Privacy of Citizens Is (not) Worth EUR 100?

The termination of the state of emergency in the Republic of Serbia after almost two months has been joyfully welcomed for multiple reasons. Besides the chance to take advantage of sunny spring days by spending them in nature, adult Serbian citizens got an opportunity to obtain one-time financial assistance from the government in the amount of EUR 100: the sole requirement is to submit their personal data, including the unique personal identification number, personal ID number, and the name of the bank where they have a bank account opened.

Although it sounds like a tempting opportunity that should not be wasted, from the data protection point of view, it raises the question of whether this privilege is being implemented in accordance with the law and fundamental principles of personal data protection.

Applying for the one-time financial assistance is performed electronically, by filling out a special form with the necessary information. In addition to the form itself, some information is provided regarding the processing of collected data, as an attempt to fulfill the principal transparency requirements. Despite that, information that is significant for the citizens has been overlooked when it comes to data processing.

(Another) Unsuccessful Attempt of the Ministry to Apply the Law on Personal Data Protection

From the beginning, the announced payout of the one-time financial assistance caused intense reactions from the academic community in the area of personal data protection. Namely, at the end of April 2020, the Ministry of Finance announced that citizens would be obliged to disclose their personal name and surname, unique personal identification number, personal ID number, and the name of the chosen bank in order to apply for the financial assistance.

The suggestions of the academic community, pointing out that collecting and processing of all the mentioned data would not be in accordance with the Law on Personal Data Protection (hereinafter referred to as: the Law), caused the Ministry to try and comply with the recommendations and legal provisions.

However, that attempt remained unsuccessful.

Although the Ministry did exclude the obligation of submitting the citizen’s name and surname, unfortunately, it also failed to provide all the mandatory notices to the citizens – data subjects.

According to the Law, in this case, the Ministry of Finance acts as a personal data controller. Each controller, regardless of whether it is a government authority or not, is under clearly prescribed legal obligations, which have to be fulfilled whenever it comes to personal data processing. Otherwise, some of the fundamental citizens’ rights regarding privacy and personal data protection may be breached.

Article 23 of the Law prescribes the responsibilities of the data controller towards data subjects at the moment of data collecting. Among other things, the Ministry failed to provide the majority of the following, mandatory information:

The lack of necessary notices in this particular situation raises the question of the legitimacy and safety of personal data processing. Citizens are entitled to the right to be informed clearly and transparently about all the above-mentioned issues, and the fact that they are being held back from exercising that right creates legal insecurity and questions the existence of a lawful state.

In addition to all of the above, this method of providing financial assistance creates many possibilities for violation and raises numerous questions from the aspect of data protection, such as:

  • Is it really necessary to collect both the unique personal identification number and personal ID number?
  • Which safety measures are being implemented in order to protect the collected data?
  • Who are the persons authorized to collect and process data and are they specialized in the area of data management?

The significance of citizens’ privacy and personal data protection cannot be justifiably decreased under any circumstances. It is particularly disturbing that the focus, in this case, is on the executive authority, which should represent a positive rather than negative example for other personal data controllers and processors.

The above-mentioned questions remain unanswered, and the duty of competent authorities to eliminate existing dilemmas is beyond doubt. That includes, primarily, the highly necessary intervention of the Commissioner for Information of Public Importance and Personal Data Protection, and afterward, an adequate subsequent reaction of the Government of Serbia and the competent Ministry.
