Privacy Policy is a fundamental document that defines the obligations of data handlers, specifically how companies collect, use, and protect personal data, as well as how they ensure their actions in this regard comply with the law.
This article will focus on the obligations of data handlers concerning privacy policies, with particular emphasis on the applicable regulations in Serbia and the GDPR.
We will also clarify some basic terms that companies encounter regarding the protection of their users' personal data, and provide an overview of the steps your company must take to ensure the privacy of its customers and fulfill its legal obligations.
1. GDPR Serbia: Basic Terms
When companies first encounter the topic of GDPR in Serbia, or the Law on Personal Data Protection, they will come across confusing terms such as "data controller", "data processor", and "recipient," which are not always clearly defined in terms of the individuals involved.
For this reason, we decided to start this article by clarifying these terms in the simplest possible way:
- Data Controller: This can be an individual or legal entity, or a public authority, that determines the purposes and means of processing personal data. When we talk about a privacy policy, which is a document explaining how your company collects, uses, and protects personal data, the data controller in this context is your company. It handles the data of your customers, suppliers, employees, and others.
- Data Processor: If your company is the data controller, we can say that the data processor is the entity to which the company has entrusted the processing of data on its behalf. Therefore, the company decides what will be done with the data and how, while the processor acts according to the instructions given by the controller. This can be a specific person within the company who handles the data, or it can be a third party.
- Recipient: This person simply receives personal data and does not necessarily do anything with it.
Let’s illustrate this now with the example of an e-commerce site:
The data controller is the online store itself behind the e-commerce site, which decides what data to collect from customers, why, and how it will be stored. The processor might be, for example, a company that provides online payment services and processes customer data such as credit card information for authorization and payment processing. The recipient of personal data, in this case, could be a delivery service that accesses customer address data necessary for package delivery. Anyone to whom you provide someone else's personal data is a recipient. This recipient can also be a processor, as is the case with the delivery service.
All of this information must be included in the privacy policy of an e-commerce store, and likewise in the privacy policies of all other companies that have obligations regarding privacy policies.
2. Rights of Data Subjects: Mandatory Content of the Privacy Policy Regarding the Rights of Individuals Whose Data is Collected
Your company's privacy policy must include more than just definitions of terms like data controller, processor, and recipient. Data controllers are also required to clearly specify the rights of individuals, or data subjects, whose data is being processed.
Since non-compliance with the rights of data subjects can lead to significant financial fines, let’s review the basic rights of data subjects that must be included in your privacy policy:
1. Right to Information about Personal Data Processing
The right to be informed about the processing of personal data is one of the fundamental rights guaranteed by law to every individual whose personal data is processed.
Your company's privacy policy should specify that individuals whose data you process have the right to:
- Access their data
- Port their data to another controller (more on this below)
- Be informed about the purpose of processing their data
- Be informed about the retention period of that data
Next, we’ll cover the second right that must be included in your privacy policy, which is the right to data rectification.
2. Right to Data Rectification
The right to data rectification allows individuals whose data is processed to request correction if the collected data is inaccurate.
It also includes the right to complete incomplete data.
3. Right to Restrict Processing
The right to restrict processing enables individuals whose data you process to request that their personal data processing be halted or limited in certain situations.
This applies when the data subject:
- Doubts the accuracy of the collected data
- Believes their data is being processed unlawfully
- Considers that their data is no longer needed for the purpose for which it was collected
- Files an objection to the processing of their data
In these situations, your company may still retain this data but cannot use it for other purposes.
This information should be included in your privacy policy, tailored to the specific circumstances of your business.
4. Right to Data Portability
The right to data portability allows individuals—data subjects—to obtain their personal data that they provided to your company and transfer it to another company or another data controller.
This ensures greater control over their personal data for those whose data your company processes.
5. The Right to Erasure (Right to be Forgotten)
One of the obligations of data controllers (i.e., companies) is to inform the data subject of their right to erasure, or the deletion of their personal data.
The privacy policy must state that a data subject can request the deletion of all their personal data, especially if:
- Their data is no longer needed for the purpose for which it was collected
- The data subject withdraws consent for processing
- The data subject believes that their personal data has been unlawfully processed
- There is another legal obligation requiring you to delete specific personal data
Generally, if an individual provides their personal data while using a service online, they have the right to request the deletion of that data, though there are certain limitations when this right cannot be exercised (e.g., if there is another legal basis for processing the data, such as legitimate interest or for the exercise of freedom of expression and information).
To ensure that your company properly handles requests for data deletion and avoids hefty fines due to irregularities, it is advisable to engage a lawyer specializing in data protection.
6. Right to Consent of the Data Subject
The right to consent of the data subject, also known as the right to informed consent, means that the data subject—an individual whose data you process—must give voluntary (free), informed, and unequivocal consent.
EU institutions require that this consent must represent an active act (opt-in), so for example, the checkbox on your website where visitors must click “I agree” must not be pre-checked; instead, the visitor must actively check the box and then click to agree.
It is crucial to include this right in your company’s operations, as your company must be able to demonstrate that the individual has given their consent, meaning there must be a record of this.
This right also includes the right to withdraw consent at any time, although the withdrawal does not affect the lawfulness of processing that has already occurred based on informed consent.
7. Right to Object and Right to Lodge a Complaint
Your company's privacy policy must also provide for the data subject's right to object.
Thus, if a data subject does not wish to receive advertising materials, believes that their personal data is being unlawfully used for profiling, or that the way their data is processed violates their rights, they have the right to lodge an objection.
In such cases, your company may be obliged to cease processing the collected data unless there are compelling grounds for continuing the processing.
The right to lodge a complaint complements the right to object. Therefore, if the individual whose data you process is not satisfied with how your company addressed their objection, they may contact the Commissioner for Information of Public Importance and Personal Data Protection regarding this issue.
Including these rights in the privacy policy represents another obligation of data controllers.
8. Right to Information When Collecting Personal Data from the Data Subject
When a company collects personal data from the data subject, it must provide the following information at the time of collection:
- The identity and contact details of the data controller
- The contact details of the Data Protection Officer (DPO)
- The purpose of data processing (e.g., for an e-commerce company, this could be for fulfilling deliveries)
- The legal basis for processing (e.g., user consent)
- Third parties to whom the company will disclose this personal data (e.g., delivery service)
- The recipient of the data
- International data transfers
- The retention period of the data or the criteria for determining it
- The aforementioned rights of the data subjects
- Whether providing personal data is a legal or contractual obligation or a necessary condition for entering into a contract
- Whether the data subject is obliged to provide their personal data and the possible consequences if the data is not provided
- Automated decision-making, if applicable, with guarantees for the right to human intervention.
All of this information must be included in your company’s privacy policy.
3. Fines for Violating Personal Data Protection
There are three basic fines for violating personal data protection, all of which are monetary in nature:
- A misdemeanor court can impose a fine ranging from 50,000 to 2,000,000 dinars on legal entities that violate personal data protection. This fine can be doubled in cases of multiple violations.
- Individuals who fail to treat personal data as a trade or other professional secret can be fined between 5,000 and 150,000 dinars.
- The Commissioner for Information of Public Importance and Personal Data Protection can impose an additional fine of 100,000 dinars on legal entities for non-compliance with obligations under the Law on Personal Data Protection through a misdemeanor order.
Note: Due to comments suggesting that the currently prescribed fines are not high enough for "giants," the expert public in Serbia, as well as the Commissioner, have agreed that amendments to the law in this area are necessary. In this regard, there are plans to align our law with the GDPR concerning the amount of fines, which could mean that fines for large companies could reach up to 20,000,000 euros or 4% of their annual turnover, whichever amount is higher.
To avoid your company becoming a target for high fines due to improper handling of personal data, contact a personal data protection lawyer as soon as possible to draft a privacy policy in accordance with the law and other applicable regulations.
Data Protection Lawyer
In light of numerous scandals regarding personal data protection, including the former Facebook (now Meta) scandal where millions of users' data fell into the wrong hands, online privacy has become a necessity that users demand from companies. Firms are compelled to provide this in order to maintain consumer trust.
The privacy policy, once a negligible legal document, has now become a crucial element of trust between companies and users, and a "must-have" for all companies processing personal data of their customers.
Whether you want to hire an attorney as the data protection officer for your company, or you need assistance in creating a privacy policy, feel free to contact Pekić Law Office at: [email protected].