The famous regulation of the European Union, GDPR (General Data Protection Regulation), has revolutionized the way companies process and handle personal data. Data protection has become one of the most pressing issues for business organizations. Data protection entails the rights of individuals concerning the processing of their personal data, data security, and the responsibilities of data controllers. GDPR is the most comprehensive privacy and data security law in the world, imposing obligations on all companies that collect data from individuals located in the EU, including companies from Serbia processing data of EU individuals. Data protection in the digital age brings forth unique challenges, making it a logical step for our country to introduce legislation ensuring the security of data. Taking inspiration from GDPR, Serbia enacted the Law on Personal Data Protection in 2018, which governs, among other things, the protection of personal data, the rights of individuals whose data is processed, the collection and processing of personal data, the obligations of data controllers, obtaining consent from data subjects, data security, data transfers abroad, and penalties for violations of personal data protection.
What is "Personal data"?
According to the Law on Personal Data Protection of Serbia, personal data refers to any information that directly or indirectly identifies a specific individual. These data may include, for example, name, surname, ID number, personal identification number, residential address, health records, description of physical or psychological characteristics, email address, internet activity history (shares, likes, clicks), internet search history, computer or smartphone IP address, and similar information. If a device or browser is personalized, cookies downloaded from websites are also considered personal data.
Who are Data subjects?
Data subjects are exclusively physical individuals. This means that legal entities, in any form, do not enjoy data protection under the Law on Personal Data Protection of Serbia.
Responsibilities of Data Controllers
Both legal entities and individuals have the right to process personal data (such as collection, recording, data usage, etc.), and these subjects can appear as data controllers or data processors under the Law on Personal Data Protection of Serbia. The term "data processing" is often not fully clear. It is important to note that merely accessing data constitutes the processing of personal data. "Processing" may suggest active behavior, but it can also include passive actions such as storing and retaining data.
A data controller is a natural person or a company that determines the purpose and means of data processing, while a data processor is a natural person or legal entity that processes personal data on behalf of the data controller. The data controller decides "why" and "how" data is collected and stored. On the other hand, the data processor has no control over the data processing and does not make essential decisions regarding the purposes, methods, and duration of data processing; they act solely according to the instructions provided by the data controller.
The responsibilities of data controllers include implementing appropriate technical, organizational, and personnel measures to ensure full compliance with the Law on Personal Data Protection of Serbia. The data controller is also obligated to ensure that only the personal data necessary to achieve the purpose of processing is processed, and that the data is used only for the purpose for which the individual has given consent. For example, during online purchases, a customer often has to provide their email address in order to register an account with the platform; that is the purpose of providing the email address (personal data). However, this does not mean the seller can use the customer's email address to send them offers and promotions, as the customer did not provide their "personal data" for that purpose.
In this example, the company that owns the website is the data controller for its customers' data. Personal data is also collected through the cookies that a website sets. For each processing activity, the data controller must provide transparency.
Data Protection Officer
To ensure that all provisions related to the collection and processing of personal data are followed, data controllers and data processors can appoint a Data Protection Officer (DPO). This individual can be an employee of the data controller or data processor or an external entity engaged through a contract, such as a freelance agreement. Often, a lawyer is appointed as the Data Protection Officer. While it is not mandatory for the Data Protection Officer to have a legal background, legal experience in terms of understanding procedures, providing opinions, preparing submissions, and similar aspects is undoubtedly essential for effectively fulfilling this role as prescribed by the Law on Personal Data Protection of Serbia.
The Data Protection Officer may have other responsibilities as well, but these should not lead to conflicts of interest. For instance, the Data Protection Officer cannot be an employee of the data controller who, on the controller's behalf, determines the purpose and means of processing personal data.
The Data Protection Officer is responsible for informing and providing opinions to the data controller or data processor regarding their legal obligations to ensure adequate data protection. Furthermore, the Data Protection Officer acts as the point of contact for cooperation with the Commissioner for Information of Public Importance and Personal Data Protection. The engagement of a Data Protection Officer is often at the discretion of the data controller and data processor. However, the Law on Personal Data Protection of Serbia prescribes specific circumstances under which it is necessary to appoint a Data Protection Officer.
Those cases are as follows:
- Processing is carried out by public authorities, except when it concerns processing by a court in the performance of its judicial duties.
- The core activities of the data controller or data processor consist of processing operations that, by their nature, scope, or purposes, require regular and systematic monitoring of a large number of data subjects. For example, internet service providers, whose primary core activities as data processors often involve regular and systematic monitoring of a large number of individuals.
- The core activities of the data controller or data processor consist of processing special categories of personal data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health, or data concerning a person's sex life or sexual orientation) or personal data relating to criminal convictions and offenses on a large scale. One practical example of a mandatory appointment of a Data Protection Officer is related to private pharmacy practices if they carry out activities involving the issuance of prescriptions via e-prescriptions, as this involves processing personal data on a large scale.
Legal Basis for Processing Personal Data
Legal bases for processing personal data are defined by the Law on Personal Data Protection of Serbia, and only processing that has a legal basis is considered lawful. In order to ensure lawful data protection, processing must be based on one of the following legal grounds:
- Explicit consent of the data subject: Processing is based on the explicit consent given by the individual.
- Necessary for the performance of a contract or at the data subject's request: Processing is necessary to fulfill obligations under an agreement or other actions requested by the data subject. For example, processing personal data like name, surname, and bank account information in fulfilling employment contracts.
- Necessary for compliance with legal obligations of the data controller: Processing is required to comply with legal obligations imposed on the data controller.
- Necessary to protect vital interests of the data subject or other individuals: Processing is necessary to protect vital interests, usually in life-threatening situations, such as the prevention and control of epidemics.
- Necessary for the performance of tasks carried out in the public interest or in the exercise of official authority vested in the data controller: This applies to cases where personal data is collected and processed in relation to legal obligations specified by laws regulating pensions, health, disability insurance, or banking obligations related to anti-money laundering and counter-terrorism financing measures.
- Necessary for the purposes of legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, especially if the data subject is a minor. This often relates to protecting the property and security of employers through limited video surveillance, and similar situations.
Although each of the mentioned legal bases for data processing deserves special attention, this blog post will focus on the data subject's consent as a condition for lawful processing and data protection, considering that consent is the most inadequate basis for collecting and processing personal data, and companies must exercise particular caution in this regard.
Consent of the Data Subject
Consent of the data subject is one of the six possible legal bases for processing personal data. It represents a statement of the individual's will, through which they grant permission for their data to be processed for specific purposes. The consent of the data subject must be freely given, specific, informed, and unambiguous. When processing personal data based on the data subject's consent, the data controller must be able to demonstrate that the data subject has given consent for the processing of their personal data, and this consent must be documented.
Consent can be obtained in various forms. One common example is obtaining consent from the data subject as a condition for accessing and using certain websites. This is typically achieved by accepting the "privacy policy" of the website, where the data subject provides consent by checking a box next to a statement indicating their acceptance of the website's privacy policy. It has been established in EU practice that the box must not be pre-checked: the data subject must check the box themselves, which makes the consent active and unambiguous.
Consent, as a legal basis for processing personal data, cannot be transferred to another data controller, nor can it be assumed from another data controller. For instance, in the case of transferring the entire business from one legal entity to another, consent cannot be transferred in this manner.
Of course, data subjects have the right to revoke their consent at any time without any negative consequences for their position. The revocation of consent does not affect the lawfulness of the processing that was carried out based on the consent prior to its revocation. The revocation of consent must be as simple as giving consent, especially when consent is given online through a consent button. Individuals whose data is being processed must be able to easily revoke their consent in the same straightforward manner. If there is no other legal basis for data processing by the data controller, the revocation of consent must result in the deletion of the personal data and the cessation of any other activities related to the data of the individual who revoked their consent.
A statement of will that cannot be modified or revoked, without causing legal consequences for the position of the data subject, cannot be considered valid consent. This is particularly relevant when it comes to the collection and processing of the personal data of employees by the employer. In this context, the voluntary nature of giving consent by the employee is questionable, considering that employees are unlikely to deny their consent to the employer due to potential repercussions. Therefore, the consent of the data subject (employee) should not be the basis for collecting and processing the personal data of employees.
To be considered freely given, the consent of the data subject must ensure that the execution of a contract is not made conditional on consent that is not necessary for the performance of that contract. For example, if entering into or executing a service contract is made conditional on obtaining the data subject's consent for data processing for direct marketing purposes, such consent is not considered freely given.
The Right to Erasure (Right to be Forgotten)
With the development and expansion of data protection, the right to erasure (also known as the right to be forgotten) has gained widespread application in theory and practice. The "right to erasure" refers to an individual's right to request the data controller to delete available personal data of the data subject, provided that there is a legally permitted basis for such a request.
The Law on Personal Data Protection of Serbia outlines the following legal grounds for the right to erasure:
- The purpose for which the personal data was given has ceased to exist.
- The data subject has revoked their consent in accordance with the law, and there is no other legal basis for the processing of personal data.
- The data subject has submitted an objection to the processing in accordance with the law on data protection.
- Unlawful processing of personal data.
- Personal data must be deleted in order to comply with the legal obligations of the data controller.
- The data was collected from a minor who has reached the age of 15 for the use of internet services (e.g., Google search, hotel reservations, etc.).
However, the right to erasure is not absolute; it is subject to certain limitations, one of which is the exercise of freedom of expression and information. For example, in a case brought before the Commissioner for Personal Data Protection, a request for the right to erasure was denied. The request sought the deletion of personal data from a journalistic portal that had published an article about a specific individual who was a company director. Deleting such data would have hindered the exercise of freedom of expression and information. The journalistic exception is a provision prescribed by the Law on Personal Data Protection of Serbia, which, under certain circumstances, exempts journalistic research and information publishing in the media from some of the obligations regarding personal data protection applicable to other data controllers. Therefore, if someone wishes to file a request to have their data erased or exercise the right to be forgotten, it is advisable to consult with a lawyer or a data protection expert to understand the possible limitations in exercising this right.
Data Protection in Medicine
As we all know, the field of medicine frequently deals with highly sensitive personal data, making data protection in medicine and data security of crucial importance.
Recently, a healthcare institution in the Republic of Serbia was cautioned by the Commissioner for Personal Data Protection because any employee in the institution could access the medical record of a patient. It is important to note that access to personal data without the explicit consent of the individual or without another legal basis constitutes unlawful processing of personal data.
Furthermore, since the healthcare institution acted as the data controller, as it processes personal data, it had an obligation to ensure all necessary conditions (personnel, IT, etc.) for the lawful and secure processing of patients' personal data.
Examining the nature of the data protection breach, in this case, leads us to question why this conduct by the healthcare institution was unlawful. One may wonder: Did the patient provide their personal data to the healthcare institution solely for the purpose of allowing only the attending physicians and relevant staff to access their information, or did they intend for all employees in the institution to have access to their personal (and sensitive) data?
This illustrates just one way in which the processing of personal data in medicine can be conducted unlawfully. To ensure data protection in medicine, all healthcare institutions must implement appropriate security measures and ensure conditions for data safety.
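As an added illustration (not part of the original post and not any institution's real system), the following Python sketch shows one way a controller could enforce that a patient record is readable only by attending clinical staff, by staff the patient has explicitly consented to, or under a documented emergency, while logging every decision so the legal basis of each access can be demonstrated. The names Staff, PatientRecord, can_access_record, review_queue and the role labels are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed example: the class and function names and the role labels
# below are assumptions, not part of the Serbian law or any real system.

CLINICAL_ROLES = {"physician", "nurse"}


@dataclass(frozen=True)
class Staff:
    user_id: str
    role: str  # e.g. "physician", "nurse", "admin", "billing"


@dataclass
class PatientRecord:
    patient_id: str
    care_team: set = field(default_factory=set)    # user_ids of attending staff
    consent_for: set = field(default_factory=set)  # user_ids the patient explicitly consented to


# Every decision, allowed or denied, is recorded so the controller can show
# on which legal basis each access to the record took place.
audit_log: list = []


def can_access_record(staff, record, emergency=False, reason=""):
    """Return True only when a legal basis exists for this staff member to read
    this record: a treating relationship, the patient's explicit consent, or a
    documented emergency (the 'vital interests' ground), which must carry a reason."""
    if staff.user_id in record.care_team and staff.role in CLINICAL_ROLES:
        basis = "treating relationship"
    elif staff.user_id in record.consent_for:
        basis = "explicit consent"
    elif emergency and reason.strip() and staff.role in CLINICAL_ROLES:
        basis = "vital interests (emergency access, flagged for review)"
    else:
        basis = None  # being an employee of the institution is not a legal basis
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": staff.user_id,
        "role": staff.role,
        "patient": record.patient_id,
        "allowed": basis is not None,
        "basis": basis,
        "reason": reason,
    })
    return basis is not None


def review_queue():
    """Entries a Data Protection Officer would review: every denied attempt
    and every emergency access."""
    return [e for e in audit_log
            if not e["allowed"] or (e["basis"] or "").startswith("vital")]
```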
What steps should a company, as data controller, take to ensure the protection of personal data?
The Personal Data Protection Law of Serbia does not prescribe exact steps that a company should take to ensure the lawful collection and processing of personal data. The steps for data security are derived from the principles set forth in the law. Legality, fairness, and transparency are fundamental principles that data controllers must adhere to. This includes providing individuals whose data is being processed with complete and clear information regarding the collection and processing of their personal data, and data controllers must maintain a fair relationship with these individuals.
The company should start by determining what personal data is being collected, where this data is stored, and which individuals have access to this data, a process known as data mapping. Next, data management should be in line with the principles of the law. This involves creating a list of individuals whose data is being processed, specifying the legal basis and purpose for processing the data, and providing education to employees about the lawful collection and processing of personal data.
Additionally, the company needs to identify the mandatory documents for the protection of personal data and create them. Documenting the process also includes keeping records of requests from individuals whose data is being processed, as well as evidence of data transfers to third parties and data exports outside the country.
Data Protection Lawyer
Data protection is undoubtedly a newer and highly challenging area for all companies, requiring the assistance of a lawyer to fulfill all the obligations envisaged by the Personal Data Protection Law of Serbia. This includes creating internal acts on the processing of personal data, mandatory documents for data protection, and avoiding penalties for breaches of personal data protection. Whether you want to engage a lawyer as a data protection officer for your company or require advice and the creation of effective internal data security procedures, feel free to contact Law office Pekić via email: [email protected]