In our previous blog post, Basic Concepts of The Law on Personal Data Protection In Serbia, we explained when the new Law applies, what personal data is, and what the principles and legal grounds for personal data processing are. In this blog, we will cover the technical measures of personal data protection, the Data Protection Officer, and the rights of the data subject.
The security of personal data is one of the key founding principles of the Law. In light of that, the Law obliges the controller to take adequate technical, organizational, and personnel measures to ensure that personal data processing is carried out in accordance with the Law. In doing so, the controller should take into account the nature, scope, circumstances, and purpose of processing, as well as the assessment of the risk to the rights and freedoms of natural persons.
If needed, the controller must be able to demonstrate that it has acted in compliance with this legal requirement.
Even though the above-mentioned provision may seem imprecise, the Law actually follows the approach of the General Data Protection Regulation (GDPR), which takes into account increasingly rapid technological progress as well as the various areas in which personal data processing takes place. That is why the Law is reluctant to specify in detail what the “technical, organizational and personnel measures” that the controller should implement are.
Once the protection measures have been implemented, they should not be seen as permanent and unchangeable. On the contrary, the controller should assess and update them, if needed.
The security of personal data protection means that the controller and the processor implement the appropriate technical, organizational, and personnel measures to ensure an adequate level of security of the personal data in relation to the specific risk threatening their security. When doing that, one should have in mind the degree of technological advancement and the cost of implementing the measures, the nature, the scope, the circumstances, and the purpose of processing, as well as the likelihood of the risk occurring and the degree of risk to the rights and freedoms of natural persons.
The significance of implementing the above-mentioned measures is best reflected in the fact that a great number of penalties for violations of the GDPR have been imposed due to a lack of technical security. For example, a penalty of EUR 204,000,000.00 has been imposed upon the company British Airways in the United Kingdom for a personal data violation caused by a hacker attack, as we discussed in our news British Airways and Marriott International Violated GDPR – What Consequences Could They Face?.
In order to choose adequate measures for your company, you will first need to identify which risks threaten the security of the personal data you process, as well as the probability of those risks materializing.
If you process personal data in electronic form, the risks that threaten their security might include unauthorized access to the databases, alteration or deletion of the personal data, and physical damage, due to fire, flood, etc., to servers and other hardware that store the data or are used for other processing operations.
Pseudonymization is personal data processing that prevents personal data from being linked to a particular data subject without the use of additional information. In other words, pseudonymization “hides” the data subject, but it is still possible to ascertain the identity of that person by using additional information. It is very important to keep such additional information separate, as well as to take technical, organizational, and personnel measures to prevent the attribution of personal data to an identified or identifiable data subject.
Anonymization is data processing that causes the permanent inability to ascertain the identity of the data subject. Starting from the moment when the personal data are anonymized, you are no longer in the field of the Law on Personal Data Protection i.e. you are no longer obliged to treat that data in accordance with the Law.
Encryption of data is a protection method that encrypts information and allows access solely to a person who has the encryption key. The encrypted data appear in unreadable form to anyone who tries to access them without the encryption key.
Filing systems have to be kept out of reach of persons within the company who are not authorized to access them. The process of compliance with the Law on Personal Data Protection means that the rights, obligations, and responsibilities of employees in terms of storing and using the filing systems need to be clearly determined. Some data may be available to all employees of the company (for instance, business email addresses), while other data can be available solely to employees with special authorizations (for example, specific persons within the HR department).
In the event that, regardless of the implementation of the protection measures, a personal data breach occurs which can cause a risk to the rights and freedoms of natural persons, the controller must notify the Commissioner about the breach as soon as possible, but within 72 hours of becoming aware of the breach.
On the other hand, the processor must notify the controller about every data breach, regardless of the degree of risk to rights and freedoms of natural persons, without undue delay.
The controller needs to keep a record of all data breaches, which contains details of a breach, the consequences of a breach, and the actions taken for their removal.
If the data breach can cause a high risk to the rights and freedoms of natural persons, the controller needs to notify the data subject without undue delay, unless the controller has taken adequate measures in reaction to the breach.
Therefore, we can see that only a high risk for rights and freedoms of natural persons produces the obligation of notification of the data subjects, while the Commissioner has to be notified in case of less significant risk.
In general, the controller and the processor may designate a Data Protection Officer (DPO) but are not obliged to do that. However, when it comes to business entities, the Law on Personal Data Protection stipulates when the designation of a DPO is mandatory:
- The main activities of a controller or a processor consist of processing activities which, due to their nature, scope, or purposes, require regular and systematic supervision of a great number of data subjects;
- The main activities of a controller or a processor consist of the processing of special categories of personal data (relating to racial or ethnic origin, political opinion, religious belief, etc.) on a large scale.
If a controller or a processor that is a legal entity does not designate a DPO in the above-mentioned cases, it will be fined for a misdemeanor in the range of RSD 50,000 – RSD 2,000,000.
A controller or a processor is obliged to publish the contact information of the DPO and to deliver it to the Commissioner.
- Based on employment.
- Based on another contract.
The DPO is available to data subjects, who can turn to the DPO concerning all matters related to the processing of their data, as well as concerning the realization of their rights.
The DPO answers directly to the manager of the controller or the processor for the fulfillment of the DPO’s legal obligations.
The Law allows the DPO, besides the activities relating to personal data protection at the controller or the processor, to perform other activities and fulfill other obligations. The controller or the processor is obliged to ensure that the performance of other activities and the fulfillment of other obligations do not lead the DPO into a conflict of interest.
- To inform and provide an opinion to the controller or the processor, as well as to the employees who conduct the processing activities, about their legal obligations concerning personal data protection;
- To supervise the enforcement of the provisions of the Law on Personal Data Protection and other laws, as well as internal regulations of the controller or the processor which are related to personal data protection, including the matters of division of responsibility, raising awareness and training of the employees who take part in the processing activities, as well as of control;
- To provide an opinion, when asked, about the assessment of the impact of processing on personal data protection and to follow the actions taken in relation to that assessment;
- To be a contact point for cooperation with the Commissioner and to consult with the Commissioner concerning the matters which relate to the processing of personal data.
If the data are collected from the person to whom the data relate, the controller has to provide that person, at the moment of collecting the data, with the information which the Law prescribes, such as the identity and the contact information of the controller, the contact information of the DPO, the purpose of the intended processing and the legal basis for processing, the recipients, the period of storage of the personal data, the rights of the data subject in relation to their data, as well as other information.
The data subject is entitled to request information from the controller as to whether the controller processes their personal data, to request access to that data, as well as information about the purpose of processing, the types of data which are processed, the period of storage of personal data, the rights of the data subject in terms of processing of their data, and other information.
The controller is obliged, upon the request of the data subject, to deliver a copy of the personal data which it processes and which are related to that data subject.
If the personal data are inaccurate, the data subject is entitled to ask the controller to correct the data without undue delay.
If the personal data is incomplete, taking into account the processing purpose, the data subject is entitled to supplement their personal data.
The data subject is entitled to file a request to the controller for the erasure of their personal data by the controller.
The controller is obliged to erase the personal data if:
- the personal data are no longer necessary for the fulfillment of the purpose for which they have been collected or otherwise processed;
- the data subject revoked their consent based on which the processing has been conducted, and there is no other legal ground for the processing;
- the data subject filed an objection to the processing of their personal data;
- the personal data have been unlawfully processed;
- the personal data have to be erased for the fulfillment of the controller’s legal obligations.
If the controller has publicly published the personal data, its obligation to erase the data includes taking all reasonable measures to notify other controllers which process that data that the data subject has filed a request for the erasure of all copies of this data and of referrals, i.e. electronic links, to this data.
The data subject is entitled to have their personal data processing restricted by the controller in the following cases:
- When the data subject disputes the accuracy of the personal data, in the period which enables the controller to check the accuracy of this data;
- When the processing is unlawful and the data subject is against the erasure of data and, instead of erasure, requests the restriction of the use of the data;
- When the controller no longer needs the personal data for the fulfillment of the processing purpose, but the data subject has asked for them for the filing, the realization, or the defense of a legal claim;
- When the data subject has filed an objection to the data processing, while it is being assessed whether the legal ground for the processing by the controller outweighs the interests of the data subject.
The data subject is entitled to transfer their personal data, which they had previously delivered to the controller, to another controller without interference by the controller to whom that data had been initially delivered, if:
1) the processing is based on the consent of the data subject or it is based on the contract;
2) the processing is performed automatically.
The right to data portability also includes direct transfer from the previous to the new controller.
The data subject is entitled, at any time, to file an objection with the controller against the processing of their personal data which is performed in accordance with the public interest, the fulfillment of the legal authorizations of the controller, or the legitimate interests of the controller or a third party, as the legal grounds of the processing.
The controller is obliged to stop the processing of the data of the person who filed the objection, unless it can prove that there are legal reasons for the processing which outweigh the interests, the rights, or the freedoms of the data subjects, or which are related to the filing, the realization, or the defense of a legal claim.
Finally, in the third and final text in our series of texts about the Law on Personal Data Protection, we will cover the penalty provisions of the new Law.