A rock star among legal documents, the General Data Protection Regulation (hereinafter: GDPR), which attracted enormous media interest and an unprecedented level of lobbying, became applicable on May 25, 2018. GDPR completely transformed the understanding of how important the processing and protection of personal data is in the digital age.
Although it is an EU regulation, under certain conditions Serbian companies must comply with the GDPR as well. If you are not certain whether you should be worried about the application of GDPR’s provisions, you can find out by following the instructions in our blog Territorial Scope of GDPR in Serbia.
Unfortunately for you, if you were convinced that you had escaped the application of this lengthy regulation of an unbelievable 88 pages, which stipulates numerous obligations for companies along with enormous penalties of up to EUR 20,000,000.00 or 4% of the total worldwide annual turnover of the preceding financial year, whichever amount is higher, well, you were wrong.
Under the influence of GDPR, and for the purpose of harmonization with EU law, Serbia enacted the Law on Personal Data Protection in November 2018, adopting the majority of the principles and standards of GDPR. Even though the new Law on Personal Data Protection is subject to significant criticism (which we have already covered in our blog Ministry of justice got lost in translation – again?), it certainly introduced an incomparably higher standard of personal data protection. The higher protection standard, however, implies more obligations for everyone who processes personal data.
Just like the GDPR, which was adopted in 2016 and began to apply two years later, the new Law on Personal Data Protection (hereinafter: the new Law) gave all legal subjects a period of 9 months to harmonize their activities and business with its provisions.
That period expired on August 21, 2019, which is when the Law started to apply.
But better late than never. It is useful to become familiar with the obligations that this Law imposes, so that you can get your company compliant. Even though the new Law also regulates the processing of personal data by state organs and institutions, this text will focus solely on the private sector, with an emphasis on companies.
Some of the novelties that you may be interested in are explained further in this blog.
The Law on Personal Data Protection applies to everyone who processes personal data. Processing means any automated or non-automated action performed on personal data, such as collection, recording, organization, consultation, erasure and storage, as well as any other action relating to personal data.
For example, merely storing personal data on a server, without ever looking into that database, is enough for you to be processing personal data and thus to be subject to the Law.
We frequently come across statements from our clients claiming that they do not process personal data. This misinterpretation is incredibly widespread. In fact, almost every company processes personal data.
Even if a company does not process the personal data of third parties in the course of its main (basic) business activity (for example, the processing of consumers’ personal data), it certainly processes personal data concerning its employees and job candidates.
If you are an employer and would like to find out what you should pay attention to, please see our blog 9 Most Common Misconceptions of Employers on Personal Data Protection.
The provisions of the Law apply to the processing of personal data performed by a controller or processor whose seat (in the case of a legal entity) or residence is in the territory of Serbia, in the course of activities performed in the territory of Serbia, regardless of whether the processing itself is performed in the territory of Serbia.
Just as the GDPR’s provisions can, under certain conditions, apply to companies with no business presence in the EU, the new Law can also apply to the processing of data subjects’ personal data by a controller or processor that has no seat in Serbia. For this extra-territorial application, one of the following two requirements has to be fulfilled:
- The action of processing is related to an offer of goods or services to a data subject in the territory of Serbia, regardless of whether that person is paying compensation for such goods or services;
Hence, if your company engages in electronic commerce and also offers goods and/or services in the territory of Serbia, with the option of shipping to Serbia and marketing activities directed at buyers from Serbia, you are obliged to comply with the Law despite the fact that your seat is not in Serbia.
- The processing action is related to monitoring the activities of a data subject, and the activities are conducted in the territory of the Republic of Serbia.
Therefore, foreign companies that monitor the behavior of citizens in the territory of Serbia (for example, through tracking cookies) will have to act in accordance with the Law even if their seat is not in Serbia.
There are several cases in which the Law does not apply:
- The Law does not apply when natural persons perform processing for their own needs. For instance, a person who keeps names and phone numbers in their phone’s memory for private purposes has no obligations under the Law.
- The Law also does not apply to anonymous data, i.e. data on the basis of which it is impossible to identify a person (either directly or indirectly).
- The Law also does not apply when there is no personal data database, i.e., when the data is neither systematized nor structured.
In all other instances, the Law on Personal Data Protection should be complied with.
As the first step, companies have to perform so-called “data mapping”. This process means that companies need to ascertain which personal data they collect, in what manner, from whom, in what form, and for what purpose. Moreover, through this analysis companies should ascertain the legal grounds for the processing, how long the personal data is kept, which protection measures apply, with whom the data may be shared, whether personal data is transferred outside of Serbia, etc.
In order to harmonize their activities with the Law, companies should prepare or revise a complete set of internal documents and implement appropriate procedures.
In order to perform data mapping adequately, you need to understand that the Law extends the concept of personal data to every piece of information relating to a natural person on the basis of which the identity of that natural person can be determined, directly or indirectly.
Therefore, we are not just talking about the first name and last name, personal identification number, address, and everything else that directly identifies us. We are also talking about a multitude of information on the basis of which a certain person can be indirectly identified.
Personal data on the basis of which a person can be indirectly identified includes a large amount of the data we leave on the Internet (IP address, the IMEI number of the device through which we access the Internet, GPS location, passwords, e-mail accounts and accounts on social networks, etc.). It is now clear that this information counts as personal data and is entitled to special protection.
During the procedure of complying with the Law, as well as when processing personal data afterwards, companies need to constantly observe the six principles of personal data processing. We named them the “six commandments”, as all procedures and rules a company implements have to comply with all six principles at all times. Violating these principles alone, without breaching any other provision of the Law, can result in misdemeanor liability and monetary fines of up to RSD 2,000,000.00.
| Principle | Obligation |
|---|---|
| LAWFULNESS, FAIRNESS AND TRANSPARENCY | Personal data must be processed in accordance with the new Law, or another law which regulates the processing of personal data, in a fair and transparent manner. |
| LIMITATION | Personal data may be collected solely for a purpose that is specifically defined, explicit, justified and lawful. |
| EXAMPLE | On your website, a buyer provided you with their e-mail address on their own, because it is necessary to register an account. The purpose of providing the personal data is therefore the account registration. By doing so, the buyer did not consent to receiving your company’s or your partners’ promotional offers. If you were to use the e-mail address for that purpose, in the absence of another legal ground for processing, your actions would be unlawful. |
| DATA MINIMIZATION | Personal data being processed has to be adequate, relevant and limited to what is necessary for the purpose for which it is processed. |
| EXAMPLE | If you engage in electronic commerce and want to perform a sale and purchase agreement by delivering a product to a customer’s address, you need neither their personal identification number nor their date of birth for that purpose. If you nevertheless collect this data, the processing is unlawful, since you collected more than is needed for the above purpose. |
| ACCURACY | Personal data has to be accurate and, where necessary, kept up to date. |
| EXAMPLE | If a person subscribed to the weekly delivery of a magazine and later changes their address from the one designated in the contract at the time of its conclusion, the controller is obliged to update that data so that the contract can be properly performed. |
| STORAGE LIMITATION | Personal data must be kept in a form that allows identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. |
| EXAMPLE | If a company uses video surveillance to secure the safety of property and people, it is highly important for it to adopt adequate internal documents prescribing how long the data collected through that video surveillance will be kept, who is responsible for the storage period, how the video recordings will be destroyed, etc. |
| INTEGRITY AND CONFIDENTIALITY | Personal data has to be processed in a manner that ensures its appropriate security. |
| EXAMPLE | If a company uses software to process the personal data of its employees, it is very important to clearly determine which persons are authorized to access the data in the database. Moreover, those authorized persons need to sign confidentiality agreements/statements. |
We have previously mentioned that each case of processing must have a clearly determined, explicit and justified purpose. Furthermore, the purpose needs to be lawful.
What does that mean?
For the processing to be lawful, the processing purpose must fall under one of six legal grounds. Therefore, while there can be an unlimited number of processing purposes, each of them needs to be subsumed under one of the six legal grounds.
The Law abolished compulsory registration with the Central Register of Personal Data Databases. There is no longer an obligation to notify the Commissioner of the intent to establish a personal data database, and there is also no obligation to register personal data databases.
The record of personal data databases is now maintained by controllers or processors themselves, and whoever processes the data is responsible for the lawfulness of the processing.
Nevertheless, the cessation of this obligation does not mean that the position of companies has improved, or that things will be easier for either controllers or processors in the future. In fact, a heavy burden of responsibility has been transferred to companies. In the procedure of registering a personal data database, the Commissioner’s office gave companies instructions and advice, and their processing of data acquired a kind of formal approval of its legality and legitimacy, which helped prevent potential problems. Companies no longer have that “luxury”; they now have to assess on their own whether the processing is lawful. That means that companies now bear an incomparably greater risk.
Unfortunately, there are further important questions that have needed to be kept in mind since August 2019.
In the next blog in the data protection series, we will particularly deal with questions such as Data Protection Officer (DPO), technical measures for the protection of personal data, pseudonymization, and data subject rights.