Tic-Toc, the Clock is Ticking… Is Your Company Compliant With the New Law on Personal Data Protection?

PART I

Under the new Law on personal data protection, all companies are obliged to implement numerous procedures and adopt a significant number of documents by August 21, 2019. In a series of blog posts, we will clarify the crucial novelties introduced by the new Law.

16 July 2019

A rock star among legal documents, the General Data Protection Regulation (hereinafter: GDPR), which attracted enormous media interest and an unprecedented level of lobbying, began to apply on May 25, 2018. GDPR completely transformed the understanding of how important the processing and protection of personal data are in the digital age.

Although it is an EU regulation, under certain conditions Serbian companies must comply with the GDPR as well. If you are not certain whether you should be worried about the application of GDPR’s provisions, you can find out by following the instructions in our blog Territorial Scope of GDPR in Serbia.

Unfortunately, if you believe you have escaped the application of this lengthy regulation, which runs to an unbelievable 88 pages, stipulates numerous obligations for companies and carries enormous penalties of up to EUR 20,000,000.00 or 4% of the total worldwide annual turnover of the preceding financial year, whichever amount is higher, such happiness will be short-lived.

Under the influence of GDPR, and for the purpose of harmonization with EU law, Serbia enacted the new Law on personal data protection in November 2018, adopting the majority of GDPR’s principles and standards. Even though the new Law on personal data protection has been the subject of significant criticism (which we have already covered in our blog Ministry of justice got lost in translation – again?), it is certain that it introduces an incomparably higher standard of personal data protection. The higher standard of protection, however, implies more obligations for everyone who processes personal data.

Just like GDPR, which was adopted in 2016 and began to apply two years later, the new Law on personal data protection (hereinafter: the new Law) gave all legal subjects a period of 9 months to harmonize their activities and business with its provisions.

That period expires on August 21, 2019, when the new Law starts to apply.

Some of the novelties that may interest you are explained further in this blog. Although the new Law also regulates the processing of personal data by state organs and institutions, this text focuses solely on the private sector, with an emphasis on companies.

Does the New Law on Personal Data Protection Affect My Company?

The Law on personal data protection applies to everyone who processes personal data. Processing means any automated or non-automated action related to personal data, such as collection, recording, organization, consultation, erasure, storage, as well as all other actions relating to personal data.

For example, merely storing personal data on a server, without having any insight into that database, is enough for you to be processing personal data and therefore subject to the new Law.

We frequently come across statements from our clients who claim they do not process personal data. This misconception is incredibly widespread. In fact, almost every company processes personal data.

Even if a company does not process the personal data of third parties in the course of its main (basic) business activity (for example, the personal data of consumers), it certainly processes the personal data of its employees and job candidates.

If you are an employer and would like to find out what you should pay attention to, please see our blog 9 Most Common Misconceptions of Employers on Personal Data Protection.

The provisions of the Law apply to the processing of personal data performed by a controller or a processor whose seat (in the case of a legal entity) or residence is in the territory of Serbia, in the course of activities performed on the territory of Serbia, whether or not the processing itself is performed on the territory of Serbia.

Does the Law on Personal Data Protection Affect Foreign Companies Whose Seat is Not in Serbia?

Just as the GDPR provisions can, under certain conditions, apply to companies without any business presence within the EU, the new Law can also apply to the processing of personal data of data subjects by a controller or a processor without a seat in Serbia. For such extra-territorial application, one of the following two requirements has to be fulfilled:

1. The processing is related to an offer of goods or services to a data subject in the territory of Serbia, whether or not that person is required to pay for those goods or services;

Therefore, if your company engages in electronic commerce and also offers goods and/or services in the territory of Serbia, with an option of shipping to Serbia and marketing activities directed towards buyers from Serbia, you have to comply with the new Law despite not having your seat in Serbia.

2. The processing is related to monitoring the activities of a data subject, and those activities are conducted in the territory of the Republic of Serbia.

Therefore, foreign companies that monitor the behavior of citizens in the territory of Serbia (for example, through “tracker” cookies) will have to act in accordance with the new Law, even if their seat is not in Serbia.

In Which Cases Does the New Law on Personal Data Protection Not Apply?

  • The new Law does not apply when natural persons process data for their own needs. For instance, a person who keeps names and phone numbers in their phone’s memory for private purposes has no obligations under the new Law.
  • The new Law also does not apply to anonymous data, i.e. data from which it is impossible to identify a person (either directly or indirectly).
  • The Law also does not apply when there is no personal data database, i.e. the data is neither systematized nor structured.

In all other instances, the new Law on Personal Data Protection should be complied with.

What is the First Step in Complying With the New Law on Personal Data Protection?

As the first step, companies will have to perform so-called “data mapping”. This process means establishing which personal data they collect, in what manner, from whom, in what form and for what purpose. Moreover, companies should establish, through analysis, the legal grounds for processing, how long the personal data are kept, which protection measures apply, with whom the data may be shared, whether personal data are transferred outside of Serbia, etc.

In order to harmonize their activities with the Law, companies should draft or revise a complete set of internal documents and implement appropriate procedures.

The Notion of Personal Data Has Been Extended

In order to perform data mapping adequately, you need to understand that the new Law extends the concept of personal data to every piece of information relating to a natural person on the basis of which that person is, directly or indirectly:

  • identified

or

  • identifiable.

Therefore, we are not just talking about first and last names, personal identification numbers, addresses and everything else that identifies us directly. We are also talking about a multitude of information on the basis of which a person can be indirectly identified.

Among the personal data on the basis of which a person can be indirectly identified is a large amount of our data on the Internet (IP address, IMEI number of the device through which we access the Internet, GPS location, passwords, e-mail user accounts and social network accounts, etc.). It is now clear that such information counts as personal data and is entitled to special protection.

The Six Commandments of Personal Data Processing

During the procedure of complying with the new Law, as well as whenever processing personal data afterwards, companies will constantly need to observe six principles of personal data processing. We named them the “six commandments”, since all procedures and rules a company implements have to comply with all six principles at all times. Merely violating these principles, without breaching any other provision of the Law, can result in liability for a misdemeanor and monetary fines of up to RSD 2,000,000.00.

Lawfulness, fairness and transparency
Personal data must be processed in accordance with the new Law or another law which regulates the processing of personal data, in a fair and transparent manner.
Example: Every company with a website through which it collects personal data will need to publish a Privacy policy. The Privacy policy now needs to include a whole set of compulsory elements. If one or more of those elements is absent, the transparency principle is violated.

Limitation
Personal data may be collected solely for a purpose that is specifically defined, explicit, justified and lawful.
Example: On your website, a buyer provided you with their e-mail address of their own accord, because it is necessary to register an account. The purpose of providing that personal data is therefore account registration. By doing so, the buyer did not consent to receiving your company’s or your partners’ promotional offers. If you were to use the e-mail address for that purpose, in the absence of another legal ground for processing, your actions would be unlawful.

Data minimization
Personal data being processed must be adequate, relevant and limited to what is necessary for the purpose for which it is processed.
Example: If you engage in electronic commerce and wish to perform a sale and purchase agreement by delivering a product to a customer’s address, you need neither their personal identification number nor their date of birth for that purpose. If you nevertheless collect this data, the processing is unlawful, since you have collected more than is needed for the stated purpose.

Accuracy
Personal data must be accurate and, where necessary, kept up to date.
Example: If a person subscribes to the weekly delivery of a magazine and later changes their address from the one designated in the contract at the time of its conclusion, the controller is obliged to update that data so that the contract can be properly performed.

Storage limitation
Personal data must be kept in a form that allows identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Example: If a company uses video surveillance to secure the safety of property and people, it is highly important for it to adopt adequate internal documents prescribing how long the data collected through that video surveillance will be kept, who is responsible for the storage period, how the video records will be destroyed, etc.

Integrity and confidentiality
Personal data must be processed in a manner that ensures its appropriate security.
Example: If a company uses software for processing the personal data of its employees, it is very important to determine clearly which persons are authorized to access the data in the database. Moreover, those persons need to sign confidentiality agreements/statements.

When Can I Process Personal Data?

We have previously mentioned that each instance of processing must have a clearly determined, explicit and justified purpose. Furthermore, the purpose needs to be lawful.

What does that mean?

For processing to be lawful, its purpose must fall under one of six legal grounds. Therefore, while there can be an unlimited number of processing purposes, each of them needs to be subsumed under one of the six legal grounds.

Does the New Law Relieve Companies of Any Obligations?

The new Law abolished compulsory registration in the Central register of personal data databases. There is no longer an obligation to notify the Commissioner of the intent to establish a personal data database, nor an obligation to register personal data databases.

In the future, records of personal data databases will be maintained by controllers or processors themselves, and whoever processes the data will be responsible for the lawfulness of the processing.

Nevertheless, the abolition of this obligation does not mean that the position of companies has improved, or that things will be easier for either controllers or processors in the future. In fact, a heavy burden of responsibility has been transferred to companies. In the procedure of registering a personal data database, the Commissioner’s office gave companies instructions and advice, and their processing of data acquired a kind of formal approval of legality and legitimacy, which served to prevent potential problems. Now, companies no longer have that “luxury” and must assess on their own whether the processing is lawful. That means that companies now bear an incomparably greater risk.

Is this Everything that My Company Should Know?

Unfortunately, there are more important questions that need to be kept in mind until August 21, 2019.

In the next blog in the data protection series, we will deal in particular with questions such as the Data Protection Officer (DPO), technical measures for the protection of personal data, pseudonymization, and data subject rights.
