the contact information of the DPO (Data Protection Officer)and not submitting it to the Commissioner, etc.
How to Determine the Fine?
When determining the exact amount of the fine, the following is taken into account: the gravity and the consequences of the committed offense, nature of the offense, the number of data subjects affected by the offense, damage suffered, duration of offense, type of violated personal data, measures taken to mitigate the damage, whether the offense was reported, etc.
So, all of these circumstances will be taken into account once the Misdemeanor Court will be considering the amount of the fine. Hence, if you violate the regulations on the protection of personal data, you should still take all the possible actions in order to minimize the consequences of the breach.
The GDPR Fines Policy in the European Union
If you believe fines prescribed for violating the Law on Personal Data Protection in Serbia are high, again, think twice.
Namely, the GDPR predicts that the companies that violate the personal data may face robust fines reaching up to 4% of their entire global yearly turnover, or up to 20 million euros, depending on which of the two amounts is higher. This means that the companies to which GDPR applies may easily face catastrophic consequences and face sky-high penalties!
When we look at these astronomical figures, we get the impression that the companies always face fines amounting to millions if they violate the GDPR, as we have already established from the examples of British Airways and Marriott International. However, the reality is actually different. From our current practice, we concluded that smaller companies were also fined for GDPR breaches in amounts of several hundred or thousands of euros, all in proportion to the above-stated fines criteria. So, for example, a medical facility in Bulgaria was fined in the amount of EUR 510, a car rental company in the Czech Republic was fined EUR 1,1650, whereas, in Austria, a betting place was fined in the amount of EUR 4,800.
2. Criminal Liability
How seriously one should take the protection of personal data, becomes clear when we take into account the fact that the Criminal Code foresees imprisonments as a penalty for the breach. In addition, it is important to note that only natural persons may be criminally liable.
The Criminal Code provides that, in the case when the personal data is collected, processed, and used based on the law, and an unauthorized person obtains it, discloses it, or uses it for an intended purpose, they may be fined or imprisoned for a year. The same applies to those who, contrary to the law, collect data on the identity of citizens or use such collected data. Also, if this act is done by an official person on official duty, they are threatened with imprisonment for up to 3 years.
As discussed, the Criminal Code entails a wide range of actions that can be considered a criminal act of unauthorized collection of personal data, more precisely, it refers to any data processing contrary to the principles of processing, which we discussed in detail in our previous blog post on the new Law on Personal Data Protection in Serbia.
Given that there is still no case law regarding the commission of this crime, it remains to be seen to what extent the courts will sanction the perpetrators.
3. Reputational Risk
The dangers that companies face when breaching data protection laws are not only monetary. The loss of trust in the company on part of clients whose data have been breached may have far greater consequences.
In contrast to fines, which typically have a single impact on a company’s financial status and can be overcome by successful companies relatively easily, a damaged reputation stemming from compromising clients’ personal data can result in numerous adverse repercussions over time. In addition to financial losses, these consequences can be reflected in the loss of existing or potential customers, reduced business, loss of potential investments, and falling market value of the company.
Startups should pay special attention to personal data protection so that their future business activities would not be questioned. Also, if they want to find partners who would invest in their company, or they want to sell the company, they will certainly be asked about this during the due diligence procedure. Learning that a company has violated the personal data of its clients can result in the loss of important investments, which can eventually lead to the closing of the company, which would otherwise have a bright future.
4. Non-Monetary Liability
The Commissioner for Information of Public Importance and Data Protection as the authority responsible for supervising the law enforcement is entitled to, among other things:
- inform the data controller or the processor on potential breaches of the Law,
- request and be granted access from the data controller and processor to all personal data, as well as to information required for the exertion of its authorities,
- request and be granted access to all premises of the data controller and the processor, including access to all assets and equipment.
In addition, the Commissioner is authorized to take corrective measures, which means they are authorized to order the data controller and the processor to act upon the request of the relevant person regarding the exertion of their rights, to align processing activities with the provisions of the Law, to order the data controller to inform the relevant person on the breach of personal data, to impose temporary or permanent restrictions to personal data processing activities, including the prohibition of data processing, etc.
In this manner, the Commissioner occupies an active role in the personal data protection procedure and the removal of the committed breaches.
What Can Data Subjects Whose Data Was Breached Do?
The data subject is entitled to file a complaint to the Commissioner if they believe that the processing of their personal data was executed contrary to the Law. In that case, the Commissioner is obliged to inform the data subject on the course of the procedure, and the results, as well as on the right of the data subject to initiate a court proceeding. The Commissioner can perform one of the above-stated actions within this procedure, as well as all other actions authorized under the Law. If the data subject is unsatisfied with the Commissioner’s decision, the proceedings before the administrative court can be initiated.
In addition, data subjects whose data were breached are entitled to initiate litigation against the data controller or the processor by means of which they will, among other things, request correction, or deletion of the data, as well as the termination of data processing. It is important to note that filing this lawsuit does not affect the entitlement of the data subject to initiating other procedures of administrative or court protection.
Our Law fully adhered to the provisions of the GDPR in this area of personal data protection as well.
5. Compensation
Although compensation due to personal data breaches has not drawn greater attention so far, it may cause greater financial consequences than the penalties foreseen by the Law.
Specifically, individuals whose personal data has been unlawfully processed and as a result have incurred material or non-material damages have the right to seek compensation through legal action against the data controller or processor responsible. During the litigation process, the court will determine whether the data subject has indeed suffered damages and, if so, what constitutes fair compensation for those damages.
The data controller, i.e., the processor is held harmless from damages only if they prove they are not responsible for incurring the damages in any way.
However, it should be noted that the incurred damages may be both material and non-material. Therefore, apart from financial losses, the data subject can suffer damages due to unlawful processing (e.g. if data on their credit card are hacked), unlawful data processing may violate their reputation, honor, freedom, and personal rights…
The compensation will be determined by the court in relation to each specific case. As the Law on Personal Data Protection has come into force relatively recently, there is still no case law on the basis of which any conclusions could be drawn.
The current practice of the courts of the European Union has demonstrated that these amounts may range from several hundred euros to several hundred thousand euros, as was ruled by the prosecutors in the case Gulati versus MGN Ltd due to hacking phone numbers of celebrities by well-known magazines Daily Mirror, the Sunday Mirror, and the People.