The Law on Personal Data protection started to apply on August 21, 2019. However, we are sure that you will anyhow find these guidelines on how to get compliant useful.
In our previous blog post, Basic Concepts of The Law on Personal Data Protection In Serbia, we explained when the new Law applies, what is personal data and what are the principles and legal grounds for personal data processing. In this blog, we will cover the technical measures of personal data protection, the Data Protection Officer, and the rights of the data subject.
The security of personal data is one of the key founding principles of the Law. In light of that, the Law obliges the controller to take adequate technical, organizational, and personnel measures to ensure that the personal data processing is carried out in accordance with the Law, while the controller should pay attention to the nature, scope, circumstances, the purpose of processing, the risk assessment for the rights and freedoms of natural persons.
If needed, the controller has to be able to demonstrate to have acted in compliance with this legal requirement.
Even though it may seem that the above-mentioned provision is imprecise, the Law actually follows the approach of the General Data Protection Regulation (GDPR) which takes into account the more and more rapid technological progress as well as various areas in which the personal data processing takes place. That is the reason why the Law hesitantly specifies in detail what are the “technical, organizational and personnel measures” that the controller should implement.
Once the protection measures have been implemented, they should not be seen as permanent and unchangeable. On the contrary, the controller should assess and update them, if needed.
The security of personal data protection means that the controller and the processor conduct the appropriate technical, organizational, and personnel measures, to ensure the adequate level of security of the personal data in relation to the specific risk threatening their security. When doing that, one should have in mind the degree of technological advancements and the expenses of their implementation, the nature, the scope, the circumstances, and the purpose of processing, as well as the chances of the risk occurring and the degree of risk for the rights and freedoms of natural persons.
The significance of the implementation of the above-mentioned measures is best reflected in the fact that a great number of penalties for the violations of the GDPR has been imposed due to the lack of technical security. For example, the penalty of EUR 204,000,000.00 has been imposed upon the company British Airways in the United Kingdom, for the personal data violation due to the hackers’ attack, as we talked about in our news British Airways and Marriott International Violated GDPR – What Consequences Could They Face?.
In order to choose the adequate measures for your company, you will first need to identify which risks threaten the security of the personal data which you process, as well as the probability for those risks and possibilities to become reality.
An example:
If you process the personal data in the electronic form, the risks which threaten their security might include unauthorized access to the databases, alteration or deleting the personal data, physical damage to servers and other hardware which stores the data, or which are used for other processing operations, due to fire, flood etc.
Pseudonymization is personal data processing that disables the connection of personal data with a particular data subject, without using the additional information. In other words, pseudonymization “hides” the data subject, but it is still possible to ascertain the identity of that person by using additional information. It is very important to keep such additional information separate, as well as to take technical, organizational, and personnel measures to prevent the attribution of personal data to an identified or identifiable data subject.
Anonymization is data processing that causes the permanent inability to ascertain the identity of the data subject. Starting from the moment when the personal data are anonymized, you are no longer in the field of the Law on Personal Data Protection i.e. you are no longer obliged to treat that data in accordance with the Law.
Encryption of data is a protection method which encrypts information and enables the access solely to a person which has the encryption key. The encrypted data are shown in unreadable form to whomever wishes to access them without the encryption key.
Filing systems have to be kept far from the persons who are not authorized to have insight into the filing systems within the company. The compliance process with the Law on Personal Data Protection means that the rights, obligations, and responsibilities of employees in terms of storing and using the filing systems need to be clearly determined. Some data may be available to all employees of the company (for instance, business email addresses), while other data can be available solely to the employees with special authorizations (for example, specific persons within the HR department).
In the event that a personal data breach occurs, regardless of the implementation of the protection measures, which can cause a risk to the rights and freedoms of natural persons, the controller has must notify the Commissioner about the breach as soon as possible but within 72 hours as of the date of being aware of the breach
On the other hand, the processor must notify the controller about every data breach, regardless of the degree of risk to rights and freedoms of natural persons, without undue delay.
The controller needs to keep a record of all data breaches, which contains details of a breach, the consequences of a breach, and the actions taken for their removal.
If the data breach can cause a high risk to the rights and freedoms of natural persons, the controller needs to notify the data subject, without the undue delay, unless the controller has taken adequate measures as its reaction to the breach.
Therefore, we can see that only a high risk for rights and freedoms of natural persons produces the obligation of notification of the data subjects, while the Commissioner has to be notified in case of less significant risk.
In general, the controller and the processor may designate a DPO but are not obliged to do that. However, when it comes to business entities, the Law on Personal Data Protection stipulates when the assignment of a DPO is mandatory:
If a controller, or a processor, which are legal entities, do not designate a DPO in the above-mentioned cases, they will be sentenced with a fine for a misdemeanor in the range of RSD 50,000 – RSD 2,000,000.
A controller or a processor is obliged to publish the contact information of a DPO and to deliver them to the Commissioner.
DPO is available to data subjects, who can turn to the DPO concerning all matters related to the processing of their data, as well as concerning the realization of their rights.
DPO directly responds to the manager of the controller or the processor for the fulfillment of the DPO’s legal obligations.
The Law allows for DPO, besides the activities relating to the personal data protection at the controller or the processor, to perform other activities and fulfill other obligations. The controller or the processor is obliged to ensure that the performance of other activities and the fulfillment of other obligations do not lead the DPO into a conflict of interest.
If the data are collected from a person to whom that data is related, the controller has to provide that person with the information which the Law prescribes at the moment of collecting the data, such as identity and the contact information of the controller, the contact information of the DPO, the purpose of the intended processing and legal basis for processing, the recipients, the period of storage of the personal data, the rights of the data subject in relation to their data, as well as other information.
The data subject is entitled to request information from the controller whether the controller processes their personal data, to request access to that data, as well as information about the purpose of processing, about the types of data which are processed, about the period of storage of personal data, about the rights of the data subject in terms of processing of their data, and other information.
The controller is obliged to, after the request of the data subject, deliver a copy of the personal data which it processes, which are related to that data subject.
If the personal data are inaccurate, the data subject is entitled to ask the controller to correct the datawithout undue delay.
If the personal data is incomplete, taking into account the processing purpose, the data subject is entitled to supplement their personal data.
The data subject is entitled to file a request to the controller for the erasure of their personal data by the controller.
The controller is obliged to erase the personal data if:
If the controller had publicly published the personal data, their obligation to erase the data includes taking all reasonable measures for notification of other controllers which process that data that the data subject filed the request for the erasure of all copies of this data and referrals, i.e. electronic links towards these data.
The data subject is entitled to have their personal data processing restricted by the controller in the following cases:
The data subject is entitled to transfer their personal data, which it had previously delivered to the controller, to another controller without interference by the controller to whom that data had been initially delivered, if:
1) the processing is based on the consent of the data subject or it is based on the contract;
2) the processing is performed automatically.
The right to data portability also includes direct transfer from the previous to the new controller.
The data subject is entitled to, at any time, file an objection against the processing of their personal data to the controller, which is performed in accordance with the public interest or the fulfillment of the legal authorizations of the controller, or the legitimate interests of the controller or the third party, as the legal grounds of the processing.
The controller is obliged to stop the processing of the data of the person who filed the objection, unless if it can prove that there are legal reasons for the processing which outweigh the interests, the rights, or the freedoms of the data subjects or which are related to the filing of, the realization of or the legal claim defense.
Finally, in the third and the final text in our series of texts about the Law on Personal Data Protection the penalty provisions of the new Law.
Don’t Let Legal Issues Prevent You From Raising Venture Capital. Know What VC Investors Look For in Advance.May 11, 2023 - 7:26 amStartups must prioritize legal compliance as they seek funding from VC funds. Let’s see what you can do to prepare for the legal due diligence process.
Your Company Is Facing Redundancy? Build Proper Strategy And Avoid Costly MistakesMay 10, 2023 - 2:11 pmIn light of the global trend of mass layoffs, we focus on implementing an appropriate redundancy strategy…
Zunic Law Firm Recognized Among the Leading Firms for Intellectual Property and Employment by Legal500 in 2023April 13, 2023 - 9:43 amZunic Law has been ranked among the top leading Serbian law firms in the EMEA guide by Legal500 for 2023 in two practice areas – Intellectual Property and Employment…
Your Software Development Agreement is Heading for the Rocks…What’s Your Exit Strategy?April 4, 2023 - 8:01 amIt is challenging to plan the exit strategy from a Software Development Agreement with as little harm as possible to the contracting parties…
3 Game Changing Laws Regarding E-Commerce