{"id":40422,"date":"2024-03-13T08:25:00","date_gmt":"2024-03-13T07:25:00","guid":{"rendered":"https:\/\/zuniclaw.com\/the-law-on-personal-data-protection-a-few-guidelines-on-how-to-get-compliant\/"},"modified":"2024-09-20T11:37:55","modified_gmt":"2024-09-20T09:37:55","slug":"law-on-personal-data-protection","status":"publish","type":"post","link":"https:\/\/zuniclaw.com\/en\/law-on-personal-data-protection\/","title":{"rendered":"The Law on Personal Data Protection – A Few Guidelines On How To Get Compliant"},"content":{"rendered":"\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

In our previous blog post, Basic Concepts of The Law on Personal Data Protection In Serbia<\/a>, we explained when the Law applies, what is personal data and what are the principles and legal grounds for personal data processing. In this blog, we will cover the technical measures of personal data protection, the Data Protection Officer, and the rights of the data subject.<\/p><\/div><\/section>

TECHNICAL MEASURES FOR THE PERSONAL DATA PROTECTION<\/h2><\/div>

Ensuring the security of personal data stands as a fundamental pillar of the Law. Consequently, the Law mandates the controller to implement appropriate technical, organizational, and personnel measures to ensure that the processing of personal data aligns with legal standards. Moreover, the controller should consider factors such as the nature, scope, context, and purpose of processing, along with conducting a risk assessment concerning the rights and freedoms of individuals.<\/p>

If needed, the controller has to be able to demonstrate to have acted in compliance with this legal requirement.<\/p>

Even though it may seem that the above-mentioned provision is imprecise, the Law actually follows the approach of the General Data Protection Regulation (GDPR)<\/a> which takes into account the more and more rapid technological progress as well as various areas in which personal data processing takes place. That is the reason why the Law hesitantly specifies in detail what are the \u201ctechnical, organizational and personnel measures\u201d that the controller should implement.<\/p>

Once the protection measures have been implemented, they should not be seen as permanent and unchangeable. On the contrary, the controller should assess and update them, if needed.<\/p>

The security of personal data protection means that the controller and the processor conduct the appropriate technical, organizational, and personnel measures, to ensure the adequate level of security of the personal data in relation to the specific risk threatening their security. When doing that, one should have in mind the degree of technological advancements and the expenses of their implementation, the nature, the scope, the circumstances, and the purpose of processing, as well as the chances of the risk occurring and the degree of risk for the rights and freedoms of natural persons.<\/p>

The significance of the implementation of the above-mentioned measures is best reflected in the fact that a great number of penalties for violations of the GDPR has been imposed due to the lack of technical security. For example, a penalty of EUR 204,000,000.00 has been imposed upon the company British Airways in the United Kingdom, for the personal data violation due to the hackers\u2019 attack, as we talked about in our news\u00a0British Airways and Marriott International Violated GDPR \u2013 What Consequences Could They Face?.<\/a><\/p><\/div><\/section>

WHAT CAN YOU DO TO PROTECT THE PERSONAL DATA?<\/h2><\/div>

RISK ASSESSMENT<\/h2><\/div>

In order to choose the adequate measures for your company, you will first need to identify which risks threaten the security of the personal data which you process, as well as the probability for those risks and possibilities to become reality.<\/p><\/div><\/section>

An example<\/strong>:<\/p>

If you process personal data in electronic form, the risks which threaten their security might include unauthorized access to the databases, alteration or deleting the personal data, physical damage to servers and other hardware that stores the data, or which are used for other processing operations, due to fire, flood, etc.<\/strong><\/p><\/div><\/section>

PROTECTION MEASURES AGAINST RISKS<\/h2><\/div>

A. PSEUDONYMIZATION<\/h2><\/div>

Pseudonymization<\/strong> is personal data processing that disables the connection of personal data with a particular data subject, without using the additional information. In other words, pseudonymization \u201chides\u201d the data subject, but it is still possible to ascertain the identity of that person by using additional information. It is very important to keep such additional information separate, as well as to take technical, organizational, and personnel measures to prevent the attribution of personal data to an identified or identifiable data subject.<\/p><\/div><\/section>

B. ANONYMIZATION<\/h2><\/div>

Anonymization<\/strong> is data processing that causes the permanent inability to ascertain the identity of the data subject. Starting from the moment when the personal data are anonymized, you are no longer in the field of the Law on Personal Data Protection i.e. you are no longer obliged to treat that data in accordance with the Law.<\/p><\/div><\/section>

C. ENCRYPTION<\/h2><\/div>

Encryption<\/strong> of data is a protection method which encrypts information and enables the access solely to a person which has the encryption key. The encrypted data are shown in unreadable form to whomever wishes to access them without the encryption key.<\/p><\/div><\/section>

D. SUPERVISORY AUTHORITIES<\/h2><\/div>

Filing systems have to be kept far from the persons who are not authorized to have insight into the filing systems within the company. The compliance process with the Law on Personal Data Protection means that the rights, obligations, and responsibilities of employees in terms of storing and using the filing systems need to be clearly determined. Some data may be available to all employees of the company (for instance, business email addresses), while other data can be available solely to the employees with special authorizations (for example, specific persons within the HR department).<\/p><\/div><\/section>

NOTIFYING THE COMMISSIONER ABOUT THE PERSONAL DATA BREACH<\/h2><\/div>

In the event that a personal data breach occurs, regardless of the implementation of the protection measures, which can cause a risk to the rights and freedoms of natural persons, the controller must notify theCommissioner about the breach as soon as possible but within 72 hours as of the date of being aware of the breach.<\/p>

On the other hand, the processor must notify the controller about every data breach, regardless of the degree of risk to the rights and freedoms of natural persons, without undue delay.<\/p>

The controller needs to keep a record of all data breaches, which contains details of a breach, the consequences of a breach, and the actions taken for their removal.<\/p><\/div><\/section>

NOTIFYING THE DATA SUBJECT ABOUT THE PERSONAL DATA BREACH<\/h2><\/div>

If the data breach can cause a high risk to the rights and freedoms of natural persons, the controller needs to notify the data subject, without the undue delay, unless the controller has taken adequate measures as its reaction to the breach.<\/p>

Therefore, we can see that only a high risk rights and freedoms of natural persons produces the obligation of notification of the data subjects, while the Commissioner has to be notified in case of less significant risk.<\/p><\/div><\/section>

DATA PROTECTION OFFICER (DPO)<\/h2><\/div>

When to Designate a DPO?<\/h3><\/div>

In general, the controller and the processor may designate a DPO<\/a> but are not obliged to do that. However, when it comes to business entities, the Law on Personal Data Protection stipulates when the assignment of a DPO is mandatory:<\/p>