Page 1

Personal data protection:
views and opinions of the Commissioner

Publication no. 4

Page 2

Commissioner for Information of Public Importance
From avac
and personal data protection
Bulevar kralja Aleksandra no. 15, 11000 Belgrade
Tel .: + 381 11 3408 900
Fax: + 381 11 3343 379
Email: office@poverenik.rs
www.poverenik.rs

Stanojla Mandic
For from avacha
Slavoljupka Pavlović
Ure nik
Official Gazette
Lek ura, izajn i relom

Official Gazette
Alone
600 examples
Circulation
ISBN
Belgrade, 2019

Page 3

Information Commissioner
of public importance and protection
personal data

Data protection
about personality:
attitudes and opinions
Commissioner

Page 5
4

The content

Introductory Speech

7

1. Biometric data processing

11

1.1. Can a citizen request the issuance of an ID card?
without a fingerprint?

13

1.2. Is the employer allowed to process fingerprint data
for the purpose of controlling the use of working time?

15

2. Video surveillance

21

2.1. Is it allowed to have video surveillance cameras
in the study?

23

2.2. Is it allowed to place cameras in the toilet of the bus
stations for security?

25

2.3. Under what conditions are cameras allowed to be installed
for video surveillance in an apartment building?

29

2.4. Under what conditions can video surveillance be introduced in schools?

33

2.5. Is the Commissioner authorized to conduct the oversight procedure?
in a space that is privately owned, and on occasion
installed video surveillance cameras?

37

3. Processing of particularly sensitive data

39

3.1. Can the school principal chair the executive board
trade unions provide data on monthly
payment of union membership fees?

41

3.2. Under what conditions can an employer process data
on employees for the purpose of exercising the rights of employees
to solidarity assistance and resolving redundancies?

43

3.3. Is the notary public authorized to procure
medical documentation from the party for decision making
about the necessity of going out on the field?

45

3.4. Under what conditions can the two countries exchange excerpts
from criminal records for the purpose of providing legal aid
in criminal matters?

6

Page 6

48

Personal data protection:

4. Obtaining and exchanging data between different
legal entities

51

4.1. Does the employer have the right to inspect the health card
employee and whether he can data on the conviction of the employee
obtain directly from the police without the presence of an employee?

53

4.2. Does the employer need consent for delivery
data on the employed Republican Health Fund
insurance for the purpose of issuing a health card?

59

4.3. Is the bank authorized to procure from its clients
data on officials, members of their immediate family
and their close associates?

63

4.4. Is the commercial bank authorized to obtain data
about all members of an association, members of the board of directors
or the president of the association?

67

4.5. Is the manager of the residential building authorized to procure
ID numbers and ID numbers of all persons who
live in a particular housing unit?

72

4.6. Is the data of persons employed in the workplace
which involve working with money can in addition to their previous
consent to collect from the Credit Bureau for the purpose
preventing possible abuse in such jobs?

74

5. Frequently asked questions related to specific
cases of data processing

77

5.1. Whether the contractual data processor has the right to collect
bank debtor information from the debtor's neighbor?

79

5.2. Whether the public authority is authorized to process the data
about a person with the consent of a natural person in situations when
has such authority not been established?

84

5.3. Under what conditions the public telephone service provider
directory can publish the phone number of an individual?

85

5.4. Do the sellers during the complaint - replace the goods
right to seek a JMBG customer?

88

5.5. Whether the employer can process and use
private information of the employee from his official
mobile phone?

91

5.6. Is the Commissioner competent to react in case he is
illegal processing of personal data occurred
on the social network Facebook?

94

5.7. Is it allowed to publish biographies of all teachers?
who left the faculty to prepare the publication?

96

5.8. Does the employer need the consent of the employees in order to
their data provided to the payroll agency?

98

Page 7

The content

7

5.9. What needs to be regulated by the data transfer contract
if cloud technology is used ?

101

5.10. Under what conditions can customer data be processed
telecommunications operators in the credit bureau?

103

6. Cases of serious violation of the right to protection
personal data

107

6.1. PIO fund - illegal processing of personal data
beneficiaries of old-age, disability and survivors' pensions

109

6.2. "Selected Doctor" application

114

6.3. Privatization Agency - data compromise
on the identity of 5,190,397 applicants for realization
rights to free shares

118

7. Normative activities of the Commissioner

123

7.1. Opinion on the Draft Law on Personal Data Protection

125

7.2. Opinion on the Draft Law on the Central Population Register

154

7.3. Letter from the Commissioner sent to the National Assembly of the Republic of Serbia
on the occasion of the Draft Law on the Central Register of Mandatory
social security

159

7.4. Proposal for assessing the constitutionality of the Law on Security and Information
agency

162

7.5. Proposal for the Constitutional Review of the Law on the National DNA Registry

165

7.6. Letter from the Commissioner sent to the National Assembly of the Republic of Serbia
on the occasion of the Draft Law on Personal Data Protection

169

8. Annex - General Regulation on Personal Data Protection
(answers to frequently asked questions)

171

8.1. Frequently asked questions about application
General Data Protection Regulations (GDPR)

173

Page 9
8

Introductory Speech

This is the fourth publication of the Commissioner for
and personal data. Preparations for its publication are strong
colored two events. The first is the adoption of a new Law on Data Protection
such a person (Official Gazette of RS, No. 87/18 of 13 November 2018),
which opened up numerous challenges, questions and doubts, and it did not
regulated some important and sensitive issues such as, for example,
part-monitoring and processing of biometric data. The second is the fact that
to the first Serbian Commissioner for Information of Public Importance and
the protection of personal data has expired, and others in the meantime
Not selected.
This makes the responsibility for the content of this publication greater. Basic
the principle we were guided by during the preparation, as well as all
years, was to affirm the right to protection of data
so about the person as one of the basic human rights, guaranteed as
The Constitution of the Republic of Serbia, as well as the European Convention on Human Rights
rights, and raise awareness of its importance.
Processing of biometric data and the use of video surveillance
but they invade people's privacy. Their illegal, pointless or
disproportionate use can have inconceivable harmful consequences
the most basic human rights. Unfortunately, despite numerous warnings
Commissioner, this matter remained systematically unregulated even after
carrying the new Law on Personal Data Protection. Therefore, they are the first
two chapters of this publication are devoted to precisely these topics in order to
both operators and citizens, but also public authorities were introduced to the locals
and international standards in this area.
Citizens, operators, but also public authorities often have different
read doubts about whether any data processing is allowed and, if so
yes, under what conditions. Therefore, the third, fourth and fifth chapters
publications focused on extremely practical issues and assistance and divided
into the following units: “Processing of particularly sensitive data”, “Obtaining
and exchange of information between different legal entities ”and
one hundred questions asked regarding specific processing cases ”.
Chapter 6 presents cases of serious violations
to the protection of personal data, where illegal processing has taken place
data of an extremely large number of persons, including the processing of
to sensitive data, which has extremely detrimental consequences as per
privacy of people and their basic human rights, as well as
chip of the rule of law as an ideal proclaimed by the Constitution itself.

10

Page 10

Personal data protection:

One of the most important roles of independent supervisory bodies in
areas of data protection is preventive. This, inter alia,
understands and gives opinions on the laws and other regulations they have
and may have an impact on the protection of personal data and privacy.
Unfortunately, authorized lawmakers often turn a deaf ear to
of the Commissioner, which is why the Commissioner was forced to submit
and proposals for constitutional review to the Constitutional Court of Serbia. In the seventh chapter
The activities of the Commissioner in the normative area where
examples of regulations that most seriously endanger the rights of persons have been singled out.
What marked 2018 internationally in
in the field of data protection is the beginning of the implementation of the General
protects data. Due to the specific territorial clause, many
blacksmiths have various doubts. Therefore, the Commissioner prepared
answers to frequently asked questions related to this document,
which is printed as a separate appendix in the eighth chapter.
The right to protection of personal data is a right that is essential
concerns every human being and we hope that this publication will
you raise awareness about it.
Editor
Slavoljupka Pavlović

Page 11

1. Biometric data processing

Page 13
12

1. Biometric data processing

13

1.1. CAN A CITIZEN REQUIRE ISSUE
ID CARDS WITHOUT FINGERPRINT?
The Ministry of the Interior, as the data controller,
has legal authority, in terms of the provision of Article 8, paragraph 1, item 1.
ZZPL, for processing biometric data of the ID card holder,
which means that this data must be processed independently of the will
persons
to Rationale
whom the
data relate. :
I The
P OVERENIKA
The applicant requested, inter alia, that the
order the authority to draw up an identity card without a fingerprint. It's a stranger
answered that the Commissioner is not competent or authorized to take action
such an action. From the aspect of its competence in the field of data protection
The following is indicated about the person:
In accordance with the provisions of Article 42 of the Constitution of the Republic of Serbia and Article 8.
ZZPL, during the collection, holding, processing and use of data
as a person it is necessary that every data controller adheres
appropriate principles of this law, and that the operator: may process
only those data that are authorized by law to collect or
received from the person from whom he collects data on the basis of his / her
prescribed or for the purposes determined by the consent obtained, that it must
its
suchthe
permission
information
collected
onlythe
for principle
purposes of
that are legisensure
accuracy and
and that
timeliness
of theisdata,
to respect
by the law or the consent of the person) and the principle of proportionality and processing
ho
nosasi (personal
data are
onlyasinneeded
relationinto the purpose of
(only
much personal
dataprocessed
is processed
given case).
It clearly follows from the stated provisions of the Constitution of RS and ZZPL that it is
legal basis for processing personal data of a person by law or

aprovisions
drawing of
whose
it is.Exceptions
Note that balanced
of the
Art.person
10th and
15thdata
ZZPL.
to this rule are rare and
astrict
person
give a drawing
only in the
and
under
conditions determined
andmay
prescribed
by the provisions
ofmanner
Art. 12th
and
13ththe
ZZPL.
The competence to issue an identity card is determined by the provisions of
Law on ID Card ("Official Gazette of RS", No. 62/06 and 36/11), so it is
thus, the provisions of Article 6 of this Law prescribe that he issue an identity card
in the prescribed manner the ministry in charge of internal affairs, a
that the regulation referred to in paragraph 1 of this Article is issued by the Minister competent for internal affairs.
demand jobs.
The provision of Article 7 of this Law stipulates that the identity card
gives on the form prescribed by the Minister, while the provision of paragraph 2 of the same

14

Page 14

Personal data protection:

member is prescribed to enter the following data on the ID card form o
to the holder of that document: 1) surname; 2) name; 3) gender; 4) day, month and year
births; 5) place, municipality and country of birth; 6) unique parent
number of citizens.
In accordance with the provisions of para. 3 and 4 of the same article in the ID card form
images of the biometric eyes of the holder of that document (photographic
print, fingerprint and signature), as well as the date of issue of the identity card
with the term of its validity. Also, the provisions of Art. 10–18. Personal Law
the card prescribes the procedure for issuing an ID card - submission
request, content of the request, deadline for submission and issuance, etc.
Therefore, the Ministry of the Interior, as the data controller
thus, has legal authority, in terms of the provision of Article 8, paragraph 1, item
1. ZZPL, for the processing of prescribed personal data in the
issuance of an identity card, including prescribed biometric data
holder of an identity card, which arises from the cited provisions of the Law
about ID card.
B ROJ: 011-00-01905 / 2016-05 from 22 12 2016

Page 15

1. Biometric data processing

15

1.2. MAY THE EMPLOYER PROCESS IMPRESSION DATA
FINGERS FOR THE PURPOSE OF CONTROLING THE USE OF WORKING TIME?
Processing of biometric data of employees for control purposes
the use of working time is disproportionate to the purpose of the future processing
that the damage that can result from the misuse of this data is greater
of the benefits that the data controller may have, and in particular
bearing in mind that the purpose of processing (control of the use of
name, ie. arrival of employees at work and departure from work)
can be achieved in many other ways that are equally effective,
and do not open the possibility of such abuses as is the case with
by processing
biometric
data.
I The Rationale
P OVERENIKA
:
The Commissioner carried out the procedure of supervision over the Health
slow "Dr Dragiša Mišović" in Čačak, as a data controller, due to
procurement, installation and configuration of the application system for
working hours of employees, for the needs of the Health Center
Čačak - General Hospital Čačak, which is intended for recording
sta and the middle finger of his left hand, after which he warned the operator that
such data processing is, inter alia, not permitted in terms of
from Article 8, item 7 of the Law on Personal Data Protection.
Namely, by processing the fingerprints of their employees
Health Center "Dr Dragisa Misovic" Cacak did not respect
principle of proportionality, which is one of the basic
processing of personal data, which arises from the provision of
on item 8 of the Law on Personal Data Protection. That means it is
allowed to process only those data that are by number or type
proportionate purposes of processing. In other words, they can be collected and processed
only those data that are necessary to achieve the purpose
ni. This implies that in each case for each species
data must review whether its processing is necessary and
to achieve the purpose of processing. In other words, the question arises
whether to control the use of employees' working time
(which is the purpose of specific processing) it is necessary and necessary to take prints
fingers of employees or that purpose can be achieved on others, less
invasive manner.
There is no law in our legal system that
systemic way regulates the processing of biometric data, as a type of
personal data. However, since the protection of personal data
Article 42 of the Constitution of the Republic of Serbia guarantees as special human
law, in the interpretation and protection of this human right should be applied

16

Page 16

Personal data protection:

appropriate, valid international human rights standards. Similar
provisions of Article 18, paragraph 3 of the Constitution of the Republic of Serbia, provisions on human
and minority rights are interpreted in favor of improving the value of
democratic society, in accordance with applicable international standards
human and minority rights, as well as the practices of international institutions
which oversee their implementation. The provision of Article 5 of the
protects individuals in relation to automatic data processing, which has become
part of the internal legal order based on the Law on Confirmation
Convention for the Protection of Individuals with regard to Automatic Data Processing
("Official Gazette of the FRY - International Agreements", No. 1/92 and "Official Gazette
list SCG - Međunarodni ugovori “, number 11/05 - dr. law) prescribed
is that personal data that is automatically processed:
(a) are obtained and processed loyally and lawfully,
(b) have been entered for specified and legitimate purposes and are not used
non-purpose,
(v) are adequate, relevant and of adequate scope in relation to
the purposes for which they were entered,
(g) are carefully assembled and, where necessary, timely,
(d) are stored in a form that allows the identification of
interested persons in a period not exceeding that necessary
period for the purposes for which they are stored.
Directive 95/46 / EC of the European Parliament and of the Council of 24 October
1995 on the protection of citizens in connection with the processing of
and the free movement of such data is one of the fundamental documents
European Union law, which regulates the processing of personal data
protecting the fundamental rights and freedoms of natural persons, and in particular
the right to privacy, as one of the fundamental human rights.
Relevant international institution, which dealt with biometrics
data and which has established certain standards and guidelines in that
area, is the Working Body 29 (Article 29 - Data Protection Working
Party), established by Article 29 of Directive 95/46 / EC of 24.10.1995, whose
the jurisdiction is prescribed by Article 30 of the same directive. This body has
advisory status and is independent in its work. According to the Working Document
Mentometer on Biometrics, adopted by this working body on 1 August 2003.
Working document on biometrics, adopted 1 August 2003,
12168/02 / EN, WP 80) biometric data can only be used
if they are adequate, relevant and if they are not excessive. Purpose for
which biometric data can be used and processed must be
clearly defined, it is necessary to carry out an assessment
and the legality of processing, taking into account the risk that such processing
may represent for the protection of the fundamental rights and freedoms of individuals,
and especially whether the intended purpose of processing can be achieved to a lesser extent
invasive way. This implies a strict assessment of proportionality

Page 17

1. Biometric data processing

17

processed data. Centralized storage of biometric data
such also increases the risk of using biometric data, because
is crucial for connecting different databases, which can lead to
to the formation of detailed profiles of individuals both in public and in public
and in the private sector. Therefore, the use of biometric data is
žna and necessary only in cases when it is necessary to perform
activities of the operator (in a specific situation this would be the case, for example
that only persons who identify themselves can enter the operating room
the basis of the fingerprint algorithm, because it is a job where the
authorized persons may endanger human health and life or
pillar with psychoactive substances or drugs that are under special
regime can have only authorized persons or part of the intensive
care cannot be entered by persons who have not passed the appropriate sanitation
verification), protection of personal data or trade secrets, security
people, etc. In the specific case, the introduction of biometric measures in
in relation to the purpose of processing (control of working time) for which
collection is excessive, disproportionate and their introduction
puts unnecessary intrusion into an individual’s privacy. This is for a reason
which the purpose of processing can be achieved in other ways, better
by determining the employees who will control the departure
and the arrival of employees, video surveillance, etc. However, even in the case of
introduction of biometric measures, data processing can be performed on
less invasive way, which poses less risk to rights and freedoms.
de individual. Namely, biometric data should not be stored in the
lysed database, but in some place that can be accessed
user only, such as microchip card and the like. In other words,
the application of authentication / authorization can be performed without central
biometric data (pursuant to paragraph 3.2
working document on biometrics). Because of all the above, he is the Commissioner
warned the Health Center "Dr Dragisa Misovic" in Cacak
permitted data processing in terms of the provision of Article 8, item 7 of the Law
on the protection of personal data, as described in more detail in point 2.
warning dispositive.
Undisputed application of the standards from the said Directive, as well as
Convention, ie the Law on Ratification of the Convention in question,
proceeds from the provision of Article 16, paragraph 2 of the RS Constitution ("Generally accepted
rules of international law and ratified international treaties
are an integral part of the legal order of the Republic of Serbia and are directly
change ”), as well as the provisions of Article 194, paragraph 4 of the Constitution of the RS
international treaties and generally accepted rules of international law
they are part of the legal order of the Republic of Serbia ”).
In issuing this warning, the Commissioner had in mind
of responsible persons in the Health Center "Dr Dragisa Misovic"

18

Page 18

Personal data protection:

in Čačak that during the processing of specific data no
sci finger, already recording the finger from three points and converting to
a fingerprint algorithm that is unique to each employee,
but he found that it did not affect taking a different position on the occasion
of this legal issue, because even if the fingerprint image is not preserved,
but only a coded pattern - a digital pattern of the print, from which it is not
it is possible to reconstruct the fingerprint image, it is considered
by processing personal data. Manufacturers and suppliers of biometrics
This equipment often states that user privacy is ensured, therefore
that, for example, a fingerprint cannot be reconstructed from digital
foot pattern. However, even if the reconstruction of the original data
is not really possible, the user's privacy is still not protected,
since the fingerprint sample and the digital sample are
ju unique identifiers because of what can be from the latter
to single out the identity of an individual. If instead of taking biomeThe data system is based on a personal identification system
number and although it is not possible to reconstruct the data from the original
fingers, because it is not known how they can be transformed
hours (convert to another form), a unique identification number
assigned to an individual, in this case an algorithm for
ske fingers, also represents personality data. Question breaksalgorithmic codes and reconstruction of data from the original
fingerprint does not matter regardless of whether a very single
simple algorithm or a very sophisticated mathematical formla. A key issue from the point of view of protecting the privacy of individuals
refers to the use, connectivity and security of anyone

identifier that may be represented. What applies to biomecharacteristics, can also be applied to digitization
recordings made on the basis of the same unique characteristics
teristics, regardless of the fact how many times such recording is
processed or modified. Regardless of the shape, manner of recording or
other changes, even if the amount of detail in the transformations (transforming into another form) can shrink, staying forever
preserved a unique connection with the individual. Based on the above, it is possible
say that biometric data, although stored in reduced digitalized form, are still considered personal data because
refer exclusively to a particular individual, or an individual when
can be identified. Because these data are so accurate
and that there is undoubtedly a preserved unique connection with the individual, which
opens up the possibility of huge abuses, it is a damage that can
become their abuse much greater than the benefit provided by the operator
data may have their use for the purpose of controlling the working
time, which is why their use is disproportionate to the purpose of processing.

Page 19

1. Biometric data processing

19

Thus, the processing of biometric data of employees for the purpose of controll use of working time is disproportionate to the purpose of processing,
because the damage that can be caused by the misuse of this data is greater
of the benefits that the data controller may have, and in particular having
in view that the purpose of processing (control of the use of working time, ie.
arrival of employees to work and departure from work) can be achieved
in many other ways that are equally effective and do not open up
such abuses as in the case of biometric processing
data. Thus e.g. data controller for the purpose of controlling the
working hours can set up video surveillance under
clearly defined rules, so that it will be in a visible place under the cameras
put an appropriate warning to enter the General Hospital filmed
in real time and keep a certain period for review and profaith in the time of departure and arrival of employees, as well as work
general security. The data controller can also organize
various forms of control by the competent persons, to appoint
obliged to control departure and arrival at work and the like.
B ROJ: 164-00-00193 / 2011-07 OF 22. 9. 2011 YEAR

Page 21
20

2. Video surveillance

Page 23
22

2. Video surveillance

23

2.1. IS IT ALLOWED TO HAVE VIDEO SURVEILLANCE CAMERAS
FINDINGS IN THE WORK SPACE?
The data controller can perform video surveillance of access to
official and business premises only if necessary
for the security of persons and property, control of entry or exit
ska from office or business premises or, if due to nature
work, there is a possible risk to employees. If you
part of the supervision aims exclusively at the supervision of regular
and behavior of employees during working hours
performance appraisal of employees, such processing of personal data
is notI allowed.
The Rationale P OVERENIKA :
The party addressed the Commissioner for Information of Public
tea and the protection of personal data by asking whether a video camera
-supervision can be located in the workroom.
The data controller may perform video surveillance of access in case of
premises and business premises only if it is necessary for
security of persons and property, control of entry or exit from the official
or business premises or, if due to the nature of the business, there is a possible
risk to employees. In that case, the data controller is obliged to
the decision to introduce video surveillance, which must be made in writing
form and must contain the reasons for the introduction of video surveillance,
as the introduction of video surveillance is not provided by law. Employees who
working in a space under video surveillance must be in writing
informed about the performance of video surveillance in accordance with Article 15 of the Law on
protection of personal data.
With the decision on the introduction of video surveillance, the operator can predict
use of video surveillance within the workspace in which they work
sent only when necessary for the safety of people and property,
or the protection of classified information and trade secrets, whereby it should
take into account that video surveillance within the workspace can be
introduced only in exceptional cases and provided that such
ha can not be achieved by milder means, provided that the video surveillance
applies only to those parts of the space where they must be protected
stated interests and assets.
If the purpose of video surveillance is exclusively surveillance
over the regular activities and behavior of employees during work
time to assess the performance of employees, such processing
such a person is not allowed. Namely, by such processing of data on Fr.
personalities violate the privacy of employees, and the purpose of processing could

24

Page 24

Personal data protection:

would be achieved in another way that could measure work performance.
nak, methods that are less invasive by employee rights.
This position is also emphasized in the Recommendation of the Committee of Ministers
member states of the Council of Europe CM / REC (2015) 5, which refers to
processing of personal data in the context of employment, and in which
states that the introduction and use of information systems and technologies
for the direct and primary purpose of monitoring the activities and conduct of
slein should not be allowed.
B ROJ: 073-11-696 / 2017-02 OF 28. 6. 2017

Page 25

2. Video surveillance

25

2.2. IS IT ALLOWED TO INSTALL CAMERAS IN THE TOILET
BUS STATIONS FOR SAFETY?

Installation of video surveillance cameras in the toilet, in the building on
incoming platform at the bus station, constitutes an impermissible
data processing, because such processing by number and type of
proportional to the purpose of processing, which is why such processing is not allowed
in terms of the provisions of Article 8, item 7 of the LPP. The subject of the recording
it can and must have a certain degree of privacy. Constantly recordingpersons when using the toilet, deprives those persons of privacy
and endangers
their
human dignity.
I The Rationale
P OVERENIKA
:
The Commissioner, through his authorized persons, carried out the immediate
supervision over the implementation and execution of ZZPL by BAS - Belgrade
city ​bus station AD from Belgrade, as an operator (hereinafter
text: handler), on which occasion it was established that in the proThere is an established video surveillance system on the operator's side, as well as yes
are cameras installed in toilets. The operator stated that it was the purpose
processing of the protection of persons and property, bearing in mind that
father of particular importance for the security and defense of the country, to
ke frequencies of people circulating in objects and other space
(platforms, etc.) operator, there are various safety risks, starting
from fraud and theft (pickpocketing), gambling (match-fixing), smuggling
drug abuse, sexual offenses and, most importantly,
the risk of terrorist attacks as a current threat, in particular
expressed at bus, train stations and airports.
After the procedure, the Commissioner determined that such processing
impermissible in terms of the provisions of Article 8, item 7 of the LPP and without conditions for
processing without the consent from Article 12 of the Law on Public Procurement, which he warned about
operator.
The Constitution of the Republic of Serbia (“Official Gazette of the RS”, No. 98/06)
nu 42. prescribes that the protection of personal data is guaranteed. Prikupayment, holding, processing and use of personal data are regulated
by law. The criminal use of personal data from
outside the purpose for which they were collected, in accordance with the law, except for the needs
conducting criminal proceedings or protecting the security of the
beats, in the manner prescribed by law. Everyone has the right to be informed
on collected personal data, in accordance with the law, and
the right to judicial protection for their abuse.
Article 3, item 1 of the Law on Public Procurement, prescribes that personal data are each
information relating to a natural person regardless of the form in

26

Page 26

Personal data protection:

to which it is also expressed on an information carrier (paper, tape, film,
electronic medium, etc.), by whose order, in whose name, or for whose account
the information is stored, the date the information was created, the
information storage, the way in which information is
but, through listening, watching, etc., that is, indirectly, through insight into
document in which the information is contained, etc.), or regardless of
another feature of the information, in point 2, inter alia, that the physical
as the person is the person to whom the data relates, whose identity has been determined
or determined on the basis of the characteristics of his physical identity, and in
point 3. that the data processing any action taken in relation to the data
such as: collecting, recording, transcribing, duplicating,
copy, transfer, search, sort, store,
separation, crossing, unification, assimilation, change,
scoring, use, disclosure, disclosure, publication,
disseminating, recording, organizing, storing, adapting, discovering
by transmission or otherwise making available, concealment,
relocation and otherwise making inaccessible, as well as enforcement
other actions related to the stated data, regardless of whether it is performed
automatically, semi-automatically or otherwise.
Article 8 of the LPP stipulates that during the processing - collection
holding or transmitting personal data is necessary to
which handler adheres to the relevant principles of the Act, among others
and that we are the controller: to process only those data for which it is by law
authorized or has written consent obtained from the person whose
processes the data, as well as to collect the data only for the purposes
prescribed by law or for purposes determined by the consent obtained, as
and to process only as much personal data as necessary
to achieve the purpose of processing, so point 7 determined that the processing is not
allowed if the number and type of data being processed are disproportionate
processing purposes.
Article 12 of the LPP prescribes that processing without consent is allowed: 1)
to pursue or protect the vital interests of persons or
another person, and in particular life, health and physical integrity; 2) u
the purpose of fulfilling the obligations determined by law, by an act adopted in accordance with
with a law or contract concluded between the person and the operator, as well as
to prepare the conclusion of the contract; 2a) for the purpose of raising funds
for humanitarian purposes; 3) in other cases specified by this
by law, in order to achieve the predominant legitimate interest of the person
vaoca or user.
Further, the Law on Ratification of the Convention for the Protection of Individuals with regard to Relationships
on automatic data processing ("Official Gazette of the FRY - International
contracts ", no. 1/92 and "Official Gazette of Serbia and Montenegro - International Agreements", no.
11/05 - dr. Law, "Official Gazette of RS - International Agreements", no

Page 27

2. Video surveillance

27

98/08 and "Official Gazette of RS - International Agreements", No. 12/10), in
Article 3, item 1 stipulates that the contracting parties undertake to
apply this Convention to collections and automatic processing of personal
data in the public and private sectors. In the provision of Article 5 of the Convention
it is arranged that personal data that are automatically processed: (a) are loyal
and legally obtained and processed, (b) entered for well-established and
team purposes and are not used inappropriately, (c) are adequate, relevant
and of an appropriate scope in relation to the purposes for which they were introduced, (d)
they are vividly stacked and, where necessary, timely, (e) stored
are in a form that allows the identification of interested persons in
period which does not exceed that necessary period for the purposes for which they are
and stored.
By the said law on the ratification of this Convention, it is
became an integral part of the internal legal order of the Republic of Serbia and
directly applicable.
The position of the Commissioner is that in this case, the number and type of data that
unnecessary and disproportionate purposes of processing, thus making such
work is not allowed in terms of Article 8, item 7 of the LPP.
Furthermore, when introducing video surveillance, it is especially necessary to
take into account whether the intended purpose of processing is user safety
the toilets themselves can be accomplished in a less invasive way.
Namely, the subject of recording can and must have a certain measure
privacy. Continuous facial imaging when using the toilet,
deprives those persons of their privacy and endangers their human dignity.
creation. In the present case, the continuous recording of the user during
during their stay in the toilets, during the performance of physiological
ba, ie. performing urination, represents an unnecessary intrusion into their
privacy.
Such data processing is disproportionate to the purpose, as it is
the purpose of processing - the security of the users themselves, as well as security
property, can also be realized in a less invasive way. It's possible
achieve e.g. in the way that cameras capture the space in front of the entrance
to toilet number 1 (old building 1 ), as this contributes to the future
mentioned purpose of performing video surveillance. Also, at any time,
in the toilet area there is always an employee who charges for
gu use of toilets, as well as personal users who are witnesses of each
eventual "incident", and by collecting their statements about it
appropriate information could be obtained to prevent the incident
the same or identifying a potential perpetrator.
Based on the stated factual situation, it was determined that the
provisions of Article 8, item 7 of the LPP, and that the conditions for
1 Aimed at access to toilet no. 1 sideways and covers a wider area in front of the entrance

28

Page 28

Personal data protection:

processing referred to in Article 12 of this Law, due to which the Commissioner, on the basis of
Article 56, paragraph 1. ZZPL, gave the Operator a Warning as in the dictum.
When issuing this Warning, the Commissioner had a special
in the form of the provision of Article 31, paragraph 2 of the Law on Private Security
("Official Gazette of RS", No. 104/13 and 42/15), which stipulates that

a technical device used in performing oslova riva nog
security is not authorized to benefit and in a manner that violates the
and nose rugih .
NUMBER: 164-00-00560 / 2016-07 FROM 13.10.2016

Page 29

2. Video surveillance

29

2.3. UNDER WHAT CONDITIONS IS IT ALLOWED TO PLACE
VIDEO SURVEILLANCE CAMERAS IN A RESIDENTIAL BUILDING?
To establish video surveillance in the building, it is necessary to
the housing association assembly decides on the establishment
video surveillance, bearing in mind that it is a public space that
serves for the regular use of all occupants of the building and their
sensors. When deciding whether and which space should be
covered by video surveillance, one must keep in mind the realistic assessment that
whether it is necessary to cover a certain area with video surveillance or
the purpose of the processing can be achieved in a way that does not require recording.
and whether the coverage is proportionate to the purpose of the processing. Visual
the angle covered by the camera must not be such that a larger
page of that which is necessary to achieve the purpose of processing or yes
covers space that is the exclusive property of other persons (
knows the doors to apartments as separate parts of the building). Persons stepping
in the area covered by video surveillance they have the right to be about it
informed. The person performing the video surveillance is obliged to be in sight
place a public notice to conduct video surveillance, which would
should contain information that video surveillance is in progress (
forged or graphic symbol of video surveillance, telephone number
for video surveillance information). In addition, special attention should be
Note that the system used to perform video surveillance
dawn must be protected from access by unauthorized persons as well
that the duration of the recording period does not exceed that required
the period
for whichP video
surveillance
was established.
I The Rationale
OVERENIKA
:
The party addressed the Commissioner, among other things, by asking whether
is also where it is allowed to install video surveillance in the housing
buildings.
The Law on the Collection and Processing of Personal Data
and prescribe the rights of persons and the protection of the rights of persons whose data
collect and process. This law is based on Article 42 of the Constitution
of the Serbian public conceived as a law that protects one person,
Human rights guaranteed by the Constitution - the right to data protection
the personality specific person , ie the protection of waterfront nose and perbe. Thus, in accordance with the provisions of Article 8 of the LPP, during the collection,
holding, processing and using personal data is necessary to
each operator adheres to the relevant principles of this law, and
that the operator: we may collect only those data that are by law

authorized to collect or obtained the authorization from the person from whom

30

Page 30

Personal data protection:

collects data based on his drawing , to process the data
only for the purposes prescribed by law or for the purposes of certain
consent must ensure the accuracy and timeliness of the data, yes
respects the principle of purposeful nose and (personality data are processed only
in relation to the purpose regulated by law or the consent of the person) and the principle
proportionality of processing.
Regarding the issue of the permissibility of placing video surveillance in
residential building, we first point to Article 3 of the LPP, where point 1,
among other things, it is prescribed that personal data is any information
information relating to a natural person regardless of the form in which
is also expressed on the information carrier (paper, tape, film, electronic
ski media, etc.), the way of finding out information (directly, through
listening, watching, etc., or indirectly, through insight into the document
in which the information is contained, etc.), and point 2 that it is physical
the person is the person to whom the data relates, whose identity has been determined or
identifiable on the basis of a personal name, a unique personal identification number
address, address code or other feature of his physical, psychological
spiritual, economic, cultural or social identity.
The provision of item 3 of this Article prescribes that data processing is each
action taken on data such as, inter alia:
buying, duplicating, searching, storing, using,
making available, discovering, publishing, disseminating, recording ,
detection, transmission or otherwise making available
as well as the implementation of other actions related to the specified data
whether performed automatically, semi - automatically or on
Another way.
According to the above, it is indisputable that the recording is a processing
personal data, however, when it comes to processing data on
personality performed using a recording device (video surveillance),
the general principles established by the LPP do not have their own precise elaboration.
Here we point out that the use of video surveillance can significantly
endanger the privacy of the individual, but also other rights and freedoms of people (e.g.
freedom of movement, the right to protection of personal data), so on
its introduction must not be seen as a simple technical decision,
sno should clearly define the reasons for the introduction of supervision, ie. purpose of processing.
Further, we believe that access to system recordings should be denied
video surveillance via internal cable television, public cable
television, the Internet or other means of electronic
communications to which such recordings may be transmitted, at any time
their emergence either after that, because it to a wide range of users
allows them to intrude indefinitely, without real need and reason
privacy of citizens, ie. other tenants and visiting persons.
The need and importance of taking measures to protect property and persons do not

Page 31

2. Video surveillance

31

excludes the obligation that these measures be proportionate to the purpose and not
violate the constitutionally guaranteed rights of citizens.
Finally, persons entering the space covered by video surveillance
have the right to be informed. A person who performs video surveillance
it is obliged to display the public notice in a visible place
video surveillance, which should contain information that the video
- ongoing surveillance (artistic or graphic symbol of video surveillance,
telephone number for video surveillance information).
In addition, special attention should be paid to the system that
used for video surveillance must be protected from access.
so unauthorized persons, as well as that the duration of the period of storage of recordings does not
exceeds the necessary period for which video surveillance and
vljen.
We also point out that the Law on Housing and Maintenance
residential buildings (“Official Gazette of RS”, No. 104/16),
log, regulate the issues of building management and use and maintenance
is a special part of the building - a special functional unit in the building which
of
buildings
, so in office
Articlespace,
3, item
8, it isgarage
prescribed
cancommon
represent
an apartment,
garage,
spacethat
or a garage box, in point 16, that the common parts of the building are
hunts for buildings that do not represent a separate or independent part of the building,
which are used for the use of special or independent parts of the building,
that is, the building as a whole, such as: common areas (
nothing, entrance areas, common hallway and gallery, attic
storeroom, basement, bicycle shed, laundry room, common terrace and
other premises intended for joint use by the owners of special
or independent parts of the building, etc.).
Article 42 of the same law, item 10 prescribes the assembly

s ambene
zaje nice
onosi
o luku paragraph,
o fizicno-echnicom
osiguranju
According
to the
previous
and refers
to the recording
the
building
is
also
welded
to
the
land
in
which
it
is
used
for the construction
of the building.
video surveillance in the building, it is necessary that the assembly
of the
nice brought about the port of establishing video surveillance, bearing in mind that
it is a public space that serves for the regular use of all apartments
ra buildings and their visitors. When deciding whether and which
the space should be covered by video surveillance, the real one should be kept in mind
assess whether it is necessary to cover a certain area with video surveillance
or the purpose of the processing can be achieved in a way that does not require
less, as well as whether the coverage is proportional to the purpose of processing. Visual
the angle covered by the camera must not be such as to capture more space
than is necessary to achieve the purpose of processing or a auspices

va ros or which is exclusively owned by other persons (entrance door to
s anove as personal elove buildings e).

32

Page 32

Personal data protection:

Here, having in mind all the above, we point to the provision of Article 49.
ZZPL and the duty of the operators (here the housing community) to
processing, ie establishing a data collection (here the collection
video recordings) shall submit to the Commissioner a notice of intent to
data collection, after which the Commissioner, according to Article 50, checks
processing operations that could significantly lead to injury
rights of the person, and Article 51, which stipulates that the controller submits
data collection, ie changes in the records at the latest
within 15 days from the day of establishment, ie change, as well as to
records referred to in this Article shall be entered in the Central Register established by
is led and led by the Commissioner.
Also, given that video surveillance can significantly jeopardize
you the privacy of the individual as well as other rights and freedoms, the Commissioner
prepared and made available to the Government the prepared Model of the new
ZZPL, harmonized with the current standards of the relevant European ones
documents, which, inter alia, contains provisions on video surveillance
ru, about which you can find information on the website http: // www.
poverenik.rs/sr/2017-03-06-09-09-59.html.
B ROJ: 072-03-285 / 2018-05 OF 27. 1. 2018

Page 33

2. Video surveillance

33

2.4. UNDER WHICH CONDITIONS CAN IT BE INTRODUCED
VIDEO SURVEILLANCE IN SCHOOLS
The school may envisage the use of video surveillance within
public space when necessary for the safety of students,
employees, visitors and property with care
that video surveillance within this area can be introduced in
cases and provided that the purpose cannot be achieved
by milder means, provided that video surveillance can only be performed
in parts of the space where the aforementioned interests must
be protected, such as the area in front of the school, the entrance to the school
or access to official premises. Other parts of the space do not
they may be covered by video surveillance or video surveillance
should not be performed in places where an individual can reasonably expect
a greater degree of privacy, such as toilets, rooms for
rest, locker rooms, etc.
When introducing video surveillance, special attention should be paid to
whether the intended purpose of processing (security) is
students and teaching staff are constantly present in the history,
dig in a less invasive way. Namely, the subject of the recording can
and must have some degree of privacy. Continuous recording of learning
and teaching staff during their stay in classrooms,
deprives those persons of their privacy and endangers their human dignity.
and represents an unnecessary invasion of their privacy.
Such data processing is not proportionate to the purpose, because the mentioned purpose
ha processing - safety of children and employees, as well as safety of property
wine and school funds, can be realized on other appropriate
the way.
I The Rationale P OVERENIKA :
The party addressed the Commissioner with a request to give an opinion on
whether and under what conditions the school can introduce video surveillance
in school corridors, classrooms, in front of and behind the school, as well as in
team.
The LPP regulates the conditions for the collection and processing of personal data.
and prescribe the rights of persons and the protection of the rights of persons whose data
collect and process. This law is, on the basis of Article 42 of the Constitution
the public of Serbia, conceived as a law that protects one person,
Constitutionally guaranteed human right - the right to data protection o
personalities of a particular person.
When it comes to the processing of personal data performed by
bomb recording device (video surveillance), general principles set out in

34

Page 34

Personal data protection:

ZZPL do not have their own precise elaboration, but, according to the provisions of Article 42.
Of the Constitution of the Republic of Serbia and Article 8 of the LPP, it is necessary that
data collector when collecting, holding, processing and using
personal data adheres to the relevant principles of this law,
namely: that we may process only those data that are authorized by law to
collects or has received authorization from the person from whom he collects
data on the basis of his drawing , to collect data only for purposes
prescribed by law or for purposes determined by the consent
kom, to have to provide achnos and up-to-date o a aka , to respect
for a purpose regulated by law or the consent of the person) and the principle of
principle of purposeful nose and (personality data are processed only in relation
required in the given case).
s i obra
e (onlyfollows
as much
personal
data provisions
is processed
is
It clearly
from
the stated
ofas
theit Constitution
of RS and ZZPL that it is
a valid legal basis for the processing of a person's personal data by law
or a drawing of the person whose data it is. Exceptions to this rule
are rare and restrictive and prescribed by the provisions of this law, so
Thus, Article 12 of the LPP stipulates that, inter alia, processing without
a break allowed to achieve or protect vital
interests of a person or another person, and in particular life, health and physical
integrity, for the purpose of fulfilling the obligations determined by law, the act
in accordance with the law or a contract concluded between the person and
operator, as well as to prepare the conclusion of the contract and in other
determined by this Law, in order to achieve the predominant justification
interest of the person, operator or user.
Bearing in mind that the processing of personal data of students,
and school visitors is subject to the general principles of
Thus, the person referred to in Article 8 of the LPPD, each controller is obliged to
applies the provisions of the LPP, as well as the provisions of any
other laws that are in the function of performing its activities.
In principle, the right to privacy is the human right to which most
affects video surveillance as open and secret recording of recordings, images
data and information about persons. This right belongs, primarily,
to a person who enters a public space and who justifiably expects not to be
supervised. It is therefore necessary that the data controller, who manages
by video surveillance, in a clear and visible manner, ie in a manner that
allows individuals to meet, and at the latest when they start with
video surveillance, highlights a notice (written or graphic): yes
video surveillance in progress and the name of the person performing surveillance with the telephone number
to obtain information about it (eg precisely defined, cona moving situation in which the processing of personal data is envisaged
video surveillance, where and for what period the system records are stored
video surveillance, etc.).

Page 35

2. Video surveillance

Further, the operator can predict the use of video surveillance in
within the public space (here the school space) when necessary
for the safety of students, employees, visitors and property, pri
which should be taken into account to video surveillance within this space
may be introduced in exceptional cases and provided that the
ha can not be achieved by milder means, provided that the video surveillance
may be carried out only in parts of the premises where the
the terraces must be protected. Other parts of the space must not
be covered by video surveillance, ie video surveillance must not be
performed in places where an individual can reasonably expect a higher degree
privacy, such as, toilets, rest rooms, locker rooms
and similarly.
Furthermore, the video surveillance system must be protected from access

35

unauthorized persons. Video surveillance system security rules,
as well as for the security of individual recordings are the same as the rules for
security of personal data in general.
It is recommended that the school, as a data controller, consult with
employee representatives, and to respect their views and reasons
and found a common position on the establishment of video surveillance
system.
Furthermore, the processing of personal data of students and employees in
whether, using video surveillance systems, should be observed with
views of proportionality in relation to the purpose of processing, in terms of Article 8.
point 7. ZZPL.
Namely, when introducing video surveillance, special care should be taken
takes into account whether the intended purpose of processing (security), when in
the premises are permanently occupied by students and teaching staff,
you in a less invasive way. Namely, the subject of the recording can and must
to have a certain degree of privacy. Continuous recording of students and
during their stay in the classrooms deprives these persons
privacy, endangers their human dignity and constitutes
necessary invasion of their privacy. Such data processing is not
proportionate purpose, because the mentioned purpose of processing - child safety and
employees, as well as the safety of school property and assets, can
dig and in another appropriate way. This can be achieved e.g. so
which cameras would record the space in front of the school, the entrance to the school, access
to official premises if necessary for security reasons
persons and property, control of entry or exit from official or
letter space, if due to the nature of the work there is a possible risk for
children and employees.
Here we point to the provision of Article 15 of the Law on the Fundamentals of the System
Education and Upbringing ("Official Gazette of RS", No. 88/2017 and 27/18
- dr. law), which regulates the field of upbringing and education, which

36

Page 36

Personal data protection:

stipulates that all forms of collection, processing, publication and
data processing is carried out in accordance with this, special and law
which regulates the protection of personal data.
Bearing in mind that video surveillance can significantly endanger private
of the individual as well as other rights and freedoms, the Commissioner has prepared
and made available to the Government a complete model of the new LPP,
with current standards of relevant European documents,
which, inter alia, contain provisions on video surveillance, which may be
you can inform on the website http://www.poverenik.rs/
sr / 2017-03-06-09-09-59.html.
B ROJ SUBJECT: 072-03-6632 / 2018-05 OF 3. 11. 2018

Page 37

2. Video surveillance

37

2.5. IS THE COMMISSIONER AUTHORIZED TO IMPLEMENT
SUPERVISION PROCEDURE IN A PRIVATE SPACE
OWNERSHIP, AND ON THE OCCASION OF INSTALLED CAMERAS
FOR VIDEO SURVEILLANCE?
The Commissioner is not authorized to conduct the oversight procedure in
a space that is privately owned, but a person who considers them to be
his rights violated by the installation of video surveillance cameras in
privately owned space may seek judicial protection.
you. I The Rationale P OVERENIKA :
The person addressed the Commissioner for Information of Public Importance
and personal data protection stating that they are at a neighbor's house
installed video surveillance cameras that record his yard and
street, which threatens his privacy.
In this regard, the Commissioner, among other things, pointed out the following.
It is indisputable that the recording is the processing of personal data,
however, when it comes to the processing of personal data that is performed
using recording devices (video surveillance), the general principles
ZZPL women do not have their own precise elaboration.
Article 5 of the LPP stipulates that, unless they clearly predominate
conflicting interests of persons, certain provisions of this law on the conditions for
processing, as well as the rights and obligations related to processing do not apply,
among other things, to the processing of data processed for family and
other personal needs and are not available to third parties.
Please note here that a private person may have an interest in
performs supervision in a certain place that serves public use in order to
protect their property and security or to protect some of
their rights. In that case, that space would have to be in the immediate area
near the private space that that person wants to protect. It means
that the visual angle covered by the camera must not be such that it is recorded
more space than is necessary to achieve the purpose of processing or
to record space that is the exclusive property of other private individuals
persons (entrance and exit, ie exterior or interior of others
apartments and houses).
Also, we point out that Article 40 of the Constitution of the Republic of Serbia
prescribes that the apartment is inviolable (paragraph 1); no one can do without writing
court decisions to enter another's apartment or other premises against the will of
of their holder, nor to search them. Apartment holder and others
the premises have the right to be alone or through his representative and with two others
an adult witness attends the search. If the holder of the apartment or

38

Page 38

Personal data protection:

his representative were not present, a search was allowed in the presence of
two adult witnesses (paragraph 2); without a court decision, entering someone else’s
apartment or other premises, exceptionally and search without presence
witnesses, are allowed if necessary for the immediate deprivation of
the freedom of the perpetrator of the crime or the removal of the immediate and
serious danger to people or property, in the manner prescribed by law
nom (paragraph 3).
In view of the above, the Commissioner cannot conduct the procedure
supervision in privately owned space.
In accordance with the provision of Article 42, paragraph 4 of the Constitution of the Republic of Serbia,
the person has been informed that he or she may seek appropriate judicial protection.
B ROJ: 072-03-183 / 2018-05 OF 13. 1. 2018

Page 39

3. Processing of particularly sensitive data

Page 41
40

3. Processing of particularly sensitive data

41

3.1. CAN THE PRINCIPAL OF THE SCHOOL PRESIDE THE PRESIDENT
OF THE EXECUTIVE BOARD OF THE TRADE UNION ORGANIZATION
PROVIDE DATA ON MONTHLY PAYMENTS
MEMBERSHIP FEES OF TRADE UNION MEMBERS
Data on trade union membership, as a particularly sensitive data
so about the person, the employer, ie. the school could handle exclusive
based on the consent of the employee given in accordance with the provisions
Art. 16
andRationale
17 of the
Law on Personal
Data Protection.
I The
P OVERENIKA
:
The person addressed the Commissioner for Information of Public Importance and
protection of personal data by asking whether the school principal can
to the President of the Executive Board of the trade union organization
information on the monthly membership fees of the members of that union.
ZZPL regulates the conditions for the collection and further processing of data on
and prescribes the rights of persons and the protection of the rights of
ci collect and process. This law is based on Article 42 of the Constitution
audience of Serbia ("Official Gazette of RS", No. 98/06) conceived as
a law that protects a personal, constitutionally guaranteed human right
in - the right to protection of personal data of a specific person, ie
protecting that person’s privacy.
In accordance with the provisions of the said Article of the Constitution and Article 8, item 1.
ZZPL, the legal basis for the processing of personal data may be
authorization or consent of the data subject, which
is given in the manner and under the conditions prescribed by the provisions of Articles 10 and
15. ZZPL.
The provision of Article 16, paragraph 1 of the LPP stipulates that the data that are
relations to union membership may be processed on a free basis
of the given consent of the person, except when the law does not allow processing either
with consent.
Article 17 of the LPP stipulates that consent to the processing of
it provides sensitive information in writing, which contains a label
the data being processed, the purpose of processing and the manner of its use,
and that if the consenting party is not literate or for some other reason is not
able to sign the consent in his own hand, the consent is valid
if two witnesses confirm with their signatures that they contain a statement in writing
the will of the consent provider, while Article 18 of the same law prescribes that
is, in case of revocation, the person who gave consent is obliged to give to the operator
reimburse justified costs and damages, in accordance with the regulations
regulates liability for damage, unless otherwise specified in the statement
about consent.

42

Page 42

Personal data protection:

According to the above, data on trade union membership, as
particularly sensitive personal data, the employer (here the school) could
would process only with the consent of the employee, given
dical organization in accordance with the cited provisions of the LPP.
We point out that schools, as operators, are obliged to independently
but apply the provisions of the regulations governing the
non-activities: Law on the Fundamentals of the Education System
("Official Gazette of RS", No. 88/17 and 27/18 - other law), Labor Law
("Official Gazette of RS", No. 24/05, 61/05, 54/09, 32/13, 75/14, 13/17 decision US and 113/17), and special laws, as well as the provisions of ZZPL and basic
principles contained in it.
Thus, Article 206 of the Labor Law prescribes that employees
guarantees the freedom of trade union organization and action without approval,
with entry in the register, and Article 207 that the employer is obliged to
who is a member of the trade union on behalf of the trade union membership
nose from earnings based on his name statement and to pay that amount to
appropriate account of the trade union, while Article 210, inter alia, that
the employer is obliged to provide the trade union with access to data and
necessary for the performance of trade union activities.
B ROJ: 072-03-6805 / 2018-05 of 28 11 2018

Page 43

3. Processing of particularly sensitive data

43

3.2. UNDER WHAT CONDITIONS AN EMPLOYER CAN
PROCESSES DATA ON EMPLOYEES FOR PURPOSES
EXERCISING THE RIGHTS OF SOLIDARITY EMPLOYEES
ASSISTANCE AND SOLUTIONS OF SURPLUS OF EMPLOYEES?
Making a social card of a certain person implies processing
personal data, some of which are particularly sensitive data
in terms of Article 16 of the Law on Personal Data Protection. Business
the provider could only perform such personal data processing
if he has an explicit legal authority for that or by law
established obligation, in which case the processing is performed within the limits
that authorization, which means that the employer can only process
data whose processing is determined by law, ie data which
are necessary and suitable for the performance of a legally prescribed obligation.
Processing of personal data based on the consent of the employee
the employer could only perform when the data processing is not and is not
can have an impact on the rights and obligations of the employee, and then they are
performed
within the
limits of the :given consent.
I The Rationale
P OVERENIKA
Commissioner for Information of Public Importance and Data Protection
on the person received a request from the person to give an opinion on whether
is a “draft social survey”, prepared by JMU RTS, in accordance with the Law
on the protection of personal data. In the request, he stated that JMU is RTS
requested from the Department of Social and Psychological Protection of Employees
to make a social map of employees and submit it for realization
the rights of employees to solidarity assistance, as well as the forthcoming solution
redundancy.
In this regard, it was first pointed out that the rights and obligations of
taxpayers and employees, exercising the right to solidarity assistance, as well as
manner and conditions of resolving redundancies, regulated by regulations from
areas of work, so in accordance with the above, in order to obtain information about
whether the employer is authorized to draw up a social
in accordance with these regulations, should be addressed to the Ministry of
labor, employment, veterans and social issues.
Having in mind the above, and starting from the fact that the development of social
identity card of a certain person implies the processing of personal data,
some of which are particularly sensitive data in terms of Article 16 of the Law
on the protection of personal data, from the aspect of the competence of the Commissioner
with regard to the application of that law, we point out in principle that
the provider could perform such personal data processing only if
for that he has an explicit legal authority or established by law

44

Page 44

Personal data protection:

obligation, in which case the processing is performed within the limits of that authorization,
which means that the employer can only process data processed
to be determined by law, ie data that are necessary and appropriate for
fulfillment of a legally prescribed obligation.
Processing of personal data based on the consent of the employee
the employer could only perform when data processing is not and cannot be
have an impact on the rights and obligations of the employee, and then it is done in
the limits of the consent given.
Should the condition regarding the legal basis be met, the
lac and data processor have obligations prescribed by the Law on
protection of personal data, such as notifying the Commissioner of
intentions to establish a data collection (Article 49 of the Law), undertaking
appropriate data protection measures (Article 47 of the Law) and so on.
This opinion is of a principled nature and does not constitute an instruction
to act in any particular case. This is because the
renik body that supervises the application of the Law and second instance
body in the process of exercising the rights of natural persons in connection with processing
personal data and, accordingly, attitudes on specific issues
a particular case may be taken only in the proceedings for which the
keeping competent.
B ROJ: 073-11-1766 / 2018-02 from 27 11 2018

Page 45

3. Processing of particularly sensitive data

45

3.3. IS THE NOTARY PUBLIC AUTHORIZED TO OBTAIN
MEDICAL DOCUMENTATION FROM THE PARTY IS WORKING
DECISIONS ON THE NECESSITY OF GOING TO THE FIELD?
The notary public is obliged to ask the party for proof that he would
justified the request to perform an official action outside the headquarters.
However, when proving the justification of that action, it is public
the notary must take into account the proportionality between the
work of this data to which he is obliged by law and the rights of persons to whom
the data relate. Among other things, that means that he is a notary public
obliged to justify requests for official action
outside the seat processes only a minimum of personal data that
are necessary.
I The Rationale P OVERENIKA :
Commissioner for Information of Public Importance and Data Protection
on the person received a request from the party entitled "objection" to
treatment of notaries and requesting medical documentation
is a party to prove the necessity of going out on the field. With that in
regarding the Commissioner pointed out the following.
Law on Personal Data Protection ("Official Gazette of RS",
no. 97/08, 104/09 - dr. law, 68/12 - US decision and 107/12) prescribes
conditions for processing personal data. As regulated by Article 8.
Of the Law, which prescribes the conditions for processing, processing is not allowed if,
among other things, the natural person did not give consent for processing, that is
if the processing is performed without legal authorization, if the data that is
processes unnecessary or unsuitable for the purpose of processing or are
the number or type of data being processed for disproportionate purposes of processing.
As regulated by Article 20 of the Law on Public Notary (“Official
Official Gazette of RS ", no. 31/11, 85/12, 19/13, 55/14 - dr. law, 93/14 dr. law, 121/14, 6/15 and 106/15), performing official activities outside
official headquarters and notary office is regulated in more detail
Notary Rules of Procedure.
This matter is not explicitly regulated by the Notary Public
dictionary ("Official Gazette of RS", No. 88/14). Notary
Rules of Procedure (“Official Gazette of the RS”, No. 62/16)
is not edited.
Article 15 of the Notary Rules of Procedure prescribes:
Notarial deeds are drawn up, solemnized or certified
her in the notary's office.
In urgent cases, ie in case of justified reasons and
urgent needs, at the reasoned request of the party in writing,

46

Page 46

Personal data protection:

a notary public may perform an official action outside the established
leg time, non-working days and holidays, in the office or outside
notary offices, but only as long as that need lasts.
The request of the party is especially considered justified when the conclusion
legal business necessary to protect the rights and interests of that person and:
- when due to age, illness or disability the party cannot
to come to the notary's office with the help of others
faces;
- when requested by a person undergoing treatment in a hospital or hospital
another rehabilitation institution or a care institution
care and stay of the elderly;
- when requested by a person serving a prison sentence;
- if it is useful due to the larger number of submitters of documents whose
signatures certify on the occasion of the same event or if any
other justified reasons or it is justified due to increased
workload. Increased workload is considered to be certification,
lemnization or making three or more documents or when u
five or more signatories participate in the procedure.
Article 16 of the Notary Rules of Procedure prescribes:
In cases where, at the reasoned request of a party, the public
The official should perform an official action outside the seat of the notary public.
office, the notary public is obliged to obtain the permission of the Chamber.
Request for granting a permit to perform an official activity outside
the seat of the notary office, in writing, the public notary
shall be handed over to the Chamber directly, by post or by other appropriate means
way (by e-mail, fax, etc.).
Permission of the Chamber to perform official activities outside the seat of the public
notary office may be submitted to the notary public
on average, by mail or in another appropriate way (by e-mail, fax, etc.).
It follows from the above that the notary public is obliged to ask from
parties proof to justify a request to perform an official action
outside the seat.
However, when proving the action, the notary must also
take into account the proportionality between the purposes of processing this data on
which is bound by the Law and the rights of the data subject. Between
among other things, this means that the notary public is obliged to justify
requests to perform an official action outside the headquarters are processed only by
the minimum personal data that are necessary. For example, instead
medical records or special remittances containing
as a more extensive set of personal data than is necessary for a given
action, the notary public may request confirmation from a particular doctor o
inability of a person to come to the space on his own or accompanied by others
notary public.

Page 47

3. Processing of particularly sensitive data

47

Of course, the scope of data depends on the circumstances of each specific
case and that this example should not be used as applicable to everyone
the case.
As for the actions of the Commissioner in a specific case and
supervision, we point out that this is possible with regard to some conmobile person as a personal data controller.
B ROJ: 011-00-00873 / 2016-02 from 19 7. 2016.

48

Page 48

Personal data protection:

3.4. UNDER WHICH CONDITIONS CAN TWO COUNTRIES EXCHANGE
EXCERPTS FROM CRIMINAL RECORDS FOR THE PURPOSE OF PROVISION
LEGAL ASSISTANCE IN CRIMINAL MATTERS?
From the point of view of the application of the Law on Personal Data Protection
that the processing of personal data involving
dealing with extracts from criminal records from another state for the purpose
providing legal aid, was allowed, it is necessary that for such
processing there is a legal authorization, ie the authorization of the
but inI The
a ratified
international
treaty.
Rationale
P OVERENIKA
:
The Ministry of Foreign Affairs of the Republic of Serbia addressed
To the Commissioner for Information of Public Importance and Data Protection on
person, for the purpose of giving an opinion and submitted a proposal note which would, in
in accordance with Article 14 of the Agreement between the Republic of Serbia and Bosnia and Herzegovina.
agreements on amendments to the Agreement between Serbia and Montenegro
and Bosnia and Herzegovina on legal assistance in civil and criminal matters
matters, was referred to Bosnia and Herzegovina to regulate the issue
obtaining excerpts from criminal records for citizens of the Republic
Serbia and Bosnia and Herzegovina.
In this regard, we emphasize that the Commissioner supports the efforts of the
Serbia and Bosnia and Herzegovina, on a reciprocal basis, will enable
subsequent exercise of the rights of citizens before the competent authorities of another
and, from the point of view of the competence of this body, we point out the following.
Data from criminal records relating to a natural person
whose identity is determined or identifiable is personal data
in the sense of the Law on Personal Data Protection, especially
sensitive data from Article 16 of that law.
Any action taken in relation to personal data
represents data processing in terms of Article 3, item 3 of the Law, which,
among other things, it is not allowed if it is done without a valid legal one
basis, ie. without legal authorization, ie physical consent
persons to whom the data being processed relate.
When it comes to data processing performed by a state body, it should
keep in mind that this processing is, above all, limited by the competence of the
established by law (or ratified international agreements
that the authority may process personal data for the purpose of
work within its competence, for the purpose and in the manner prescribed
by law (or a ratified international treaty).
As a question of the competence of a state body, by the nature of things,
represents a matter that is regulated by law, with the consent of the physical

Page 49

3. Processing of particularly sensitive data

49

persons for the processing of personal data may not be
which has not already been established by law (or
birth contract).
Therefore, from the point of view of the application of the Law on Personal Data Protection
to process personal data for the purpose and in the manner you are in
submitted act was allowed, it is necessary that for it
ji legal authorization, ie authorization contained in the confirmed
international agreement.
Please note that this opinion has a principled character and was given without
entry into the provisions of the Treaty of Serbia and Montenegro and Bosnia and
not on legal assistance in civil and criminal matters and the Treaty
between the Republic of Serbia and Bosnia and Herzegovina on amendments
Agreement between Serbia and Montenegro and Bosnia and Herzegovina on
assistance in civil and criminal matters.
B ROJ: 073-11-182 / 2018-02 OF 9. 2. 2018

Page 51
50

4. Obtaining and exchanging data between
different legal entities

Page 53
52

4. Obtaining and exchanging data between different legal entities

53

4.1. DOES THE EMPLOYER HAVE THE RIGHT TO INSPECT IN HEALTHCARE
EMPLOYEE CARD AND CAN I DATA ON
OBTAIN CONVICTIONS OF THE EMPLOYEE DIRECTLY
FROM THE POLICE WITHOUT THE PRESENCE OF THE EMPLOYEE?
The employer does not have the right to inspect the employee's health card.
foot, unless exceptionally there is the written consent of the employee given in
within the meaning of Article 17 of the Law on Personal Data Protection, whereby
it should be borne in mind that valid consent for processing implies
the freely expressed will of the person giving the consent, as well as
to revoke it, in the sense of Article 11 of the Law, with all legal
consequences of such a recall, because in the relationship between the employer and
last, the employee as a "weaker" party is not really free to
decides, there is a disproportion between influence and power between the
nak acquires (employer) and the one from whom he is sought (employees).
In addition, insight into the data on the health condition of a person
it is also possible on the basis of a court decision.
The employer could request information from the competent court
criminal records on the employee, or candidate for employment,
on the basis of a reasoned request and if there is a justified
teres,I based
on law.P OVERENIKA :
The Rationale
The person addressed the Commissioner for Information of Public Importance and
protection of personal data (hereinafter: the Commissioner) as follows
questions:
1) "Does the employer have the right to inspect the health care by law
employee card and, if so, under which article of the law is he entitled to it? ”and
“Can the employer obtain data on convictions
directly from the police and without the presence of an employee? ”
1) Article 16, paragraph 1 of the LPP stipulates that the data
nationality, race, sex, language, religion,
political party membership, trade union membership, health status,
receiving social assistance, victim of violence, conviction for a crime and
sex life can be processed on the basis of freely given consent
to persons, except when the law does not allow processing even with consent.
Paragraph 2 of the said Article of the LPP stipulates that, exceptionally, data
relating to affiliation with a political party, health condition
and receiving social assistance, can be processed without the consent of the person,
only if required by law.
Consent to the processing of particularly sensitive data is given in
by changing the form, which contains the designation of the data being processed, the purpose

54

Page 54

Personal data protection:

processing and manner of its use, which is prescribed by Article 17.
paragraph 1. ZZPL. If the consenting party is not literate or for any other
is unable to sign the consent in his own handwriting, the consent is
important if two witnesses confirm with their signatures that it contains in writing
statement of the will of the consent provider, in accordance with Article 17, paragraph 2 of the LPP.
When it comes to regulations in the field of health care which
the processing of particularly sensitive personal data in the
Slu provisions of Art. 16–18. ZZPL, Law on Patients ’Rights (“ Services
nor the RS Gazette ”, No. 45/13) in Article 21, para. 1 and 3 prescribe that data
on the state of health, ie data from medical documentation
is, belong to personal data and are particularly sensitive
data on the patient's personality, in accordance with the law and to be special
Sensitive data on the patient's personality are also considered to be
substances, on the basis of which the identity of a person can be established
whence they originate.
Article 21, paragraph 2 of the Law on Patients' Rights stipulates that
are data on health status, ie data from medical
documentation, must be kept by all health workers, ie
health associates, as well as other persons employed in health care
institutions, private practice, organizational unit of higher education
health care institutions that perform health care activities,
another legal entity that performs certain health care tasks
activities in accordance with the law, the organization of compulsory health
foot insurance, as well as a legal entity that performs voluntary work
health insurance, with which the patient is health insured,
and to whom this information is available and necessary in order to
of the established competencies.
Persons listed in Article 21, paragraph 2 of the Law on Patients' Rights,
as well as other persons who are unauthorized, ie without the consent of the patient
or legal representative, have information from the medical
documentation contrary to this article, and unauthorized amounts
to the public these data, are responsible for disclosing particularly sensitive
data, in accordance with the law, which is prescribed by paragraph 4 of Article 21.
of this law.
Law on Health Care ("Official Gazette of RS", No. 107/05,
72/09 - dr. law, 88/10, 99/10, 57/11, 119/12, 45/13 - dr. the law,
93/14, 96/15, 106/15, 113/17 - dr. law and 105/17 - others. law) in Article
73, among other things, prescribes that health care institutions are private
practice, social welfare institutions, penitentiaries
sanctions, health faculties that perform certain
words of health activities, as well as other legal entities that perform
certain health activities in accordance with the law required
to keep medical records of patients from unauthorized persons

Page 55

4. Obtaining and exchanging data between different legal entities

55

access, copying and abuse, regardless of the form in which they are
data from medical documentation preserved (paper, microfilm,
optical and laser disks, magnetic media, etc.), in accordance with the law.
Also, the Law on Health Documentation and Records
in the field of health ("Official Gazette of RS", No. 123/14, 106/15 and
105/17) in Article 40 prescribes that the data from the medical
whose patients represent particularly sensitive personal data.
Health care institutions, private practice and other legal entities, obliged
are to collect and process the patient's personal data on
the manner in which the exercise of the right to privacy and rights is ensured
on the confidentiality of the patient's personal data, in accordance with the law
governing the rights of patients and the law governing the
and personal data. Duties of data storage referred to in paragraph 2 of this
member, competent health worker, ie health associate
and another authorized person may be released only on the basis of a letter
the consent of the patient, or his legal representative, or
based on a court decision.
So, having in mind the first question and the cited provisions of the law,
the employer would not have the right to inspect the employee's health card
unless the data subject would give a valid one
consent to such data processing in terms of Article 17 of the LPP, or would
the court had previously had to make such a decision.
2) Regarding another issue concerning the possibilities of the employer
"[...] to obtain data on convictions directly from the police and without
the presence of an employee ... ”The Commissioner pointed out the following.
The content and provision of data from criminal records are prescribed
Article 102 of the Criminal Code ("Official Gazette of RS", No. 85/05,
88/05 - amended, 107/05 - amended, 72/09, 111/09, 121/12, 104/13, 108/14 and
94/16). When it comes to the employer's request for the employee to submit it himself
proof of his conviction or non-conviction, we emphasize that
paragraph 4 of the said article of the Criminal Code prescribes that no one
has no right to ask a citizen to submit proof of his conviction
or non-conviction.
Paragraph 2 of the said Article of the Criminal Code prescribes that
data from criminal records can only be given to the court, the public prosecutor and
police in connection with criminal proceedings against a person who
previously convicted, the body for the execution of criminal sanctions and
participating in the procedure of granting amnesty, pardon, rehabilitation
litigation or deciding on the cessation of the legal consequences of a conviction, as well as
guardianship authorities, when necessary for the performance of
responsibilities. Data from criminal records may also be provided
gim state bodies responsible for detection and prevention
committing criminal offenses, when it is prescribed by a special law.

56

Page 56

Personal data protection:

Furthermore, paragraph 3 of the same article of the Criminal Code states that
criminal records may, at the reasoned request of the criminal
authority, enterprise, other organization or entrepreneur, if any
the legal consequences of the conviction or security measures continue and
her legitimate interest based on law. Here we point out that it is
provisions of Article 99 of the Court Rules of Procedure ("Official Gazette of RS", no.
110/09, 70/11, 19/12 and 89/13) prescribed that at the request of the party, third parties
persons who have a legitimate interest and when required by regulations, the court
issues a certificate on the facts about which it keeps official records.
Having regard to the cited provisions of Article 102 of the Criminal Code,
the employer could request information from the criminal court from the competent court
records on the employee, or candidate for employment, on the basis of
reasoned request and if there is a justified interest in it, based
on the law. Should the employer require the employee to
put proof of his conviction or non-conviction, such processing
would be impermissible in terms of Article 8, item 5 of the LPP.
The provisions of the Labor Law (“Official Gazette
snik RS ", no. 24/05, 61/05, 54/09, 32/13, 75/14, 13/17 - US decision i
113/17) which prescribe the conditions for employment. Members
No. 24, paragraph 1 of the said law stipulates that employment may
is based with a person who is at least 15 years old and fulfilling
other conditions for work on certain jobs, determined by law, ie
sno by the rulebook on the organization and systematization of work. Attitude
2 of the said Article of the Law prescribes that they shall be determined by an ordinance
organizational parts of the employer, name and job description, type
and the level of required education, ie education and other
special conditions for working on these jobs, and the number of
performers.
Article 26, paragraph 1 of the same law prescribes that the candidate is obliged
to submit documents to the employer when establishing an employment relationship and
other evidence of fulfillment of the conditions for work on the jobs for which
in the employment relationship, determined by the rulebook, and paragraph 2 of the same article to
the employer cannot request family information from the candidate,
ie marital status and family planning, ie
documents and other evidence that are not of immediate relevance to both
employment for which he is employed.
For example, if the employer, in its rulebook on
and systematization of work provided, as one of the conditions for
performing certain tasks, that the person has not been legally convicted for
a crime at work or in connection with work, would have the legitimacy to from
competent court requests data from criminal records. Previously onThis situation would be relevant in the event that a candidate for
the latter was a person who was convicted of a crime on

Page 57

4. Obtaining and exchanging data between different legal entities

57

work or in connection with work and that the legal consequences of such condemnation, or measures
security, still lasting, by analogous application of Article 179, paragraph 1, item
2. of the Labor Law, which stipulates that the employer may to the employee
to terminate the employment contract if there is a justifiable reason for it
refers to the working ability of the employee and his behavior, and if
has been convicted of a criminal offense at work or in connection with work.
Here, the provisions of Article 176, item, would also be of interest to the employer.
2–4. Of the Labor Law, which prescribe that the employee's employment is terminated.
nose regardless of his will and the will of the employer: if, by
the law, ie a final decision of a court or other body,
it is forbidden to perform certain tasks, and it cannot be provided to him
performing other tasks - on the day of delivery of the final decision
ke, if due to serving a prison sentence he must be absent from work in
for a period longer than six months - on the day of entering the serving of the sentence
and if a security measure, educational or protective measure has been imposed on him
for more than six months and must therefore be absent from
work - on the day of the beginning of the application of that measure.
Also, we note that the Constitutional Court, by its Decision no. IUz424/2014 of 17 November 2016, which was published in the "Official Gazette of RS",
No. 13/17 of 24 February 2017 determined that the provision of Article 179, paragraph
3. item 5 of the Labor Law, which is based on the said decision and deleted
on, unconstitutional for the reason that it is to the employer, ie the responsible person
with the employer, was left to his own discretion and whether
an employee's conduct constitutes an act of committing a criminal offense
acts committed at work and in connection with work, regardless of whether
criminal proceedings were instituted against the employee for the criminal offense,
the employee would be terminated from employment, and a final conviction
the verdict of the criminal court was not even rendered (Article 179, paragraph 1, item 2
work law).
As the provision of Article 179, paragraph 3, item 6 of the Labor Law
written that the employer may terminate the employment contract of the employee who
he has committed a breach of duty through his own fault, if he has given an inaccurate
data that were decisive for the establishment of the employment relationship,
the employer would have an interest in collecting data that he would have previously
these situations were the basis for termination of the employment contract
and may collect them from official (criminal) records, in accordance
with Article 99, paragraph 1 of the Court Rules of Procedure ("Official Gazette of RS", no.
110/09, 70/11, 19/12, 89/13, 96/15, 104/15, 113/15 - corrected, 39/16,
56/16, 77/16 and 16/18) which stipulates that at the request of a party,
persons who have a legitimate interest and when required by regulations,
the court issues a certificate on the facts about which it keeps official records.
On the other hand, when it comes to proof of whether they are against a person
conducts criminal proceedings, Article 165 of the Labor Law stipulates that

58

Page 58

Personal data protection:

the employee may be temporarily removed from work if he / she is against
he was prosecuted in accordance with the law for criminal purposes
acts committed at work or in connection with work.
Analogously, one could hypothetically talk about the situation here
the employer may have an interest in finding out whether the person
intends to establish an employment relationship with them
a criminal offense committed at work or in connection with work, from a simple
evil that the employer, if determined, would have a situation to
the latter, already after the establishment of the employment relationship, is removed from work, and similarly
applying the provisions of Article 167, paragraph 2 and Article 168 of the Labor Law,
the removal may last until the final conclusion of that criminal
leg of the procedure and the employer would be obliged to pay that employee
salary compensation in the amount of one quarter, and if he
dicu, in the amount of one third of the basic salary.
The Labor Law does not prescribe the obligation of job candidates to
provide the employer with evidence as to whether criminal proceedings are being
and if the employer needs this information for the purpose of
employment, the legal basis for such processing would be consent, in
within the meaning of Art. 10th and 15th ZZZPL.
With regard to consent, as a legal basis for the processing of personal
when establishing an employment relationship, we note that
personal consent to processing implies the freely expressed will of the person
which gives consent, as well as the possibility to revoke it, in terms of the article
11. ZZPL, with all the legal consequences of such revocation, because in
are between the employer and the employee, employed as a "weaker" party
he is not really free to decide, there is a disproportion between influence and power
between the one who obtains the consent (employer) and the one from when
seeks (employees, job candidate). That's why the employer in each
in this particular case, it must also take into account the principles of proportionality
and expediency of processing from Article 8 of the Law on Public Procurement.
B ROJ: 072-03-2615 / 2018-05 OF 8. 5. 2018

Page 59

4. Obtaining and exchanging data between different legal entities

59

4.2. DOES THE EMPLOYER NEED CONSENT?
FOR SUBMISSION OF EMPLOYEE DATA
TO THE REPUBLIC HEALTH INSURANCE FUND
FOR THE ISSUE OF A HEALTH BOOK?
Under the law, the employer is obliged to register for
compulsory social security, on which occasion on
basis of legal authority performs the collection and processing of data
such about the personality of the employee, which further means that the employer
the consent
of the employee
is not required.
I The Rationale
P OVERENIKA
:
The person addressed the Commissioner for Information of Public Importance and
protection of personal data by asking whether his employer can
forward his data to the health care provider without his consent
to make a health booklet.
Article 8, item 1 of the LPP stipulates that the processing of personal data
is not allowed if the natural person has not given consent to
du, ie if the processing is performed without legal authorization. Listed
means that the controller may process the data only if required by law
authorized or obtained authorization from the person from whom he collects
data based on his consent.
Article 12 of the LPP prescribes that the processing of personal data is free
consent of the person allowed in order to realize or protect the
but important interests of a person or another person, and especially life, health and
physical integrity; for the purpose of fulfilling the obligations determined by law,
by an act passed in accordance with the law or a contract concluded between
persons and operators, as well as for the preparation of the conclusion of the contract; for the purpose of
fundraising for humanitarian needs and in other casesma determined by this law, in order to achieve the predominant justification
interests of the person, operator or user.
Article 35, paragraph 2 of the Labor Law ("Official Gazette of RS", No. 24/05,
61/05, 54/09, 32/13, 75/14, 13/17 - decision US and 113/17) prescribes that
the employer is obliged to on the basis of an employment contract or other contract
on the performance of activities concluded in accordance with this Law
single application for compulsory social insurance within the
the law regulating the Central Register of Compulsory Social
public insurance, and at the latest before the entry of the employee and another worker
engaged person to work.
Pursuant to Article 11 of the Law on the Central Register of Compulsory
social insurance, registration of insured persons and insured persons in
The Central Registry is done by submitting a single application in

60

Page 60

Personal data protection:

in electronic form by the single applicant; isThe application shall be submitted within three working days from the date of
last, ie from the day of concluding the employment contract, ie another
contract on the performance of activities or from the date of commencement of
ie from the day of termination of employment, termination of
letters or performance of activities, ie from the day of the change in
insurance flow; the single application contains the information required
nor for exercising the rights from the obligatory social insurance, which are
determined by the regulations governing pension and disability insurance,
health and unemployment insurance; close to
the content and form of the single application, the
applications, evidence submitted with the application, as well as
non-methodological principles and a unique code of codes for
data to the Unified Database are prescribed by the Government; day of receipt of the unique
applications in the Central Register are considered the day of receipt of the single
applications in all organizations of compulsory social insurance.
Pursuant to Article 11, paragraph 4 of the Law on the Central Register of
social security, the Decree on the content, form and
the manner of submitting a single application for compulsory social security
pushing, unique methodological principles and unique
code of codes for entering data into the Unified Database of the Central
register of obligatory social insurance ("Official Gazette of RS", no.
54/10, 124/12 and 119/13), which in Article 7, paragraph 1, item 1 and 2 prescribes
the following:
"In the Unified Database of the Central Registry, data on
pushing, namely:
1) Date of commencement of insurance, as follows: day, month and year of employment
appointments or appointments; date of commencement of independent performance
or agricultural activities; the date of commencement of the contractbusiness; date of exercising the right to a pension or cash benefits
hopes in accordance with the law; date of commencement of schooling, ie professional
foot training; date of commencement of suspension of rights and obligations on the basis
work; date of inclusion in compulsory social insurance; the beginning of
emergency medical services; the date of the injury at work or
occupational diseases; the date of submission of the application, ie the date
acquiring the status of an insured person;
2) Basis of insurance, as follows: (1) employment - for persons in employment
nose, ie persons employed in a company, other legal
person, state body, local self-government unit or code
natural persons; for civilians serving in the army and military units
and institutions; professional military personnel according to the regulations on
sci of Serbia, for domestic and foreign citizens and stateless persons
who are employed by foreign or

Page 61

4. Obtaining and exchanging data between different legal entities

61

international organizations and institutions, foreign diplomatic and
zularnih representations or in foreign legal or physical
persons unless otherwise provided by an international agreement, ie
if such insurance is provided by an international agreement; for faces
who perform work outside the employer's premises; for persons at work
relationship, ie employees who are sent to work abroad, from
employees in the company. "
Law on Health Insurance ("Official Gazette of RS", no.
107/05, 109/05 - corrected, 57/11, 110/12 - US, 119/12, 99/14, 123/14,
126/14 - US, 106/15 and 10/16 - dr. law) regulates the rights from the obligatory
health insurance of employees and other citizens, covered
compulsory health insurance, organization and financing
compulsory health insurance, voluntary health insurance
and other issues relevant to the health insurance system.
Article 10 of the Law on Health Insurance prescribes the principle of
obligations, which is achieved by organizing and implementing
comprehensive compulsory health insurance for employees and others
citizens in the Republic (hereinafter: insured persons) in accordance with this
by law, by which the insured for themselves and their family members (in
text: insured persons) provide the right to health care
there is also the right to monetary compensation, in accordance with this law and regulations
adopted for the implementation of this law; the principle of obligation provides
is obliged to pay contributions for compulsory health insurance
by employees and employers, as well as other payers
contributions in accordance with the law, which is a condition for
compulsory health insurance rights; principle of obligation
is realized and implemented by the overall organization of compulsory health
foot insurance, which applies to employees and other persons covered
This insurance ensures and guarantees the exercise of the rights
health insurance prescribed by this law and regulations
enacted to implement this law.
Article 17, paragraph 1, item 1 of the same law prescribes that they are insured
natural persons who are compulsorily insured in accordance with this law, and
to: employed persons, ie employees in a company,
another legal entity, a state body, a body of a local
self-government and autonomous provinces, as well as with natural persons (hereinafter
text: employees).
Article 112, paragraph 1 of the Law on Health Insurance prescribes that
to a person who has been recognized as an insured person by the parent branch
issues the prescribed health insurance document (hereinafter:
insurance document), which proves the status of the insured person.
Article 113 para. 1 and 2 of the same law prescribes that legal and physical
to the persons obliged to submit to the parent branch all data related to

62

Page 62

Personal data protection:

by applying for compulsory health insurance, by applying for a change in
compulsory health insurance or deregistration from compulsory health
insurance, in order to determine the characteristics of the insured person,
information on the termination or change in the determined property of the
pushed face; that on the basis of the data referred to in paragraph 1 of this Article, the parent
the branch establishes the facts for the acquisition of the property of compulsory insurance
foot face.
Therefore, the employer is obliged by law to make a report.
vu employee on compulsory social insurance, on which occasion on
the basis of legal authority is the collection and processing of data on
the identity of the employee concerned, which further means that the employer
the consent of the employee is not required.
B ROJ: 072-03-6747 / 2018-05 of 26 11 2018

Page 63

4. Obtaining and exchanging data between different legal entities

63

4.3. IS THE BANK AUTHORIZED TO FROM ITS CLIENTS
OBTAINS INFORMATION ABOUT OFFICIALS, MEMBERS
THEIR NEAR FAMILIES AND THEIR NEARBY
ASSOCIATES?
Banks, as obligors under the Law on Prevention of Money Laundering and
terrorist financing, have a legal obligation to collect personal
not the data of natural persons with whom they enter into a business relationship, as
and information on the official as other states and international
organization, as well as about the official of the Republic of Serbia, a member of it
immediate family or a close associate, so there is no
provisions
of the Law
on Personal :Data Protection.
I The Rationale
P OVERENIKA
The person addressed the Commissioner for Information of Public Importance
and protection of personal data (hereinafter: the Commissioner)
whether the bank has the right to request information on whether it is a person
official, a member of the official's immediate family, a close associate
functionary.
In order for data processing to be allowed, there must be
legal basis. Legal basis for processing personal data
it may be the law or the written consent of the person.
Furthermore, Article 7 of the Law on Prevention of Money Laundering and Financing
terrorism ("Official Gazette of RS", No. 113/17; hereinafter:
ZSPNFT) stipulates that the taxpayer is obliged to: establish identity
customers; verify the identity of the party on the basis of documents, data
or information obtained from reliable and credible sources;
establish the identity of the beneficial owner of the party and verify his
in cases prescribed by this Law; obtain and evaluate
the credibility of information about the purpose and intent of the business relationship or
transactions and other data in accordance with this law; obtain and proappreciates the credibility of information about the origin of property that is or will be
be the subject of a business relationship or transaction, in accordance with
at the cost of risk; regularly monitors business operations and checks the compliance of
activities of the client with the nature of the business relationship and the usual
my and the type of business of the party.
The obligor is obliged to reject the offer to establish a business
leg of the relationship and the execution of the transaction if it cannot perform the actions
and measures referred to in paragraph 1, item 1–5. of this article, and if the business relationship is already
established is obliged to terminate it, except in the case of an account
blocked on the basis of the procedure of the competent state body in accordance
with the law.

64

Page 64

Personal data protection:

In the cases referred to in paragraph 2 of this Article, the taxpayer is obliged to make
official note in writing, as well as to consider whether they exist
grounds for suspicion of money laundering or terrorist financing
and to act in accordance with the provisions of Article 47 of this Law. Official
the taxpayer keeps the note in accordance with the law.
Article 8 of the LSPNFT stipulates that the actions and measures referred to in Article 7
the liaison officer performs: when establishing a business relationship with a client; at
performing a transaction in the amount of 15,000 euros or more in dinars
equivalent, at the official middle exchange rate of the National Bank of
on the day of execution of the transaction (hereinafter: in dinar
value), regardless of whether it is one or more
interrelated transactions, in the case where the business relationship is not
established; when transferring funds in accordance with Art. 11–15.
of this law, in case the business relationship has not been established; when u
in connection with a party or transaction there are grounds for suspicion that it is
on money laundering or terrorist financing; when there is doubt in
the truthfulness or credibility of the obtained data on the foreigner and
to the actual owner.
Notwithstanding the provisions of paragraph 1 of this Article, the obligor
is obliged to perform the actions and measures referred to in Article 7 of this Law.
when performing a transaction in the amount of 5,000 euros or more in
dinar equivalent, regardless of whether it is one or
multiple interconnected transactions.
Also, exceptionally from the provisions of paragraph 1 of this Article, the taxpayer
on paragraph 4, item 8 of this Law, he is obliged to take actions and measures referred to in Article 7.
of this law executes when withdrawing winnings, placing bets
or in both cases, when transactions in the amount of 2,000 euros are performed
or more in dinar equivalent, regardless of whether it is a word
about one or more interrelated transactions.
Article 17, paragraph 6 of the LSPNFT stipulates that during the identification
the obligor is obliged to obtain a photocopy of the personal
mint that person. The taxpayer is obliged to write the date on that photocopy,
time and personal name of the person who performed the inspection. A photocopy of this
the taxpayer keeps in accordance with the law.
Article 3, item 22 of the LSPNFT stipulates that an official:
official of another state, official of an international organization and
cioner of the Republic of Serbia.
Item 23 of the same article stipulates that an official of another state
a natural person who has been performing or has been performing for the last four years
performed a high public office in another state, namely: the head of state
and / or the government, a member of the government and his deputy, an elected representative
legislative body, a judge of the Supreme and Constitutional Court or another
of a high-level body, against whose judgment, except in exceptional cases

Page 65

4. Obtaining and exchanging data between different legal entities

65

cases, it is not possible to use regular or extraordinary legal
lek, a member of the Court of Audit, ie the Supreme Audit Institution and
members of the governing body of the central bank, ambassador, charge d'affaires
affairs and senior officer of the armed forces, member of the administrative and supervisory
the body of a legal entity majority owned by a foreign state,
member of the governing body of a political party.
Item 24 of the same article stipulates that an official
gender organization a natural person who performs or is in the last
held a senior public office in the international
organization, such as: director, deputy director, member of the body
management, or another equivalent function in the international
organization;
Item 25 of the same article stipulates that an official of the Republic
Serbia, a natural person who performs or has been in the last four years.
dune performed a high public function in the country, namely: the president
States, Prime Minister, Minister, Secretary of State, Special
Adviser to the Minister, Assistant Minister, Secretary of the Ministry,
the director of the body within the ministry and his assistants, and
the rector of the special organization, as well as his deputy and his assistant
nici, MP; Judge of the Supreme Court of Cassation, Commercial Court
of the Court of Appeals and the Constitutional Court, President, Vice-President and Member
Council of the State Audit Institution, Governor, Vice Governor,
member of the executive board and member of the Board of Governors of the National Bank of Serbia
beats; a person in a high position in diplomatic and consular missions
communities (ambassador, consul general, charge d'affaires);
member of the management body in a public enterprise or company
majority state-owned entity, a member of the
political parties.
Item 26 of the same article stipulates that they are close family members
officials, spouse or common-law partner, parents, siblings and
children, adopted children and stepchildren, and their married or unmarried
partners.
Item 27 of the same article stipulates that a close associate of the
a natural person who makes a joint profit from property
or an established business relationship or has any other close
business relations with an official (eg: a natural person who is
small owner of a legal entity or a foreign law entity, and the actual profit
realized by the official).
Article 38 of the LSPNFT stipulates that the taxpayer is obliged to determine
whether the party or the actual owner of the party is an official. This postit is determined by the internal act of the taxpayer, in accordance with the guidelines
issued by the body referred to in Article 104 of this Law, competent for supervision over
by applying this law to that taxpayer.

66

Page 66

Personal data protection:

Based on all the above, banks, as obligors under ZSPNFT, have
legal obligation to collect personal data of natural persons with whom
enter into a business relationship, as well as information about the official as other
international organizations, as well as the official of the Republic
Serbia, a member of his immediate family or a close associate, and thus in
there is no violation of the provisions of the LPP.
B ROJ: 072-03-5531 / 2018-05 from 21. 8. 2018

Page 67

4. Obtaining and exchanging data between different legal entities

4.4. IS A COMMERCIAL BANK AUTHORIZED?
GETS INFORMATION ABOUT ALL MEMBERS OF SOMEONE
ASSOCIATIONS, MEMBERS OF THE MANAGEMENT BOARD
OR THE PRESIDENT OF THE ASSOCIATION?
The Bank, as the obligor, has the legal authority to request
about the members of the association, if it is registered in the Agency for
valuable registers (APR), because in that case it is a legal entity
in terms of the Law on Prevention of Money Laundering and Financing
rorism, and if the association is not registered in the APR, in that case the bank
has the authority to process only the data of the representatives of the association,
which is also prescribed by the Law on Prevention of Money Laundering and
terrorist
civil law entities.
I Thefinancing
Rationale for
P OVERENIKA
:
The person addressed the Commissioner for Information of Public Importance
and protection of personal data by asking whether it is a commercial bank
authorized to request information about all members of the association, members
board of directors or president of the association.
Article 3 of the LPP defines which actions are considered processing
personal data, as well as the notion of data controller. Each handthe data processor is obliged, in terms of the provision of Article 8 of the LPP,
takes into account the admissibility of the processing of personal data and may
to keep only those data that he is authorized by law to collect or is
authorization received from the person from whom he collects data on the basis
his consent, to collect data only for purposes that are by law
prescribed or for the purposes specified by the consent obtained,
to ensure the accuracy and timeliness of the data, to respect the principle of expediency
(personal data are processed only in relation to the purpose regulated by law
or with the consent of the person) and the principle of proportionality of processing
as much personal data as needed in a given case).
In order for data processing to be allowed, there must be
legal basis. Legal basis for processing personal data
it may be the law or the written consent of the person.
Article 4 of the Law on Associations (Official Gazette of RS, No. 51/09
and 99/11 - others. law) stipulates that the entry in the register of associations

67

voluntary, as well as that the association acquires the status of a legal entity on the day of registration
in the register.
Article 3 of the Law on Prevention of Money Laundering and Financing
rorizma ("Official Gazette of RS", No. 113/17) stipulates that they are persons
civil law associations of individuals who associate or will associate
money or other property for a specific purpose.

68

Page 68

Personal data protection:

Article 7 of the Law on Prevention of Money Laundering and Financing
rorism, it is prescribed that the taxpayer is obliged to: establish identity
customers; verify the identity of the party on the basis of documents, data
or information obtained from reliable and credible sources;
establish the identity of the beneficial owner of the party and verify his
in cases prescribed by this Law; obtain and evaluate
the credibility of information about the purpose and intent of the business relationship or
transactions and other data in accordance with this law; obtain and proappreciates the credibility of information about the origin of property that is or will be
be the subject of a business relationship or transaction, in accordance with
at the cost of risk; regularly monitors business operations and checks the compliance of
activities of the client with the nature of the business relationship and the usual
my and the type of business of the party.
The taxpayer is obliged to reject the offer to establish a business
relationship, as well as the execution of the transaction if it cannot perform the actions and
measures from paragraph 1. point. 1–5. of this Article, and if the business relationship has already
placed, he is obliged to terminate it, except in the case when the account is blocked
based on the procedure of the competent state body in accordance with the law.
In the cases referred to in paragraph 2 of this Article, the taxpayer is obliged to make
official note in writing, as well as to consider whether they exist
grounds for suspicion of money laundering or terrorist financing
and to act in accordance with the provisions of Article 47 of this Law. Official
the taxpayer keeps the note in accordance with the law.
Article 8 of the Law on Prevention of Money Laundering and Terrorist Financing
It is prescribed that the actions and measures referred to in Article 7 are performed by the obligor:
establishing a business relationship with a client; when conducting transactions
in the amount of EUR 15,000 or more in dinar equivalent,
at the official middle exchange rate of the National Bank of Serbia on the day of execution
transactions (hereinafter: in dinar equivalent) without
whether it is one or more interconnected transaction, in case the business relationship is not established; during transmission
funds, in accordance with Art. 11–15. of this law, in case when
business relationship is not established; when in relation to a party or transaction there are grounds for suspicion that it is money laundering or
terrorism; when there is doubt about the truth or credibility
obtained data on the foreigner and the beneficial owner.
Article 20 of the Law on Prevention of Money Laundering and Financing
rorism is required that the taxpayer establishes and verifies the identity
a party that is a legal entity by obtaining the data referred to in Article 99, paragraph
1. item 1 of this law. The data referred to in paragraph 1 of this Article shall be obtained
by inspecting the original or a certified copy of the documentation from the register
kept by the competent authority of the State of the seat of the Party, a copy of which it shall keep
in accordance with the law. On the copy he keeps, the taxpayer enters the date,

Page 69

4. Obtaining and exchanging data between different legal entities

69

time and personal name of the person who inspected the original or
renu copy.
The documentation referred to in paragraph 2 of this Article may not be older than three
months from the date of issue.
The taxpayer may obtain the data referred to in paragraph 1 of this Article
by an intermediate inspection of the register kept by the competent authority of the
what or other official public register. The obligor is obliged to
in a printed excerpt from that register, enter the date, time and personal name
the person who performed the inspection. The excerpt from this paragraph shall be kept by the taxpayer in accordance with
du with the law. If it is not possible to obtain all the data from the official one
public register, ie the register kept by the competent body of the state
headquarters, the taxpayer is obliged to obtain the missing data from the
original document or a certified copy of the document or other
not the documentation provided by the party. If individual data that
missing for objective reasons can not be determined as prescribed
manner, the taxpayer is obliged to determine this information on the basis of a written
public parties.
If the taxpayer doubts the veracity of the obtained data or
authenticity of the submitted documentation, he is obliged to
deals with the written statement of the party.
If the party is a foreign legal entity performing activities in the Republic of
close to Serbia through its branch, the taxpayer is obliged to determine and
believe the identity of the foreign legal entity and its branch.
Article 21 of the Law on Prevention of Money Laundering and Financing
rorism is required that the taxpayer establishes the identity of the representative
legal entity by inspecting the original or a certified copy of the documentation
from the register kept by the competent authority of the state of the registered office of the legal entity
or by direct inspection of the official public register, ie the act
they are assigned a person authorized to represent if in the
whose data is not listed in the register. On a copy which he keeps,
According to the printed statement, the taxpayer enters the date, time and personal name
the person who inspected the original or a certified copy, ie
official public register.
To verify the identity of the legal entity's representative and obtain it
data referred to in Article 99, paragraph 1, item 2 of this Law shall be applied accordingly
provisions of Article 17 para. 2 and 6 of this law. If the taxpayer at the
and verification of the identity of the representative of the legal entity
nity of the obtained data, he is obliged to obtain his
written statement. When establishing and verifying the identity of
persons of foreign law and obtaining his data accordingly
apply the provisions of para. 1–3. of this article. If the legal entity is a representative
legal entity or a person of foreign law, the taxpayer is obliged to determine
and verify the identity of the representative in accordance with Article 20 of this Law.

70

Page 70

Personal data protection:

To determine and verify the identity of the representative of the legal entity that
represents a legal entity or a person of foreign law, the taxpayer is obliged to
apply the provisions of Art. 1–3. of this article.
Article 23 of the Law on Prevention of Money Laundering and Financing
It is stipulated that the taxpayer is obliged to establish and verify the
the person authorized to represent, obtain a written authorization
for representation; obtain the data from Article 99, paragraph 1, item 2 and 14 of this
of the law.
The obligor is obliged to establish the identity of the representative of the
by inspecting the original or a certified copy of the written authorization
for representation, a copy of which is kept in accordance with the law. On a copy of which
kept by the taxpayer, enter the date, time and personal name of the person who
lo insight. The taxpayer is obliged to verify the identity of the person's representative
civil law and obtain the data referred to in Article 99, paragraph 1, item 2 of this
of the law by inspecting the personal document of the person authorized to represent, in
his presence, a copy of which the taxpayer keeps in accordance with the law. On the
a copy kept by the taxpayer shall enter the date, time and personal name of the person who
inspected the original personal document. If from that document
it is not possible to obtain the prescribed data, the missing data
they are obtained from another official document, a copy of which the taxpayer keeps
in accordance with the law.
The obligor is obliged to provide the data referred to in Article 99, paragraph 1, item 14 of this
law shall be obtained from a written authorization submitted by the
but for representation. If it is not possible to obtain from that written authorization
In order to obtain this data, the missing data is obtained directly from
representatives.
If the taxpayer doubts the veracity of the obtained data or
authenticity of the submitted documentation, he is obliged to
deals with a written statement of the person authorized to represent.
Article 25 of the Law on Prevention of Money Laundering and Financing
terrorism stipulates that the obligor is obliged to establish identity
the beneficial owner of a party which is a legal person or a person
by obtaining the data referred to in Article 99, paragraph 1, item 13 of this Law.
The obligor is obliged to obtain the data referred to in paragraph 1 of this Article
home in the original or a certified copy of the documentation from the register which
managed by the competent authority of the State of the
of six months from the date of issue, a copy of which shall be kept in accordance with
by law. On the copy he keeps, the taxpayer enters the date, time and in person
the name of the person who inspected the original or a certified copy . Podacan also be obtained by direct insight into the official public
old in accordance with the provisions of Article 20 para. 4 and 6 of this law.
If from the official public register, ie the register
competent authority of the State of residence, it is not possible to obtain all information on

Page 71

4. Obtaining and exchanging data between different legal entities

71

to the beneficial owner of the party, the obligor is obliged to provide the
obtained from the original document or a certified copy of the
or other business documentation provided to him by the representative
procurator or proxy of the party.
Data that for objective reasons cannot be obtained at
the manner specified in this Article, the taxpayer may also obtain by inspecting
commercial or other available databases and data sources or from pichange the statement of the representative, procurator or proxy and the real one
party owner. In the process of establishing the identity of the actual
the taxpayer may obtain a copy of the personal document of the actual
party owner.
If the obligor, after taking all actions prescribed by this
member is not able to determine the actual owner, he is obliged
to establish the identity of one or more natural persons performing
the function of the highest leadership in the party. The taxpayer is obliged to
document the actions and measures taken under this article.
The obligor shall take reasonable steps to verify the
the beneficial owner of the party, so that he knows at all times
and management structure of the party and to know who the real
party members.
Based on all of the above, applying the above provisions,
the bank as a obligor has the legal authority to request data for
members of the association, if the same is registered in the APR, because in that case it is done
on a legal entity in the sense of the Law on Prevention of Money Laundering and Financial
spreading terrorism, and if the association is not registered in the APR, in that case
the bank has the authority only to process the data of the association's representatives,
which is also prescribed by the Law on Prevention of Money Laundering and Financial
spreading terrorism to civil law entities.
B ROJ: 072-03-32275 / 2018-05 OF 4. 8. 2018

72

Page 72

Personal data protection:

4.5. IS THE MANAGER OF THE RESIDENTIAL BUILDING AUTHORIZED
TO OBTAIN REGISTRATION NUMBERS AND NUMBERS
ID CARDS OF ALL LIVING PERSONS
IN A CERTAIN HOUSING UNIT?
Authorization of the manager of the residential building to establish and manage
records on owners of special parts, owners of selfpermanent parts and persons to whom they have common or special
hunts buildings leased, ie used for another
basis, which contains their name, surname and JMBG, derives from
horse authorization, ie. from the provisions of Article 50 of the Housing Act
and maintenance
buildings.
I The RationaleofPresidential
OVERENIKA
:
The person addressed the Commissioner for Information of Public Importance
and the protection of personal data by asking whether the building manager has
the right to request identification numbers and identity card numbers of all persons
who reside in the apartment, including children.
The LPP regulates the conditions for the collection and processing of personal data.
and prescribes the rights of persons and the protection of the rights of persons whose data
collect and process. This law is based on Article 42 of the Constitution
of the Serbian public conceived as a law that protects one person,
Human rights guaranteed by the Constitution - the right to data protection
on the personality of a particular person, ie the protection of the privacy of that person
be. Thus, in accordance with the provisions of Article 8 of the LPP, during the collection,
holding, processing and using personal data is necessary to
each operator adheres to the relevant principles of this law, and
that the operator: we may collect only those data that are by law
authorized to collect or obtained the authorization from the person from whom
collects data based on his consent to process the data
only for the purposes prescribed by law or for the purposes of certain
consent must ensure the accuracy and timeliness of the data, yes
respects the principle of expediency (personal data are processed only
in relation to the purpose regulated by law or the consent of the person) and the principle
proportionality of processing.
According to the above, from the point of view of ZZPL, legal
basis for the collection and further processing of personal data may
be the legal authority or valid consent of the person whose
dacima is the word given in the manner and under the conditions prescribed by the provisions of Art.
10th and 15th ZZPL.
In the specific case, the provision of Article 50 of the Law on Housing and
maintenance of residential buildings ("Official Gazette of RS", No. 104/16)

Page 73

4. Obtaining and exchanging data between different legal entities

73

the competencies of the building manager are prescribed, so in paragraph 1, item 6.
of this article states that the manager: “Establishes and keeps records of
special parts owners, independent parts owners and persons
which the common or special parts of the building have been leased, or
sno to use on another basis (for natural persons name, surname and
JMBG, and for legal entities business name, registered office address and identification number). "
Therefore, the authority of the trustee to establish and maintain
about the owners of special parts, owners of independent parts
and persons to whom common or separate parts of the building have been issued in
lease, ie for use on another basis that contains theirs
name, surname and JMBG in this case derive from the law
authorizations (cited provisions of the Law on Housing and Maintenance
residential buildings).
As the provisions of the said law, except for the data from the previous one
paragraph, the collection of any other personal data is not
as well as personal data of other tenants (family members
foot of the household, etc.), the building manager does not have the legal authority
for their processing.
B ROJ: 072-03-2539 / 2018-05 OF 12. 5. 2018

74

Page 74

Personal data protection:

4.6. IS THE DATA OF PERSONS EMPLOYED AT WORKERS
PLACES THAT IMPLY WORK WITH MONEY I CAN
WITH THEIR PRIOR AGREEMENT TO COLLECT
FROM THE CREDIT BUREAU FOR THE PURPOSE OF PREVENTING THE POSSIBLE
ABUSE IN SUCH WORKPLACES?
Processing of data on the financial condition of individual employees
by the employer, solely due to the fact that you
sleni work in jobs that involve working with money,
from the standpoint of the Law on Personal Data Protection, it is disputable
from several aspects, both in terms of the legal basis and with
aspects of the principle of expediency and proportionality of data processing.
Namely, due to the fact that a person is in a bad financial situationaction, it could not and should not be automatically assumed that it is
person, due to the situation in which he finds himself, prone to financial
versions
abuse PofOVERENIKA
their workplace.
I Theand
Rationale
:
The Commissioner for Information of Public Importance and Data Protection
as a person, he received a request to give an opinion on whether he would
employers could find persons working in jobs that support
include working with money (eg sales agents, cashiers)
in trade facilities, employees in accounting, etc.)
pay the data from the credit bureau, on the basis of which they would gain insight into
financial condition of these persons, with their prior consent, and all in
for the purpose of preventing financial fraud.
Competence of the Commissioner in the field of personal data protection
it is determined by Article 44, paragraph 1 of the Law on Personal Data Protection
("Official Gazette of RS", No. 97/08 and 104/09 - other law, 68/12 - decision
U.S. and 107/12). Pursuant to the above provision, the Commissioner, as a second instance
and the supervisory body in the field of personal data protection and
rights to the protection of personal data, can only indicate
principled views relating to the processing of personal data, how
would not prejudge his decision in the event of any of the
paka for whose management he is competent. Therefore, the Commissioner's response to
frontal character.
In order for the processing of personal data to be allowed, they must be
fulfilled conditions for data processing determined by the Law on Protection
personal data. The provision of Article 8 of that law stipulates that
processing of personal data is not allowed: if it is done without
authorization or if the natural person has not given consent for processing;
if it is performed for a purpose other than that for which it was determined; if purpose

Page 75

4. Obtaining and exchanging data between different legal entities

75

processing is not clearly defined; if the data subject is
determined after the purpose of processing has been achieved; if the way
processing prohibited; if the data being processed is unnecessary or
unsuitable for the purpose of processing; if the number and type of data
which are processed for disproportionate purposes of processing and if the data is untrue
and incomplete. Therefore, the processing of personal data would be
chosen, for her, above all, there must be a legal basis. It can be
legal authority or consent of the data subject for
data processing. In addition, appropriate care must be taken
principles of personal data protection, namely: the principle of expediency,
the principle of legality, the principle of proportionality, the
and the principle of accuracy and timeliness.
In this sense, the processing of personal data by collecting
from the credit bureau by the employer on the financial situation
employees in certain jobs is controversial in several respects.
both in terms of the legal basis and in terms of the principle of
similarity and proportionality of data processing.
Namely, as already mentioned, the legal basis for the processing of personal data
may be the legal authority or consent of the person. In order to
the stay of a person was a valid legal basis for the processing of personal data, he
it must be informed and voluntary, ie it must be a person
first informed about the processing of personal data and that it is
but agreed. As in the employment relationship, there is an unequal distribution
power between employer and employee, employee consent for processing
personal data in an employment relationship can rarely be represented
a valid legal basis for the processing of personal data. Namely, employees, who
is by the nature of things in a situation of dependence on the employer, can not
give free consent. Consent would be free in a situation where
the employee would be in a position to deny it and not suffer harm as a result
consequences, which is almost never the case in an employment relationship.
Furthermore, the principle of proportionality presupposes that
you only have as much personal information as you need to
achieved the purpose of processing. Processing of data on the financial condition of persons
employees of the employer, in order to prevent potential abuse
should, it would be disproportionate to the purpose for which it was established. AcquiresThe report from the credit bureau directly encroaches on privacy
faces. However, the processing of this data would not be necessary to achieve
processing the purpose of processing (prevention of abuse), because the employer, after
as a rule, there are other legitimate means at his disposal to protect
their business interests, which are significantly less invasive in terms of
(eg more efficient control of the work process, control of
chasing the market, handing over money, etc.). The fact that this type of “controlls "may have been more comfortable for the employer, because it does not require introduction

76

Page 76

Personal data protection:

special procedures in the work process, does not encroach on privacy
employees are neither justified nor permitted, as the rule is to
If the same purpose could be achieved by other methods, data on
personalities do not process at all.
Finally, the principle of expediency presupposes that data on
personalities are processed for a clearly defined and permitted purpose. In particular
case, the purpose of processing data on the financial condition of employees
in certain jobs it is neither clearly defined nor allowed. Naime, due to the fact that a person is in a bad financial situation, no
one could not even automatically assume that it is a person, because of
the situation in which he finds himself, prone to financial fraud and
abuse of his job. In this way, without any basis,
the person would be labeled as a “potential criminal”
the home needs to exercise intensified control.
Therefore, the processing of data on the financial condition of individuals
employed by the employer, solely due to the fact that you
employees work in jobs that involve working with new
cem, from the standpoint of the Law on Personal Data Protection would not
was allowed.
B ROJ: 073-11-1080 / 2017-02 from 12 7 2017

Page 77

5. Frequently Asked Questions
in connection with the specific
cases of data processing

Page 79
78

5. Frequently asked questions regarding specific cases of data processing

79

5.1. DOES THE CONTRACTUAL DATA PROCESSOR HAVE THE RIGHT
TO COLLECT DATA ON THE BANK'S DEBTOR
FROM THE DEBTOR'S NEIGHBOR?
The Bank, as the controller of personal data, has illegally
process the data of its client, when through its contractual
data producer, asked her client's neighbor by phone
(debtor) information about his client in order to obtain various information
information about him, which is an unauthorized processing from Article 8.
touch 1 and 8 of the Law on Personal Data Protection, because the processing
performed without the legal authority or consent of the person to whom they are
these data are related, by obtaining data in a way that is not
based on a credible source, and for which processing they have not been fulfilled either
conditions
from Article
14 of the LPP
I The Rationale
P OVERENIKA
: for collecting data from another person.
Acting on a petition filed on 17 February 2017 by AA,
renik, through the authorized person from Article 54, paragraph 2 of the LPP, initiated
the process of overseeing the implementation and enforcement of the law by
BANCA INTESA a. d. White City. The petition states that the
of the operator, on 14 February 2017, called the applicant by telephone,
and asked him for information about his neighbor BB - a client of the
blacksmith. When he asked where his phone number came from, the serviceno one told him that he had found it in the telephone directory ("White Pages").
Upon receipt of the petition, the authorized person of the Commissioner is, 28. 2.
2017, sent a request for a statement to the operator and on that occasion
the handler had to state: whether the applicant's claims were true
applications to call the neighbors of their clients in order to
about them; on what legal basis and for what purpose; on which
the act comes to the phone numbers of its clients ’neighbors; whether it leads
a special collection of personal data of the neighbors of their clients; who is
collects all personal data from its clients' neighbors; Do you
their employees directly call the client's neighbors, or in
their name is made by another legal or natural person with whom they have
key business cooperation agreement; whether they record telephone conversations
vore when calling neighbors of their clients.
In this regard, the handler submitted a written statement in which he is
stated that “BANCA INTESA” a. d. Belgrade in connection with the collection of due
search has established cooperation with four external agencies,
regulated by the contract and annexes to the business cooperation agreement, as well as
confidential information agreement. Practice of Bank employees
and instructions submitted to the agencies, as well as the contracts by which it is

80

Page 80

Personal data protection:

regulated mutual cooperation does not imply communication with
neck. In an attempt to make contact with the client,
available funds related to the search by "White Pages" and
by calling available telephones to provide information. If it's
client registered at the appropriate address, an employee of the Bank or
the external agency with which the cooperation was established was left
the ability to reach the available number based on the address data
phone through which to establish communication with the client. U
that part is strictly forbidden to reveal confidentials to other persons
customer information. The bank determined that one happened by mistake
a case of calling their client's neighbor in an attempt to reach
data on the Bank's client. On February 14, a natural person who is not
left information about himself filed an objection that he was called to a fixed
the phone number registered on the "White Pages". The reason for the
is a debt based on a loan from another person - a client of the Bank who
did not answer the phones left in the Bank's system. Given that
that the Bank had the client’s address, the “White Pages”
search at that address. The call was sent to the number of telethe background of the person who filed the objection, and who resides at the same address as
and a client of the Bank. The call was made by an external agency with which
cooperation to invite and inform in the name and on behalf of the Bank
clients to settle their due and outstanding obligations to the Bank,
negotiate pre-defined strategies and refer to the Bank
for the purpose of concluding an appropriate contract. In conversation with the person who is
filed an objection employees from the agency introduced themselves and mentioned that
calls in the name and on behalf of the Bank, without providing information about its client
which are confidential. Information was obtained from the said person
information that the client has passed away. The Bank does not maintain a collection of
necks of their clients, does not collect data about them, does not call
them (except by mistake), there are no conversations to be recorded nor are these
letters entrusted to a third party. Along with the statement in question, he is the operator
submitted a photocopy of the Business Cooperation Agreement that he concluded
with the legal entity "EOS MATRIX" d. about. about. Belgrade, as well as a photocopy of the
on the handling of confidential information concluded between
of the same contracting parties.
In the supervision procedure, it was determined that he was an employee of a legal entity
EOS MATRIX d. about. about. Belgrade, on the basis of the Agreement on Business Cooperation
which the operator concluded with that legal entity, on 14 February 2017,
called the applicant on his public telephone number.
but available, said to call on behalf of the operator and requested information
is about the client of the operator who resides at the same address as the applicant
petition, after which the applicant provided him with information
that the operator's client has passed away.

Page 81

5. Frequently asked questions regarding specific cases of data processing

81

Having in mind the stated facts, the answers were applied to them.
fraudulent regulations governing the protection of personal data.
First of all, the Constitution of the Republic of Serbia, in Article 42, prescribes that
personal data protection. Collection, holding, processing and
the use of personal data is regulated by law. It is also forbidden
punishable use of personal data beyond the purpose for which they were
confiscated, in accordance with the law, except for the purposes of
procedure or protection of the security of the Republic of Serbia,
seen by law. Everyone has the right to be informed about what has been collected
information about his personality, in accordance with the law, and the right to a court
protection due to their abuse.
The provision of Article 3, item 3 of the LPP stipulates that the processing
thus any action taken in relation to data such as:
copying, copying, transcribing, duplicating, copying, transmitting,
search, sort, store, separate, cross,
unifying, comparing, changing, providing, using,
making available, disclosing, publishing, disseminating, recording, organizing
stringing, storing, adapting, detecting by transmission or on
other ways of making available, concealing, relocating and others
the manner of making it inaccessible, as well as carrying out other actions in connection with it
with the specified data, regardless of whether it is done automatically,
semi-automatic or otherwise.
The provision of Article 8, item 1 of the LPP stipulates that the processing is
preferred if the natural person has not given consent for processing, ie if
processing is performed without legal authorization, while the provision of Article 8.
item 8 of the same law, stipulates that the processing of personal data is not
allowed when the data is untrue and incomplete, ie when it is not
based on a credible source or is outdated.
Exceptions to this rule are provided for in Article 12 of the LPP, where
con allows processing without consent in the following cases: to
realized or protected the vital interests of a person or another
persons, in particular life, health and physical integrity; for the purpose of
obligations determined by law, by an act adopted in accordance with
or by a contract concluded between the person and the operator, as well as for work
preparation of contract conclusion; for the purpose of raising funds for
humanitarian needs and in other cases determined by this Law,
in order to realize the predominant legitimate interest of the person, operator or
users.
The provisions of Art. 10 and 15 of the LPP stipulate that the consent of the person o
whose information is in question, it must be given in writing or orally
snik, after prior notice by the data controller
in terms of the provisions of Article 15 of the Law on Personal Data Protection
(controller who collects data from the persons to whom it relates, ie

82

Page 82

Personal data protection:

from another person, before collection, he will meet the data subject
relations, ie another person about his identity, the type of data that
are processed, the purpose of the intended data processing, the scope of protection of these
data, eventual transfer and further use of data, as well as
the duration of the intended processing, the right to revoke the consent and the legal
the consequences of this revocation, the rights belonging to the person in the case
unauthorized processing and other circumstances whose non-disclosure would
to the person to whom the data relate, or to another person
conscientious conduct).
The provision of Article 14 of the LPP stipulates that data be collected
from the persons to whom they refer and from the administrative bodies authorized by law
nor for their collection. The same provision stipulates that data
may be collected from another person if provided for in the
key with the data subject; if prescribed for
konom; if necessary given the nature of the work; if collected
the payment of data from the person to whom it relates requires excessive
expenditure of time and resources; if data are collected for
protection or protection of the vital interests of the persons to whom they relate,
especially life, health and physical integrity.
Further, by the provision of Article 46 of the Law on Banks (Official Gazette
RS, no. 107/05, 91/10 and 14/15) is prescribed to be a banking secret
consider data that are known to the bank, and relate to personal data,
financial position and transactions, as well as ownership or business
no customer connections of that or another bank; data on the condition and turnover of
individual deposit accounts; other data to which the bank
comes into business with clients without being considered a banking secret:
public data and data that are justified to interested parties
available from other sources; consolidated data on
the basis of which the identity of an individual client is not revealed; the data
on the bank's shareholders and the amount of their participation in the shareholder
asked the bank, as well as data on other persons with participation in the bank and
data on that participation regardless of whether they are clients of the bank; as perdata relating to the orderliness of the client's obligations to
banks. The provision of Article 47 of the same law prescribes the obligation to keep
banking secrets, according to which the bank and members of its bodies, shareholders and
employees of the bank, as well as the external auditor of the bank and other persons who due
nature of the work they perform have access to the data referred to in Article 46.
paragraph 2 of this Law, may not communicate this information to third parties
nor use them against the interest of the bank and its clients, nor
may allow third parties access to that data. The obligation to keep
banking secrets for persons referred to in paragraph 1 of this Article shall not cease even after that
termination of the status on the basis of which they gained access to data from
that attitude. The bank may provide customer information that is considered banking

Page 83

5. Frequently asked questions regarding specific cases of data processing

83

secretly communicate to third parties only with the written consent of that client.
unless otherwise provided by this or another law.
As it is during the telephone conversation in question to the applicant
petitions given information on the basis of which he can conclude that
his neighbor is the client of the operator, that is the operator, through the legal
the person who made the telephone conversation in question on his behalf,
performed unauthorized processing of his client 's personal data in
in the sense of Article 8, item 1 of the LPP, because there is no legal authority either
the consent of its client to make such information available
to the applicant. In addition to the above, the operator is collecting
personal information about his client from his neighbor performed
unauthorized processing of personal data from Article 8, item 8 of the Law
on the protection of personal data, because it is about collecting data that
not based on a credible source.
In particular, the Commissioner appreciated and found that for the subject processing
the legal requirements for processing without the consent referred to in Article 12 have not been met.
of this Law, nor the conditions for data collection referred to in Article 14, paragraph
1. of the same law, because the data are not collected from the data subject
relations, nor from administrative bodies authorized by law for theirs
collection, ie from another person in cases prescribed by
vom 2. of the same article.
In view of the above, the Commissioner issued this warning, however
that the operator is obliged to, within 15 (fifteen) days from the day of
This warning shall inform the Commissioner of the measures taken and

planned activities to eliminate these irregularities
in the processing of personal data, and for possible further action
Commissioner in accordance with the powers from ZZPL.
In POZORENJE COMMISSIONER NUMBER 072-03-707 / 2017-05 OF 10. 3. 2018, respectively.
YEARS

84

Page 84

Personal data protection:

5.2. IS THE PUBLIC AUTHORITY AUTHORIZED TO PROCESS
PERSONAL DATA WITH THE CONSENT OF A NATURAL PERSON
IN SITUATIONS WHEN SUCH IS NOT ESTABLISHED
JURISDICTION OF THE AUTHORITY?
The competent authority may process personal data in
for the purpose of issuing a public document - excerpt / certificate on the basis of
books in the case when there is an obligation established by law
authority to issue an appropriate public document. Possible consent
natural person for the processing of personal data cannot be
nor the basis for establishing the competence of the body if that
is notI already
established
by law. :
The Rationale
P OVERENIKA
Commissioner for Information of Public Importance and Data Protection
on the person received a request for an opinion on whether
giving a death certificate to a certain person, who is from the registry office
on the territory of the City of Belgrade requested "Raiffeisen Bank" a. d. White City,
which refers to the client of that bank, in accordance with the provisions of the Law on
protection of personal data.
In this regard, first of all, we emphasize that the Law on Data Protection
o personality system law that regulates the conditions for data processing o
persons and the rights of persons in relation to the processing of data,
personal data performed by public authorities in the performance of their duties
it regulates from its scope by special laws.
Competence to keep registers, including the issuance of
water and certificates on the basis of registry books, is regulated by the Law on
books.
Accordingly, from the point of view of the application of the Law on
Thus, the competent authority may process data on
personalities for the purpose of issuing a public document - excerpt / certificate based on
vu registries in the case where there is a statutory obligation
of that body to issue an appropriate public document. Possible consent
a natural person for the processing of personal data cannot be legal
basis for establishing the competence of the body if that competence
it is not already established by law.
B ROJ: 073-11-1733 / 2018-02 from 27 11 2018

Page 85

5. Frequently asked questions regarding specific cases of data processing

85

5.3. UNDER WHAT CONDITIONS IS THE PUBLIC SERVICE PROVIDER
HE CAN PUBLISH THE PHONEBOOK NUMBER
PHONE OF AN INDIVIDUAL?
The provider of the public telephone directory is obliged to do so
fees inform the subscriber of his intention to
will be included in a publicly available telephone directory in print or
electronic form, the purpose of the directory, the availability of personal
such through notification services as well as search capabilities
personal data by third parties through search functions
ge in electronic directory form. The subscriber has the right to, by
upon receipt of such notice, refuse to consent to the inclusion
personal data in a publicly available telephone directory. Provider
the public telephone directory service is obliged to obtain additional
the subscriber 's consent before enabling the use of data from
public telephone directory for purposes other than entering
tact with the subscriber through personal name and surname, respectively
the name of the subscriber or a minimum of his other identities
labels.
I The Rationale P OVERENIKA :
Commissioner for Information of Public Importance and Data Protection
about the person he received a petition from the person in which that person complained about it
to be frequently contacted by landline operators on behalf of the landline
different companies that offer him different products /
services, and product presentations at a nearby hotel.
In this regard, the Commissioner pointed out the following:
Article 5, paragraph 1, item 1 of the Law on Personal Data Protection
(ZZPL) stipulates that unless the opposing interesi persons, certain provisions of this law on processing conditions, as well as
on rights and obligations related to processing do not apply to processing
data available to everyone and published in the media and
publications or available in archives, museums and other similar
organizations.
Article 8, item 1 of the LPP stipulates that the processing of personal data
is not allowed if the natural person has not given consent for processing,
that is, if the processing is performed without legal authorization.
Article 22 of the LPP stipulates that a person has the right to receive from the operator
requires correction, addition, updating, deletion of data, as well as termination
and temporary suspension of processing if: 1) the purpose of processing is not clearly
woman; 2) the purpose of processing has been changed, and the conditions for processing have not been met
for that modified purpose; 3) the purpose of processing has been achieved, ie data

86

Page 86

Personal data protection:

they are no longer needed to achieve a purpose; 4) the method of processing is
elected; 5) the data belongs to the number and type of data whose processing is
moderate purpose; 6) the data is incorrect and cannot be replaced by a correction
correct; 7) the data is processed without the consent or authorization of the
leg in law and in other cases when processing cannot be performed
in accordance with the provisions of this law.
Further, Article 120, paragraph 1 of the Law on Electronic Communications
("Official Gazette of RS", No. 44/10, 60/13 - US decision and 62/14; hereinafter:
ZEK) stipulates that the provider of public telephone directory services
to be obliged to inform the subscriber of his / her intention free of charge
include personal data in a publicly available telephone directory in the
billboard or electronic form, about the purpose of the directory, the availability of personal
data through notification services as well as search capabilities
personal data by third parties through search functions in
electronic directory form. Paragraph 2 of the same article stipulates that
the subscriber has the right to, upon receipt of the notification referred to in paragraph 1 of this
member, refuses consent to the inclusion of personal data in the public
column directory. Paragraph 4 of the same article stipulates that
the person referred to in paragraph 1 of this Article is obliged to obtain additional consent
subscribers before enabling the use of data from the public telephone
directory for purposes other than contacting the subscriber
through the personal name and surname, ie the name of the subscriber
or a minimum of his other identity marks.
Article 121, paragraph 1 of the ECA stipulates that the operator is the provider
publicly available telephone services are obliged to: 1) make and keep up to date
public telephone directory with data of its subscribers; 2) both
provide users of its services with access to information and public
telephone directories.
Pursuant to the previously cited provisions of the LPP, it follows that the data
on the telephone number of a natural person that is determined or identifiable,
puts personal data, and the actions of processing the specified data
apply the provisions of the LPP.
Pursuant to the provisions of the ECA, fixed and mobile telephony operators,
as persons performing the activity of electronic communications, are obliged
are to maintain a publicly available electronic directory of subscribers for the purpose
getting in touch with them through personal name and surname, and to
at the request of the user, exclude it from the specified directory. Operators
are obliged to obtain consent from the subscriber for data processing
on the telephone number for purposes other than those prescribed by law.
Pursuant to the provisions of Article 5 of the LPP, on the processing of personal data
which are publicly available in the directory published by
communications ("White Pages"), the provisions of the Law on Public Procurement do not apply, so
is thus their use by all interested physical

Page 87

5. Frequently asked questions regarding specific cases of data processing

87

and legal entities for the purpose of contacting natural persons telephone numbers, allowed from the aspect of application of ZZPL,
because the same law does not apply to such processing. Quite the opposite,
if the person - the user of the telephone number, requested from the operator
to remove his data from the publicly available directory, a prerequisite
the permissibility of processing and using that data for the purpose of realization
contact, pursuant to the provisions of Article 8, item 1 of the LPP, has been previously
obtaining the consent of the person who uses that number for data processing
about personality.
B ROJ: 072-03-2429 / 2018-05 OF 8. 8. 2018

88

Page 88

Personal data protection:

5.4. DO SELLERS DURING COMPLAINTS - REPLACEMENT OF GOODS
DO THEY HAVE THE RIGHT TO LOOK FOR A BUYER's JMBG?
Sellers provide information on the personal identification number of the person making the replacement / complaint
goods are sought on the basis of Article 8 of the Rulebook on content and manner
recording of transactions by issuing a fiscal invoice, the manner of
bowing error in recording turnover through the fiscal cash register and
on the content and keeping of the book of daily reports. Bylaw
cannot be a valid legal basis for data processing, nor
la turnover and tax enforcement can be achieved and
other methods that do not compromise consumer privacy and
the right to the protection of their data, as JMBG is a complex
nor data that contains a large amount of personal information.
For these reasons, the Commissioner sent a letter to the Minister of Finance and
invited him to urgently reconsider the expediency of the prescribed solution in
Article 8 of the Rulebook and to amend it in accordance with its legal
powers.
I The Rationale P OVERENIKA :
The person addressed the Commissioner, complaining that during the refunbail in a retail facility was forced to, in addition
names and surnames, the seller and JMBG.
In this regard, the Commissioner pointed out the following.
Article 42 of the Constitution of the Republic of Serbia guarantees the
personal data, as well as the collection, holding, processing and
The use of personal data is regulated by law, while Article 8 of the Law on Personal Data
prescribes in which cases processing is allowed, ie that
the blacksmith may process only those data that are authorized by law
to collect or obtain authorization from the person from whom
plja data on the basis of his consent. The same article states
di that the controller collects data only for purposes that are by law
prescribed or for the purposes specified by the consent obtained, that it must
ensure the accuracy and timeliness of the data, to respect the principle of
(personal data are processed only in relation to the purpose of the
law or the consent of the person) and the principle of proportionality of processing
(only as much personal data is processed as needed
in a given case).
According to the above, from the point of view of ZZPL legal
basis for the collection and further processing of personal data may
be the legal authority or valid consent of the person in question
data word given in the manner and under the conditions prescribed by the provisions
Art. 10 and 15 of the LPP, while data processing is without the consent of the person (whose

Page 89

5. Frequently asked questions regarding specific cases of data processing

89

data processed), as an exception to the general rule, allowed only in
cases determined by the provisions of Art. 12th and 13th ZZPL.
Article 19, paragraph 1 of the Law on Fiscal Cash Registers (“Official Gazette
RS ", no. 135/04 and 93/12) provides, inter alia, that errors in
denoting turnover through fiscal cash registers that have not been eliminated until
the moment of giving the command to the fiscal cash register for printing the fiscal
clips can be corrected only if the purchased good is returned or returned to
the other way is the reclamation of goods after the issuance of the fiscal
clip.
This correction is made on the basis of the so-called. correction order (form
NI - Correction order) signed by the customer who makes the complaint/ replacement of goods, which is prescribed by the Rulebook on content and manner
recording of transactions by issuing a fiscal invoice, the manner of
errors in recording transactions through the fiscal cash register and the content of
and keeping a book of daily reports ("Official Gazette of RS", no
140/04), which has been in force since 1 January 2005.
Namely, the provisions of Article 8, paragraph 1 of this Ordinance prescribe that,
if the individual value or the total value of the purchased
bars that are returned or advertised for more than 500 dinars, in the form
NI must enter the name and surname of the buyer, his
JMBG, and the buyer is obliged to sign in his own handwriting. Paragraph 2 of the same article
it is prescribed that, if it has not acted in accordance with paragraph 1 of that
on, such a form is NOT valid, and in paragraph 3 yes for the goods that are returned
or otherwise advertised, and whose individual value is or
total value less than 500 dinars, data on the buyer and his
handwritten signatures are not required.
The Commissioner sent a letter to the Ministry of Finance in which he is
pointed out the established legal standards related to the protection of
such a person, in which the letter stated, inter alia, that the
traffic control and tax enforcement can also achieve other
methods that do not compromise consumer privacy and rights
to protect their data because JMBG is a complex data
which contains a large amount of personal information (date of birth,
place of birth or place of residence at the time
entry into force of the Law on JMBG, as well as the gender of persons). In addition, JMBG is
unique data for each person and his illegal processing can
lead to various abuses as a result of which the person concerned may
suffer material damage (in case of possible identity theft),
but his right to privacy may also be violated by
operation of such data only for the purpose of satisfying the
ze absolutely disproportionate to the purpose of processing.
The Commissioner called on the Minister of Finance to urgently review the
similarity of the prescribed decision in Article 8 of the Rulebook and to amend it

90

Page 90

Personal data protection:

in accordance with its legal powers, and in support of the said
vori and the decision of the Constitutional Court of Serbia I With no. 41/2010 of 6 July 2012no, published in the "Official Gazette of the RS", No. 68/12, which clearly indicates
that this court also takes the position that only the law and not the by-laws
they may regulate the collection, holding, processing and use
data.
B ROJ: 072-03-2670 / 2018-05 OF 12. 5. 2018

Page 91

5. Frequently asked questions regarding specific cases of data processing

91

5.5. CAN AN EMPLOYER PROCESS AND USE
PRIVATE INFORMATION OF THE EMPLOYEE FROM HIS
OFFICIAL MOBILE PHONE?
The employer can access the business, ie. official transcript
sci of employees which takes place by telephone (or electronic
mail) when necessary for security or other reasons
legitimate reasons (eg urgent performance of work, and employees
is not present), provided that the employees have been
are aware of such a possibility and that such an approach is
less invasive
way byPtheir
privacy. :
I The Rationale
OVERENIKA
The person asked the Commissioner if the employer had the right to
to review and comment on private data and information that
are in the official telephone of the employee.
The ZZPL regulates the conditions for the collection and further processing of data.
as a person and prescribe the rights of persons and the protection of the rights of persons whose
data is collected and processed. This Law is based on Article 42 of the
in the Republic of Serbia ("Official Gazette of RS", No. 98/06) conceived
as a law that protects one person, a person guaranteed by the Constitution
right - the right to protection of personal data of a specific person,
protection of that person's privacy.
Processing without consent, as an exception to the above,
is preferred to achieve or protect vital interes of a person or another person, and especially life, health and physical
integrity; for the purpose of fulfilling obligations determined by law, act
enacted in accordance with the law or a contract concluded between the persons
and the operator, as well as for the preparation of the conclusion of the contract; for the purpose of
purchasing funds for humanitarian needs and in other cases
determined by this law, in order to achieve the predominantly justified
interests of the person, operator or user, as prescribed by Article
12. ZZPL.
Except for the legal basis, for lawful data processing, in terms of article
8. ZZPL, it is necessary that the purpose of processing is clearly defined and allowed,
that the data being processed be necessary and suitable for realization
for this purpose, that the data processed be true, accurate and collected
nor from a credible source. Also, it should be applied accordingly
measures to protect personal data from any possible misuse.
The question you asked, is the employer entitled to this cocancer, refers to the legality of the processing of personal data of employees
by the employer, by controlling the use of the official mobile

92

Page 92

Personal data protection:

telephone (or control of e-mail accounts, video surveillance
rom, by monitoring the movement of official vehicles via GPS devices, etc.).
In principle, the data that the employer would process in the described way,
represent personal data of employees, and to process them
was allowed, it is necessary that there is a valid legal basis for it,
and that it is about the processing of data whose number and type are suitable for
the intended, permitted processing purposes. Principles of proportionality i
expediency in processing are particularly relevant in the present case.
tea, when there is an essential inequality between the subject who performs
processing (employer) and persons whose data are processed (employees).
Applying the above principles, we conclude that it is permissible to
only those personal data that are really needed and
for the purpose of processing, while respecting the
leg of the “reasonable expectation of privacy” standard, which implies
that the employee has the right to privacy and when in the workplace, and
that the employer must inform and inform him about the processing of data
about the person at the workplace and on the occasion of the workplace, before
of such processing. Informing the employee is especially important to
the employee could adjust the behavior and expectations, depending on
from the specific processing performed by the employer (eg the employee will not
use an official mobile phone for private purposes if
has been informed that the employer will process call data from
listing, etc.). The employer is authorized to determine the most suitable
the manner of informing the employee, and his form (employment contract,
rulebook, decision, etc.) is not relevant, while the content
prescribed by Article 15. ZZPL.
The employee is obliged to follow the instructions of the employer in
regarding the assigned official mobile phone (or electronic
e-mail and the use of technical means), and even to be in
completely refrain from using them for private purposes, if
this requires a specific work process and safety aspect of everyday
work tasks, especially if explicitly warned about
that, or signed a statement that the given resources will be used exclusively in
business purposes.
The employee should be informed about the above beforehand
starting work with the employer, in order to and on the basis of the presented
voa “reasonably expected privacy” could appreciate acceptability
the job offered to him or for which he applied.
Of course, if this is not the case before and if he is an employer
aware of the possibility that employees through the assigned official order
receives and sends e-mails or official mobile phones
private mail or text messages, search for official mail
What / SMS messages and insight into them should be done in

Page 93

5. Frequently asked questions regarding specific cases of data processing

93

the presence of that employee in order to eliminate the danger to a third party
inspect private correspondence.
Namely, employers are allowed to collect only those
personal data that are of immediate importance for the execution of
work process and are necessary for the realization and assumption of obligations and
employment responsibilities. In fact to the official phone
or an official e-mail order and technical resources
to the employee for the purpose of fulfilling and realizing the obligations arising from
employment contract, from the employer's perspective is reasonable and justified
the expectation that employees will use them, above all, for execution
work obligations.
In the case of official communication, in accordance with
of the Committee of Ministers to member states of the Council of Europe CM /
REC (2015) 5, the employer can access the business, ie. official
employee correspondence that takes place over the telephone (or electronic
when necessary) for security or other reasons
legitimate reasons (eg urgent performance of work, and the employee is not
present), with the previous condition that the employees are informed in advance about
such a possibility and that such an approach is performed on the least invasive
way by their privacy.
In this regard, we point to the judgment of the European Court of Human Rights
rights of 5 September 2017, which, in the appellate proceedings at the first
degree of judgment in the case of Barbulescu ro iv Romania , Grand Chamber
that court ruled that the national courts were not adequately balanced
lived the interest of the employee, ie. his right to privacy, and interes of the employer to monitor communications sent from the workplace. Tawhere, as a conclusion, the Grand Chamber concludes that the national courts
did not assess the relevant factors in the particular case
- whether the employer has previously informed the employee that he will supervise
his business communications; whether monitoring is business
employee communications justified; whether there were less invaliving measures that the employer could apply to achieve
same goal; and the need for disciplinary action taken against
employee. More details about this decision, during the mentioned procedure and
relevant facts can be found at: https://hudoc.echr.coe.int/
eng # {“itemid”: [“001-177082”]}.
B ROJ: 072-03-6925 / 2018-05 from 4 12th 2018

94

Page 94

Personal data protection:

5.6. IS THE COMMISSIONER RESPONSIBLE TO REACT IN CASE
WHEN IS THE ILLEGAL PROCESSING OF PERSONAL DATA
COME ON THE SOCIAL NETWORK FACEBOOK?
In situations when it comes to possibly illegal processing
personal data via the social network Facebook , authorized
The Commissioner's actions are limited by territorial application
Law on Personal Data Protection. The commissioner couldn't
to take measures and activities within its competence
determined by the Law on Personal Data Protection, ie yes
from a foreign legal entity Facebook Inc. based in the United
States of America, obtain relevant information and
formations.
I The Rationale P OVERENIKA :
The person addressed the Commissioner for Information of Public Importance
and protection of personal data, stating that his former
the employer abused his personal profile on the social network
Facebook by printing a picture without his knowledge and stating it
as evidence of disciplinary proceedings, and requested that the Commissioner
measures within its competence.
In this regard, the Commissioner pointed out the following.
Article 3, item 1 and 2 of the LPP, it is prescribed that the data on the person
any information relating to a natural person designated
or determinable regardless of the form in which the information carrier is
macije. In accordance with the above, a photograph of a person represents
personal data. Item 3 of the same article prescribes that processing
data any action taken in relation to personal data, in which
including photography and publishing.
In the present case, according to the application,
of the Facebook social network, the process of processing the publication of
so about the personality contained in the photograph.
Pursuant to the provisions of Article 8, item 1 of the LPP in order to process data on
personality was allowed, it requires a data controller
has the legal authority or consent of the person regardless of whether
is a data controller that performs processing by a legal entity, or as such
here the case - a natural person (Article 3. Article 5. ZZPL). As described
In this case, according to the petition, it is a matter of publishing data
on a person without consent, in principle such processing would be considered
beloved, because there would be no valid legal basis for it.
The same article, in point 2, prescribes that processing is not allowed if
performs for a purpose other than that for which it is intended regardless

Page 95

5. Frequently asked questions regarding specific cases of data processing

95

whether it is performed on the basis of the consent of the person or legal authorization
for processing without consent (here initiating disciplinary proceedings).
However, bearing in mind that in this particular case it is a matter of processing
personal data via the social network Facebook , authorizations
The Commissioners in the present case are limited to the territorial
by applying the Law on Personal Data Protection, because the Commissioner
could not take measures and activities within its competence
values ​determined by this law, ie from a foreign legal entity
Facebook Inc. based in the United States
deals with relevant data and information. This means that the Commissioner in
in the present case he is unable to establish in an indisputable manner
whether it is really an unauthorized processing of personal data that
was committed by a natural person from the petition, nor is he able to
take the measures prescribed by law in order to eliminate any
irregularities.
B ROJ: 072-03-53 / 2018-05 OF 9. 1. 2018

96

Page 96

Personal data protection:

5.7. IS IT ALLOWED TO PUBLISH BIOGRAPHIES OF EVERYONE
TEACHERS WHO LEFT THE FACULTY WORK
PUBLICATION PREPARATIONS?
For publication in the publication of biographies of natural persons teachers who left the faculty for various reasons,
from the point of view of application of the Law on Personal Data Protection,
there should be the consent of the data subject, given in
in accordance
with PArt.
10 and 15 :of the Law on Personal Data Protection.
I The Rationale
OVERENIKA
Commissioner for Information of Public Importance and Data Protection
on the person received a letter from the Faculty of Medicine in Belgrade, in which
It was stated that on the occasion of marking 100 years of work, the faculty
rava to prepare publications in which biographies will be published
of all teachers who were in the period 2005–2020. left the facult for various reasons (deceased, pension, dismissal, etc.). With that
in this connection, the opinion of the Commissioner on whether it is necessary was requested
obtaining the consent of the teacher whose data will be
published and published, since the Law on Personal Data Protection
does not apply to data that is available to anyone and published in
public media and publications, or accessible in museums, arhivama, etc. ,, a „certain data related to the biographies of teachers
they were already available to the public by publishing in papers on occasion
election to certain titles. "
In this regard, the following is indicated.
Conditions and manner of processing personal data for the purpose of issuing
are not regulated in a special way by the regulations from the jurisdiction
Commissioner (Law on Free Access to Information and Law on
protection of personal data), so this body is not competent to provide
information on how and under what conditions you can
data for this purpose.
Therefore, from the point of view of the competence of the Commissioner, regarding the application
Law on Personal Data Protection, in principle, we point out the following.
Any action taken in relation to data relating to fia natural person whose identity is determined or identifiable
work of personal data, which, in accordance with the provisions of Article 8 of the Law
on the protection of personal data, is not allowed if a natural person
did not give consent for processing, ie if it is done without law
powers; if it is performed for a purpose other than that for which it was determined;
if the purpose of the processing is not clearly defined, if it is changed, it is not allowed
or already achieved; if the data subject is specific or

Page 97

5. Frequently asked questions regarding specific cases of data processing

definable even after the purpose of processing has been achieved; if the method of processing
impermissible; if the data being processed is unnecessary or
a dream to accomplish the purpose of processing; if the number or type of data being
process disproportionate purposes of processing; if the information is untrue and
complete, ie when it is not based on a credible source or is
obsolete.
So that the processing of personal data would be allowed in the sense
Law on Personal Data Protection, should be done within the limits
legal authorization - when it comes to processing without consent, ie in
limits of consent of a natural person - when processing is performed on the basis of
consent. The operator can also process only those data on
persons who are necessary, suitable and proportionate to the purposes of processing.
The provision of Article 5, paragraph 1, item 1 of the Law on Data Protection o
persons are prescribed to, unless the opposite is clearly prevalent
interests of persons, certain provisions of that law on processing conditions,
as well as on the rights and obligations related to processing do not apply, in between
among other things, to the processing of data available to everyone and published in
public media and publications or accessible in archives,
zejima and other similar organizations.
The fact that “certain data related to teacher biographies
ka ”, as you state, were already available to the public by publishing in the
during the election to certain titles, is not relevant in the specific
in this case, because the purpose and legal basis of the processing are different.
From all the above, it follows that, in order to biographies of the physical
persons could publish in the publication, from the point of view of application of the Law
on the protection of personal data, there is a need for consent
persons to whom the data relate, given in accordance with Articles 10 and 15.
law on personal data protection.
We note that this opinion is of a principled nature and does not
provides instructions for action in any particular case. This
because the Commissioner is the body that supervises the application of the Law
and the second instance body in the procedure of exercising the rights of natural persons in
in connection with the processing of personal data, and accordingly,
movable issues of a particular case can be occupied only in the proceedings
for the implementation of which he is competent.
B ROJ: 073-11-1030 / 2018-02 from 10 7 2018

98

Page 98

Personal data protection:

5.8. DOES THE EMPLOYER NEED CONSENT?
EMPLOYEES TO PROVIDE THEIR DATA
SALARY AGENCY?
Legal entity in the capacity of employer, for the purpose of enforcing the law
obligations regarding the calculation and payment of wages to employees, can
with a company or entrepreneur (who as a
performs accounting services) to conclude a contract
vor on the calculation of wages for employees. In other words, the employer,

97

in the capacity of a manager, he entrusts certain tasks in the relationship with a contract
with the processing of data to the accounting agency in the
đivača. In such a situation, the operator does not need consent
persons, in accordance with the Law on Personal Data Protection, but are also
operator (employer) and processor (accounting agency)
i) are obliged to undertake all technical, personnel and organizational
data protection measures, in accordance with established standards and
procedures, which are necessary to protect data from
battle, destruction, illicit access, change, publication
and any other abuse, as well as to establish the obligation of the persons who are
employed
in processing,
to keep the
I The Rationale
P OVERENIKA
: data confidential.
Commissioner for Information of Public Importance and Data Protection
on the person received a request to give an opinion on whether the company
which abolishes the payroll service has the right to employee data
(JMBG, account numbers, salary amounts, etc.) handed over to a third party, ie. agency
to process them without the written consent of the employees.
Pursuant to Article 16, item 1 of the Labor Law ("Official Gazette of RS",
no. 24/05… 113/17) the employer is obliged to give the employee for the performed
work pays the salary, in accordance with the law, the general act and the contract on
work in. Article 121 of the same law prescribes the obligations of the employer in
nose on payroll and salary compensation. The said law does not contain
a provision obliging the employer to calculate wages within
its business and organizational structures.
Furthermore, Article 15, paragraph 1 of the Law on Accounting (“Official Gazette
snik RS “, No. 62/13), it is prescribed that the keeping of business books and
submission of financial statements by a legal entity, ie an entrepreneur
may entrust the contract in writing, in accordance with the law,
valuable company or entrepreneur, who have a registered
activities for the provision of accounting services . Paragraph 2 of the same
Article stipulates that the provision of paragraph 1 of this Article does not apply to
National Bank of Serbia, banks and other financial institutions over

Page 99

5. Frequently asked questions regarding specific cases of data processing

99

which, in accordance with the law, are supervised by the National Bank of Serbia, companies
for insurance, financial leasing providers, voluntary pension
funds, voluntary pension fund management companies
ma, investment funds, investment management companies
funds, stock exchanges, broker-dealer companies and factoring companies.
Article 42 of the Constitution of the Republic of Serbia ("Official Gazette of RS", no
98/06) the protection of personal data is guaranteed, and the collection,
Harvesting, processing and use of personal data are regulated by law.
For lawful data processing, in terms of Article 8 of the LPP, necessary
is that there is consent to the processing or that the processing is carried out on the basis of
legal authority for the purpose for which it was determined regardless of whether
whether it is performed on the basis of the consent of the person or the legal authorization for
processing without consent, that the purpose of processing is clearly defined and allowed,
that the data being processed be necessary and suitable for realization
for this purpose, that the number and type of data be proportionate to the
the data being processed are true, accurate and collected from the
standing source and to apply appropriate data protection measures
about the person from every possible abuse.
Article 8, paragraph 1, item 1 of the LPP stipulates that data processing
on a person is not allowed if the natural person has not given consent for
processing, ie if the processing is performed without legal authorization.
As an exception to the above, Article 12 of the LPPP prescribes that processing
personal data without the consent of the person allowed to
protect or protect the vital interests of a person or another person,
and especially life, health and physical integrity; for the purpose of execution
obligations determined by law, by an act passed in accordance with the law or
by a contract concluded between the person and the operator, as well as for the purpose of preparation
conclusion of contracts; for the purpose of raising funds for humanitarian
in other cases determined by this Law in order to achieve
the predominant legitimate interest of the person, operator or user.
Article 3, item 5 of the LPPP stipulates that the data controller is
natural or legal person, ie the authority that processes the data,
while point 8 of the same article stipulates that the data processor is
natural or legal person, ie a public authority, to which the
vu of the law or contract entrusts certain tasks related to processing.
Article 47 of the LPP stipulates that the data must be
yesterday protected from abuse, destruction, loss, unauthorized
change or approach. The operator and the processor are obliged to take action
technical, personnel and organizational data protection measures, in
du with established standards and procedures, which are necessary to
data shall be protected against loss, destruction, unauthorized access
so, changes, publications and any other abuse, as well as to determine
the obligation of the persons employed in the processing to keep the data confidential.

100

Page 100

Personal data protection:

From the above provisions of the Labor Law and the Accounting Law
it follows that a legal entity in the capacity of an employer, for the purpose of enforcement
legal obligations regarding the calculation and payment of salaries to employees,
may be with a company or entrepreneur (who as a
to perform accounting services) to conclude a contract on
payroll for employees.
In this situation, the employer, in his capacity as operator,
Roma transfers certain tasks related to data processing to
news agency, in its capacity as processor. In this regard, the
cu does not require the consent of the person, according to ZZPL, but they are also the operator
(employer) and processor (accounting agency) are obliged to
take all technical, personnel and organizational measures for protection
data, in accordance with established standards and procedures, which are
necessary to protect data from loss, destruction, inadmissibility,
access, change, publication and any other abuse,
as well as to determine the obligation of the persons employed at the processing to keep
confidentiality of data.
B ROJ: 072-03-2034 / 2018-05 from 19 4th 2018

Page 101

5. Frequently asked questions regarding specific cases of data processing

101

5.9. WHAT NEEDS TO BE REGULATED BY THE TRANSFER CONTRACT
DATA IF THE CLOUD TECHNOLOGY IS USED ?
Use of software services and product packages
them on cloud technology is characterized, among other things, by the fact that
personal data can be processed in multiple locations and in multiple
state, so the contract should also contain information on which
data would
be stored
in locations in: other countries.
I The Rationale
P OVERENIKA
The company addressed the Commissioner for Information from
of public importance and protection of personal data by a request for interpretation
Of the Law on Personal Data Protection in relation to newspapers
letter group (FMC) plans to introduce in its information system
stem. In his reply, the Commissioner stated, inter alia:
Processing operations such as removal, transfer, relocation, storage
personal data, as well as other actions defined in the article
3, paragraph 1, item 3 of the Law on Personal Data Protection (hereinafter:
con), represent the processing of personal data. For each of these
there must be a legal basis, in the form of legal authority or
the consent of the natural person for the processing of data relating to him,
which must cover all actions to be taken
in relation to the data being processed.
If the intended processing you mention would be processing
personal data (Article 3, item 3 of the Law), a legal entity
blacksmith of registered collections in the Central Register of Commissioners either
should, before commencing such processing, submit to the Commissioner
a notice of intent to establish a collection containing that information
check the legality of such processing (Article 49, paragraph 1 of the Law), ie
to change the records on the already existing collection for the purpose of enrollment in the Central
register (Article 51 of the Law).
In that situation, the operator would have to take care not only of the
the possibility of such processing (Article 8 of the Law) than other obligations
arising from the Act. In case they are regulated by a contractual relationship
mutual relations, this includes the obligation of the controller and processor from
on the 47th Law to take technical, personnel and organizational measures
protection of personal data from misuse, destruction, loss,
authorized changes or access to transmitted data and to identify both
connections of persons employed in processing to keep data confidential.
If the controller of personal data collections in Serbia decides to
uses the Microsoft Office 365 platform (in accordance with the
agreement between the parent company and Microsoft), which

102

Page 102

Personal data protection:

based on cloud technology, depending on the type of services offered
with which they would be used, based on the elements of a specific contract
can determine whether it would be performed using certain services
processing and even presentation of personal data from the Republic of Serbia.
When it comes to presenting personal data from the Republic
Serbia, the Law in Article 53 prescribes the regime of presenting these data and
situations in which the disclosure of personal data requires
you the permission of the Commissioner.
Rights and obligations of the operator, who intends to provide information on
persons from the Republic of Serbia and another entity to whom the data are
bear, must be regulated by the contract (in terms of the type of data,
processing purposes, processing operations, types of users to whom the data will be
available, duration of processing and data protection measures).
It should also be borne in mind that the use of software packages
it and products based on cloud technology are characterized by
and that personal data can be processed in more detail
location in several countries, so the contract should also contain information
about where they would be stored in other states
the data.
B ROJ: 073-11-1284 / 2018-02 OF 10. 9. 2018

Page 103

5. Frequently asked questions regarding specific cases of data processing

103

5.10. UNDER WHAT CONDITIONS CAN DATA BE PROCESSED
ABOUT CLIENTS OF TELECOMMUNICATION OPERATORS
IN THE CREDIT BUREAU
The processing of personal data in the Credit Bureau is not regulated.
legally, and consequently there is no obligation to telecommunications
cation operators to provide data on their customers
To the credit bureau to assess their creditworthiness. In other wordsHowever, there is no legal basis in law for the processing of personal
in the Credit Bureau, so the legal basis for their processing can
be only the consent of the person. However, having in mind the type, the scope
and the number of personal data that are otherwise processed in Credit
bureau, and an extremely large number of persons whose data are processed, a
taking into account the purpose of the data processing in it (
the solvency faith of borrowers and borrowers
banks, leasing houses; fraud prevention etc.), legitimate
interest of different economic entities to perform such
labor, as well as the wider social interest, the principled position of the
as if the processing of personal data in the Credit Bureau would have to
to be regulated by law, including the processing of data that would
teleoperators should have enabled the Credit Bureau about their
clients.
I The Rationale P OVERENIKA :
Commissioner for Information of Public Importance and Data Protection
on the person (hereinafter: the Commissioner) received a joint letter
telecommunication operators in the Republic of Serbia - "VIP mobile",
"Telekom" and "Telenor" asked for an opinion on whether it is
in accordance with the Law on Personal Data Protection,
customer data of telecommunications operators to the Credit Bureau.
The competence of the Commissioner is prescribed by the provisions of Article 35, paragraph 1.
Law on Free Access to Information of Public Importance (“Official
Official Gazette of RS ", no. 120/04, 54/07, 104/09 and 36/10) and Article 44 para
1. Law on Personal Data Protection ("Official Gazette of RS", no.
97/08 and 104/09 - dr. law, 68/12 - US decision and 107/12). About that,
first of all, it should be borne in mind that the Commissioner is a second instance body in
procedures for exercising the right to access information from the public
importance and supervisory and second instance body in the field of data protection
as a person and exercising the right to protection of personal data.
Accordingly, the Commissioner is not authorized to
the attitude that refers to acting in a specific situation takes
attitude, because it would prejudge his decision in case it comes to someone

104

Page 104

Personal data protection:

from the proceedings for which he is competent. Also, the Commissioner, as supervisual authority in the field of personal data protection, is not authorized
to instruct data controllers on how to proceed. Therefore it will
The commissioner give only a principled opinion.
Article 42 of the Constitution of the Republic of Serbia guarantees the protection of personal data.
. Paragraph 2 of the same article stipulates that the collection, holding,
processing and use of personal data is regulated by law. For any
what processing of personal data should have a legal basis.
The legal basis for the processing of personal data may be legal
Authorization to process personal data implies that the controller
authorization
consent
the person
whose
are processed. Legally
(natural or legalorperson,
ie of
a public
authority
thatdata
processes
ke) the legal basis for their processing draws from the legal norm itself which
authorizes him to do so.
The processing of personal data in the Credit Bureau is not regulated
by law, and consequently there is no obligation of telecommunications
operators to submit data on their clients to the Credit
rou to assess their creditworthiness. In other words, the law does not
there is a legal basis for the processing of personal data in the Credit Bureau,
so the legal basis for their processing can only be the consent of the person.
However, having in mind the type, scope and number of personal data
which are normally processed in the Credit Bureau, and an extremely large number
persons whose data are processed, taking into account the purpose of
de data in it (checking the solvency of the persons taking the loan
and who borrow from banks, leasing companies; fraud prevention and
etc.), the legitimate interest of various economic entities to be carried out
such processing, as well as the wider social interest, is a principled position of the
that the processing of personal data in the Credit Bureau would have to
be regulated by law, including the processing of data
rator should provide in the Credit Bureau about their clients.
As it has already been said, due to the lack of an explicit legal one
processing authorizations, personal data can only be processed with
the consent of the data subject, which is given in accordance with
provisions of Art. 10 and 15 of the Law on Personal Data Protection. To
consent to the processing of personal data was considered a valid
basis for the processing of personal data, the declared will by which
gives consent for data processing must meet certain conditions.
First of all, the declaration of will must be freely given, ie. we must not be given
under threat, deception, coercion or delusion. It has to be special,
ie. given for a specific purpose and informed, which means that the person
giving consent has enough information to guarantee that it
gives informed consent to the processing of its data. The face of the sea
to know who the data controller is, what types of data he processes, in which

Page 105

5. Frequently asked questions regarding specific cases of data processing

105

purposes, how they will be used, how long they will be stored
data, etc. Law on Personal Data Protection in Article 15, paragraph 1.
exhaustively lists what information the one who wants to process
data must be given to the data subject. At the same time, the way
informing the person whose data are processed, ie whose data will be
ci process, must be clear, understandable and unambiguous, so that
and a person who is a complete layman and has no knowledge within the scope of work
data controller, can understand everything that is important to him
the decision whether to agree to the processing of his personal data. Informations must be given directly to the person whose data are being processed.
Instructing the controller that the conditions for data processing are available
in a public place (on a bulletin board, on the Internet, etc.)
willingly. Finally, consent must be unambiguous. Consent
for a person who is not capable of giving consent is given by his guardian
or legal representative, and the consent given may be revoked, and after
revocation further data processing becomes impermissible.
If interested actors make the decision to Credit
make available to the bureau information about their clients
đu teleoperators, then the text of the consent of the person to process his
data in the Credit Bureau must contain information that yes
the verification of his possible debts will also be performed in the databases
teleoperator data. Also, in that case, you should take into account Fr.
all other principles of personal data processing, and in particular
lu proportionality, ie. to process only as much personal data
how much is needed to achieve the purpose of processing.
B ROJ: 011-00-01332 / 2016-02 from 17 11 2016

Page 107
106

6. Cases of grave breaches of rights

Page 109
108

6. Cases of grave breaches of rights

109

6.1. PIO FUND - ILLEGAL PROCESSING OF PERSONAL DATA
BENEFICIARIES OF THE ELDERLY, DISABLED AND FAMILY
PENSION
Commissioner for Information of Public Importance and Protection of
personal data filed a criminal complaint with the First Primary
Public Prosecutor’s Office in Belgrade against an unidentified official in
public pension and disability insurance fund due to
standing grounds for suspicion that in Belgrade, during November 2018,
personal data of more than 1,700,000 users of age, invalid and survivors ’pensions in the Republic of Serbia, and their
names, surnames and residential addresses, as personal data
which are collected, processed and used in the Republic Fund for
pension and disability insurance based on the Pension Act
and disability insurance, in the performance of the service, unauthorized
dealt with and communicated to the Serbian Progressive Party, and that information is
party used to send letters to pension beneficiaries, which
is the purpose for which these data are not intended by law, which is done
criminal offense of unauthorized collection of personal data from
Article
146, paragraph
3 in conjunction
paragraph
1 of the Criminal Code.
I FROM
THE EXPLANATION
OF THEwith
CRIMINAL
REPORT:
Since 15 November 2018, the Commissioner has been addressed by several citizens of
of the Serbian public, who state that they are pension beneficiaries, and that
as soon as the letter addressed to them (name, surname and address) arrived,
from the contents of which it is concluded that it was sent to the pension beneficiary, which
signed by the President of the Republic of Serbia, Aleksandar Vučić,
com of the Serbian Progressive Party on the envelope. Some of these persons
de that the letters were also addressed to their minor children, as beneficiaries
survivors' pensions.
On this occasion, the Commissioner initiated the supervision procedure according to
Republic Pension and Disability Insurance Fund, President
to the Republic of Serbia and the Serbian Progressive Party.
Asked whether he had made it available to the Serbian Progressive Party,
information on names to the President of the Republic of Serbia or a third party,
surnames and addresses of pension beneficiaries in the Republic of Serbia, and
what is the legal basis and purpose of making this information available,
Blic fund for pension and disability insurance even in addition to the sent
urgency did not respond to the Commissioner by the date of submission of this
skillful applications.
When asked whether, in what way and when he obtained information on
names, surnames and addresses of the pension beneficiaries they received

110

Page 110

Personal data protection:

the subject letter, and on what legal basis the subject data are
obtained, the General Secretariat of the President of the Republic
he told the Commissioner by an act dated 20 November 2018 that he had not obtained it
subject data.
When asked if, how and when she obtained information about
names, surnames and addresses of pension beneficiaries who have received
the letter in question, and on what legal basis the data in question were
engaged, the Serbian Progressive Party responded to the Commissioner by an act of
On November 19, 2018 (attached) that these data “[...] were obtained from the database
membership of the Serbian Progressive Party, as well as through VDV actions and stands
which we have been conducting for the last ten years. Data were obtained
in accordance with Article 10 of the Law on Personal Data Protection. Faces from
whose data were taken gave valid consent for the processing of personal
data to foreigners as the controller of the collected data. "
On November 16, 2018, the Commissioner received an anonymous email from the Service
for postal network number 2018-173422 / 2 which states that it is a subject
"Delivery of addressed direct mail of the user Srpadvanced parties ", and that the user of the Serbian Progressive Service is their user
the party notified the shipment of about 1,700,000 shipments addressed
direct mail, which will be successively handed over at 11200 Belgrade
1 c. Then the delivery plan and instructions on the quality of delivery are given
at the highest level, and that it is necessary for all postmen and controllers to
put them acquainted with the importance of quality delivery of these shipments.
On this occasion, the Commissioner, in order to determine the extent of processing
data on the person who is the subject of this supervision, on November 19, 2018
requested a statement from the PE “Post of Serbia” (attached) whether
thinner authentic content of the document.
PE "Post of Serbia" by its act of November 20, 2018 (attached)
replied that the photographic presentation of the text “[...] is a credible
the content of the document of this public company ... ”, and that the same text“ [...]
puts part of the Notice No. 89 of 14 November 2018, which was made in
RJ 'Novi Sad' and sent to organizational units under the jurisdiction of this
work units ... “.
On the website of the Republic Fund for Pension and Invalid insurance, at the web address https://bit.ly/2DYzvY8, there is
Monthly statistical bulletin for September 2018. On page 4
This report shows the total number of pension beneficiaries for September
2018, classified by categories (age, disability and
relative pension), which amounts to 1,712,869 (one million seven hundred and twelve
one thousand eight hundred and sixty-nine).
Article 42 of the Constitution of the Republic of Serbia states that it is guaranteed
protection of personal data, to be collected, held, processed and
the use of personal data is regulated by law, that it is prohibited and

Page 111

6. Cases of grave breaches of rights

111

punishable use of personal data beyond the purpose for which they were
confiscated, in accordance with the law, except for the purposes of
security protection of the Republic of Serbia, in the manner
by law and that everyone has the right to be informed of what is collected
information about his personality, in accordance with the law, and the right to a court
protection due to their abuse.
Article 3 of the Law on Public Procurement stipulates the following: personal data is each
information relating to a natural person regardless of the form in
to which it is also expressed on an information carrier (paper, tape, film,
electronic medium, etc.), by whose order, in whose name, or for whose account
the information is stored, the date the information was created, the
information storage, way of finding out information (directly,
listening, watching, etc., or indirectly, by inspecting the document in
jem is information contained, etc.), or regardless of another property
information (point 1); a natural person is a person to whom the
tak, whose identity is determined or determinable on the basis of a personal name,
unique personal identification number, address code or other
the basis of his physical, psychological, spiritual, economic, cultural
leg or social identity (item 2); data processing is each
action taken on data such as: collection, recording
copying, duplicating, copying, transmitting, searching,
sorting, storage, separation, cross-linking,
nje, upodobljavanje, menjanje, providing, using, putting on
insight, discovery, publication, dissemination, recording, organization,
adaptation, detection, transmission or otherwise
making available, concealing, relocating and otherwise making
not available, as well as the implementation of other actions in connection with the above
data, whether done automatically, semi-automatically
or otherwise (item 3); an authority is a state body, an authority
territorial autonomy and local self-government units, ie
another body or organization entrusted with the exercise of public
puppies (item 4); the data controller is a natural or legal person
nasno authority that processes the data (item 5); data collection
is a set of data that is automated or non-automated
and are available on a personal, subject or other basis, independently
from the manner in which they are stored and the places where they are stored (item 6).
Article 8 of the LPP prescribes that processing is not allowed if: physical
the person did not give consent for processing, ie if the processing is performed without
legal authority (item 1); is performed for a purpose other than that for
which is determined, regardless of whether it is done on the basis of consent
persons or legal authorization to process without consent, unless
performs for the purpose of raising funds for humanitarian needs from the article
12. item 2a and Article 12a of this Law (item 2).

112

Page 112

Personal data protection:

Law on Pension and Disability Insurance (“Official Gazette
snik RS ", no. 34/03, 64/04 - decision of the USRS, 84/04 - dr. law, 85/05,
101/05 - dr. Law, 63/06 - USRS Decision, 5/09, 107/09, 101/10, 93/12,
62/13, 108/13, 75/14, 142/14 and 73/18) prescribes: the fund maintains the parent company
records on insured persons, contributors and copensioners of rights from pension and disability insurance (Article 125.
article 1); fund automatically electronically from official records
of state bodies and organizations takes over the following data: 1)
unique personal identification number of citizens, surname and name and history of
change of this data with the date of change, record number for
non-citizens, name of one parent, gender, gender reassignment, day, month and
year of birth, citizenship, day, month and year of conclusion,
sno termination of marriage, day, month and year of death; 2) municipality, place
and address of permanent or temporary residence, temporary residence in
abroad, the history of residence or stay with
volume of completed applications, possession of biometric documents ...
Data is downloaded electronically by connecting databases
official records of bodies and organizations referred to in paragraph 1 of this Article, without
consent of the person, and data protection is provided in accordance with
and the general act of the Fund (Article 127); entered in the registry
data on: 1) insured persons; 2) beneficiaries of pension rights and
disability insurance; 3) taxpayers of pension contributions
physical and disability insurance (Article 128); data entered into the master
records in the manner prescribed by this law shall be kept in electronic form
form, in accordance with the law. At the request of the insured, the Fund issues these
reprint of the data referred to in paragraph 1 of this Article (Article 147). Data contentthey are also used in statistical records for statistical research.
The Fund shall publish the data referred to in paragraph 1 of this at least once a year
member. The data contained in the registry records are provided to others
state bodies and organizations, ie local
self-government, in order to perform the entrusted tasks at their request,
legal entities through which payments are made to users, as well as
legal entities for whose account the payment of pension is suspended, in
in accordance with the business cooperation agreement. Data protection from matical records are provided in accordance with the law and regulated by the general
by an act of the Fund (Article 149).
Article 146, paragraph 3 in conjunction with paragraph 1 of the Criminal Code (“
Official Gazette of RS ", no. 85/05, 88/05 - corrected, 107/05 - corrected, 72/09,
111/09, 121/12, 104/13, 108/14 and 94/16) stipulates that it will be officially
a person in the performance of the service, what personal data are collected,
process and use on the basis of the law of unauthorized acquisition, he announced
another or use for a purpose for which they are not intended, punish up to three
years in prison.

Page 113

6. Cases of grave breaches of rights

113

Given all the above circumstances, the Commissioner has grounds for
suspicion that in the actions of one or more unidentified officials of the Republic
which pension and disability insurance fund has all the elements
of the criminal offense under Article 146, paragraph 3 in connection with paragraph 1 of the Criminal Code, ie yes
is a complete collection of data containing names, surnames and
housing for pension beneficiaries (elderly, disabled and family
nih) of this fund ceded to unauthorized persons and used in
purposes for which the data are not intended, and for that act it is to an official
in the performance of the service, a sentence of up to three years in prison, and from the same
reasons and files this criminal complaint.
B ROJ: 072-04-6823 / 2018-07 OF 3. 12. 2018

114

Page 114

Personal data protection:

6.2. "SELECTED DOCTOR" APPLICATION
The Commissioner for Information of Public Importance and Data Protection
On July 20, 2018, he sent a letter about the person to the Higher Public
Prosecutor's Office in Belgrade, Special Department for High Technology
crime, in which he pointed out that the Ministry of Health
of the Republic of Serbia announced that on May 30, 2018, the
plant application called "Chosen Doctor", which should
to enable the scheduling of medical examinations for citizens at their own
selected doctors, as well as insight into their previous medical preregarding, and their health insurance status. As the owner of the application
cation is a private company, registered as d. about. o., whose
the status is problematic and whose subjectivity is unclear. Access
data from health documentation in the application enabled
is only based on a valid LBO, which is an unsafe form
processing, which allowed each user of the application to use
at the request of another's LBO, he obtains information about that person. Namely, to the valid ones
LBO other people anyone can come by a simple search on
internet, using CROSO, and internet tools that, based on
Luna's
algorithm,
huge THE
number
of valid LBOs.SENT TO THE HIGHER PUBLIC PROSECUTOR'S OFFICE
AND
FROM Agenerate
LETTER aFROM
COMMISSIONER
IN B EOGRAD :

Commissioner for Information of Public Importance and Data Protection
on the person (hereinafter: the Commissioner) initiated, upon release in
operation of the mobile application "Selected Doctor", and in accordance with the authorizations
from Article 54 of the Law on Personal Data Protection (“Official Gazette
snik RS ", no. 97/08, 104/09 - dr. law, 68/12 - US decision and 107/12, in
hereinafter: ZZPL), the procedure for monitoring the implementation and
ZZPL by the Ministry of Health of the Republic of Serbia, Sorsix
International DOO, Institute of Public Health of Serbia "Dr Milan Jovanović Batut ”and the Republic Health Insurance Fund.
The Ministry of Health of the Republic of Serbia announced, on May 30, 2018,
launch of a mobile application called "Selected Doctor",
which should enable the scheduling of medical examinations of citizenswith their chosen doctors, as well as insight into their previous
medical examinations, and their health insurance status.
The mobile application in question can be downloaded free of charge at
Google Play, and tens of thousands have done the same to date
citizens. As the owner of the application, it was originally marked
Sorsix International, which, according to information from its website,
registered in Nis, in Milorada Veljkovića Špaje Street No. 1.

Page 115

6. Cases of grave breaches of rights

115

Registered on the website of the Business Registers Agency (APR)
is a company with a similar name - Sorsix International DOO Nis, which
as of May 30, 2018, it was registered at the stated address, a
then she was moved to the address Macvanska number 1 in Nis.
After installing the application, according to the instructions, either
it is necessary to enter the personal number of the insured (LBO), and, if it is
correct, enter the mobile phone number to which the user wants to
gets a verification code to access the data. After entering the correct one
LBO number and verification code, the user accessed his user
account, on which he receives information about his name and surname
nu, lists of previous examinations, name of the institution, name and surname
your chosen general practitioner and the chosen specialist
what (gynecologist, pediatrician, dentist), dates and exact timesno examinations performed, examination code, terms in which it can
schedule a medical examination, and health insurance status.
Access to data from health records, only on the basis of
valid LBO, is an unsafe form of processing, which allows
Thank you to every user of the application to use someone else's LBO to get
is information about that person. Namely, to valid LBO other persons anyone
can come by a simple search on the Internet, using CROSO,
and Internet tools that, based on the Lun algorithm, generate
man number of valid LBOs. The Commissioner demonstrated this
at a press conference, which you can get acquainted with at https: // bit.
ly / 2uBPJjQ.
By inspecting the document entitled “Privacy Policy” (“Privacy Policy
”), which was available at the same address, and which was
captured the terms of use and privacy policy, it was found that
users consent to the processing of their data to non-existent
company, called the Chosen Doctor App LLC.
After the Commissioner, on 31 May 2018, announced that
there are problems with the identity of the owner of the application, MiniThe following day, the Health Service issued a statement stating
It was “one letter and one technical error that were
kings ”and that the inscription Izabrani Doktor DOO is a technical error, which is
already replaced by Sorsix International LLC. Also, the Ministry of Health
vlja in his statement states that "the application does not store (store)
personal data".
Following this announcement by the Ministry of Health, the text of the document
was originally modified, and on the same day removed from the Internet, and
to date not available.
In this document, the content of which we obtained from the cached memowebsite, it is written that the application, ie the
to process user data (health data, contacts,

116

116

Personal data protection:

location, SMS messages, etc.) not only for the purpose of scheduling medical appointments
reviews for the purposes of direct marketing and user profiling.
to applications. We enclose the text of this document with this act.
In addition to the fact that the Ministry of Health has
misleading that the application does not store their personal data
and that its purpose is only to schedule medical examinations, on
in the same way, the provisions of the Law on Public Procurement, which speak of
permissibility of personal data processing. Processing of health data
the state of citizens, as particularly sensitive data on personal
According to the LPP, it can be done only on the basis of written consent
person or legal authority, which is not the case here. Also, on thisthe manner in which the provisions of the Health Insurance Act were violated
which regulate the processing of data contained in the registry
RHIF, as well as the provisions of the Law on Information Security.
Since the opening of the monitoring procedure, the application has suffered more
changes, the most significant of which is that, as its owner, instead
of the company Sorsix International DOO, designated the Ministry
Health of the Republic of Serbia, with the indication that the application
integral part of the Integrated Health Information System
audience of Serbia (ISIS).
However, given that the operator of ISIS, in accordance with Article
44, paragraph 4 of the Law on Health Documentation and Records in
in the field of health, is not the Ministry of Health, but the
but the health of Serbia "Dr Milan Jovanović Batut", the question arises
legality of data processing, ie unauthorized access to
from the complete health system of the Republic of Serbia.
The Ministry of Health and the Institute of Public Health of Serbia "Dr.
Milan Jovanović Batut ”are not in the process of supervision, despite the
of the placed act and urgency, responded to the Commissioner to the set
issues in the supervision process, which further indicates possible illegal
toast in action.
In contrast, the HIF, by its act of 7 June 2018,
informed the Commissioner that “[...] the development of the application was carried out in accordance with
by the instruction given to the expert service by the Ministry of Health.
The Republic Fund was in no way involved in these affairs
and is not aware of what the Ministry provided from the data
to the company in question ... "
The commissioner also did not receive an answer to the questions asked
nor from Sorsix International DOO, which has been unsuccessful on several occasions
attempted delivery of written acts. Namely, the Commissioner is still on June 5, 2018.
passed decision 072-04-3181 / 2018-07, which the same economybanned the processing of personal data through this application.
which, but it could not be submitted, about which we submit evidence.

Page 117

6. Cases of grave breaches of rights

117

Also, by inspecting the APR website, it was determined that, during
the oversight process initiated by the Commissioner, Sorsix International
The LLC had neither a legal representative nor contact details.
Namely, the director Jelena Krstić resigned from this position
14 May 2018, and the new director Dragan Šahpaski, a citizen of the Republic
Macedonia, he was appointed to that position only on July 16, 2018.
The only contact information for this company is
can find on the internet is a landline number on the former
seat addresses.
Based on all of the above, and the evidence attached
mo, the Commissioner has a well-founded suspicion that a serious compromise is underway
collection of personal data of the citizens of the Republic of Serbia,
not the records of the RHIF, and the Integrated Health Information
system (ISIS). These databases contain particularly sensitive
data of the entire population of the Republic of Serbia, which are processed
by law, which have been made available to unauthorized persons
for the purpose for which they are not intended. Subject data are processed,
on the basis of the law, for the purpose of health insurance and health
protect citizens, and they are, using the promoted application,
company whose status is not fully defined.
dream (change of address, absence of legal representative, absence of
contact details), for the purposes of direct marketing and profiling
citizens. We support this suspicion with a verifiable fact
that the terms of use and privacy policy of the application, which
this is unequivocally confirmed, after the opening of the
they are still not available on the Internet. It attracts special attention
the fact that the company in question is related to another
companies headquartered in Australia, the United States and
audience of Macedonia.
In view of all the above, I propose that the Higher Public Prosecutor
- Special Department for High-Tech Crime, in accordance
with legal competencies, review the submitted documentation
and examine the merits of the suspicion expressed by the Commissioner, which indicates
organized commission of a criminal offense under Article 146, paragraph 1 in connection with
paragraph 3 of the CC, which may have unforeseeable consequences for
and cause compromise of the entire health system
Republic of Serbia.
B ROJ: 073-14-1110 / 2018-02 from 20 7 2018

118

Page 118

Personal data protection:

6.3 PRIVATIZATION AGENCY - COMPROMISATION
PERSONAL DATA 5.190.397 APPLICANTS
APPLICATION FOR EXERCISE OF RIGHTS
ON FREE ACTIONS
Commissioner for Information of Public Importance and Protection of
personal data submitted a request to initiate a misdemeanor
proceedings against the Privatization Agency and responsible persons
in a legal entity because the Privatization Agency, in its
letter rooms in Belgrade, Terazije number 23, in the period from
on an unspecified date during February 2014 until December 12, 2014.
year, did not, in accordance with Article 47, paragraph 2 of the LPP, undertake
personnel, organizational and organizational measures for the protection of
of the applicants for exercising the right to free of charge
actions, in accordance with established standards and procedures, which are
necessary to protect data from loss, destruction,
permitted access, alteration, publication and any other
use, resulting in personal data for a total of 5,190,397
persons, namely their name, parent's name, surname, JMBG and serial
application number, on the internet domain of the Privatization Agency
its available
to an indefinite
numberOF
of MISDEMEANOR
persons.
I Z REQUEST
FOR INITIATION
PROCEEDINGS:
Based on the application submitted electronically, the Commissioner
came to the knowledge that the internet domain of the Agency for Privatization
at www.priv.rs/upload/company/contract/BES/dump_
web_prijave_10062013.txt, finds an active link through which you can
open or download a text document named "dump_
web_prijave_10062013 ”, with a capacity of 1.2 GB, which contains personal data
for a total of 5,190,397 (five million one hundred and ninety thousand three hundred
ninety-seven) persons. The contents of this file cannot be accessed
the need for programs from the standard Office package (Word, Notepad, etc.),
but only with the use of one of the specialized software for opening
of large-volume text documents.
In the process of supervision over the implementation and execution of ZZPL, which
conducted by the Commissioner in the Privatization Agency, it was determined that
in the mentioned file there are data on the identity of the holders of the right to
payment shares, as well as persons to whom the application for exercising the right to
free shares rejected, in accordance with the Law on the Right to Free
shares and monetary compensation that citizens receive in the private
(Official Gazette of RS, No. 123/07, 30/10 and 115/14), and which

Page 119

6. Cases of grave breaches of rights

119

this agency disposes of the data in accordance with its legal authority.
Due to omissions made during the configuration of the web server,
on which this content was located, and which is in the possession of the Agency for
validation, the above data have been made available indefinitely
number of Internet users.
In the procedure, it was determined that the Privatization Agency, as a
lac of personal data, did not, in accordance with Article 47 of the LPP, undertake
technical, personnel and organizational data protection measures, in
du with established standards and procedures, which are necessary to
data is protected from loss, destruction, unauthorized access,
changes, publications and any other abuse.
In the stated manner, a serious violation of the right to protection of
such as the personality of the citizens of the Republic of Serbia, given that
a mythical collection that contains personal data of almost all adults
citizens of the Republic of Serbia, namely their name, parent's name, surname,
JMBG and serial number of the application for exercising the right to free shares.
Due to failure to take appropriate data protection measures up to this
personal data collections could in the period from an unspecified day
during February 2014 (which was stated in the attached
minutes of 17 December 2014, based on the statement of Zoran Andrić, Director
ra of the Sector for Information Technologies of the Privatization Agency),
until 12 December 2014 to be accessed by any Internet user,
sew an insight into it or take it completely.
No special professional knowledge in the field of
informatics, because this text document was made
Internet indexing, so that every Internet user
by simply entering your own or someone else's JMBG into an Internet browser
(e.g. Google) could access this document, view it, and
take it over, which is documented in the act of the Commissioner number 164-0000764 / 2014-07 dated 12 December 2014, which we enclose.
Given that the data collection, which contains JMBG almost
all adult citizens of the Republic of Serbia, made available to
to a certain number of persons by the act of not taking protection measures by
Privatization Agency, this is the most quantitatively
greater breach in the privacy of the citizens of the Republic of Serbia,
lute relativized significance of JMBG, as individual and unrepeatable
marks of identification data on citizens, in accordance with the Law
on the unique personal identification number of citizens ("Official Gazette of RS", no.
53/78, 5/83, 24/85 and 6/89 and "Official Gazette of RS", no. 53/93, 67/93,
48/94 and 101/05 - dr. the law).
For all the above reasons, the offense committed by the Agency for
privatization is a unique case of data compromise

120

Page 120

Personal data protection:

about the personality of almost all citizens of one state, so it is aggravating
circumstance in the context of liability, which the court must take into account
in the form of deciding in misdemeanor proceedings.
In the supervision procedure, it was determined that the responsible person in the Agency for
privatization at the time of the violation, in the period from February
2014. to 27.06.2014. was Vida Uzelac, and in the period from June 28, 2014 to 12.
12. 2014. Mariana Radovanović.
Law on Privatization Agency ("Official Gazette of RS", no.
38/01, 135/04, 30/10 and 115/14) prescribes in Article 2, paragraph 2 that the
it has the status of a legal entity, with rights, obligations and responsibilities
determined by this law and the statute.
The Law on the Right to Free Shares and Cash Compensation
nor are they realized in the privatization procedure prescribed in Article 2, paragraph 1, yes
rights in accordance with this law are exercised by persons who meet the following
conditions: 1) that they have reached 18 years of age by the end of 31 December
brom 2007 and that on the day of acquiring the status of right holder they were
entered in the voter list of the competent municipal bodies; 2) to be on
the day of entry into force of this Law, citizens of the Republic of Serbia; 3) yes
were resident in the territory of the Republic of Slovenia on 30 June 2007.
the public of Serbia, ie the status of a temporarily displaced person from Kosovo
and Metohija; 4) that the right to shares without compensation are not in any way
achieved, in whole or in part, in accordance with the Law on
transformation ("Official Gazette of RS", No. 32/97 and 10/01) or
Law on Privatization and 5) that they are registered in the register of holders
rights managed by the Privatization Agency (hereinafter: the Agency),
in accordance with this law.
Published text document, however, next to the carriers
rights to free shares, includes persons who are not holders of this
rights (persons whose applications have been rejected), which means that he
puts records of holders of rights to free shares, but
applicants' application for exercising the right to free of charge
actions.
Article 5 of the same law prescribes that the records of right holders
managed by the Agency as a public and electronic database.
The publicity of the records of right holders is enabled by obtaining
such as the number of free shares on request, after entering personal data
(name, parental name, surname and JMBG) in the application on the internet presentation of the Privatization Agency, at www.priv.rs/
Free + actions / 131 / Check + status + of + carriers + p% D1.shtml, which is also
in operation today.
In the described way, the publicity of the records of holders of
va to free actions, which cannot be identified with the described

Page 121

6. Cases of grave breaches of rights

121

by making complete online records of the applicant
ca application for exercising the right to free shares.
Article 42 of the Constitution of the Republic of Serbia ("Official Gazette of RS", no
98/06) prescribes that the protection of personal data is guaranteed; to
collection, holding, processing and use of personal data
they live by the law; that the use of personal data is prohibited and punishable.
outside the purpose for which they were collected, in accordance with the law, except
for the purposes of conducting criminal proceedings or protecting the security of
the public of Serbia, in the manner prescribed by law; that everyone has the right to
be informed of the collected personal data, in accordance
with the law, and the right to judicial protection for their abuse.
Article 3 of the LPP stipulates that personal data is any information
information relating to a natural person regardless of the form in which
is also expressed on the information carrier (paper, tape, film, electronic
ski media, etc.), by whose order, in whose name, or for whose account
the information is stored, the date the information was created, the
information storage, the way in which information is
but, through listening, watching, etc., that is, indirectly, through insight into
document in which the information is contained, etc.), or regardless of
another property of information (point 1); a natural person is a human being
refers to data whose identity is determined or determinable on the basis of
personal name, unique personal identification number of citizens, address code
or other characteristic of his physical, psychological, spiritual, ecoeconomic, cultural or social identity (point 2); operator
data is a natural or legal person, ie a public authority
generates data (point 5).
Article 47, paragraph 2 of the LPP stipulates that the controller and processor
to take technical, personnel and organizational protection measures
data, in accordance with established standards and procedures, which are
necessary to protect data from loss, destruction, inadmissibility,
access, change, publication and any other abuse,
as well as to determine the obligation of the persons employed in the processing to keep
confidentiality of data.
Article 57, paragraph 1, item 11 of the Law on Public Procurement stipulates that the money will be paid
fine the operator for a misdemeanor from 50,000 to 1,000,000 dinars,
a processor or user who has the status of a legal entity if he acts
contrary to the obligation to take measures referred to in Article 47, paragraph 2 of this Law.
Article 57, paragraph 3 of the LPP stipulates that for the misdemeanor referred to in paragraph 1.
of this Article to punish a natural person, ie a responsible person
person, state body, ie body of territorial autonomy
units of local self-government are also fined from 5,000 to
50,000 dinars.

122

Page 122

Personal data protection:

In view of the above, the Commissioner submitted this request to
initiating misdemeanor proceedings. 2
B ROJ: 164-00-00764 / 2014-07 from 26 1 2015 3

2 By the Decision of the Misdemeanor Court in Belgrade 13 Pr no. 163010/15 dated 21 November 2016
the misdemeanor procedure against the Privatization Agency was suspended, because
it ceased to exist, as well as against the accused Vida Uzelac due to the
stump of absolute obsolescence of misdemeanor prosecution. The procedure is also
placed against the accused Marijana Radovanović, by the decision of the Misdemeanor
court in Belgrade 13 Pr no. 31088/16 of 30 December 2016 due to the occurrence of the absolute
obsolescence of misdemeanor prosecution.
3 Note: In connection with the actions described in the above request to initiate
of the misdemeanor procedure, the criminal report was filed by the Privatization Agency,
which was acted upon by the Higher Public Prosecutor's Office in Belgrade, but the criminal
column not started. Higher Public Prosecutor's Office in Belgrade, by letter from KTN vtk
700/14 of 22 March 2017 informed the Commissioner that it was not possible to
the identity of the person in whose actions the elements of criminal
unauthorized access to a protected computer, computer network and
electronic data processing from Article 302 of the Criminal Code, unauthorized collection
personal data from Article 146 of the Criminal Code and negligent work in the service from Article 361.
CC, so the case was placed in the records until the statute of limitations or identification
is the executor.

Page 123

7. Normative activities of the Commissioner

Page 125
124

7. Normative activities of the Commissioner

125

7.1. OPINION ON THE DRAFT PROTECTION LAW
PERSONAL DATA 4
The Commissioner for Information of Public Importance and Data Protection
he received such a person on July 11, 2018 from the Ministry
Justice Draft Law on Personal Data Protection for Giving
opinions in accordance with Article 46 of the Rules of Procedure of the Government (link letter
no. 011-00-395 / 2015-05 of 9 July 2018).
The Commissioner for Information of Public Importance and Data Protection
Thus, he was acquainted with the content of the Draft Law on
you personal data and, in this regard, prepared an opinion in
in principle and on individual provisions of the Draft Law.
Completed form "PFE" with the explanation of the Commissioner no
may submit with this opinion as the submitted
The draft law does not regulate issues that significantly affect
work of this body. This applies, inter alia, to nonthe quality of the decision regarding the competence of the Commissioner (see
opinion in principle, as well as on individual members, for example,
of Art. 45, 59–62, 67, 72–73, 78–79, 82 and 87 of the Draft Law). Later onThe child of the proposed solutions is that it is not possible at this moment
assess the required number of employees in the professional service of the
as well as the need for training, equipment and more.

I.
Opinion
in principle
The
Commissioner,
first of all, states that the Draft Law has been prepared
based on the text of the Draft Law on Personal Data Protection o
which, according to the conclusion of the Committee on the Legal System and State Bodies
of Serbia, 05 no. 011-11658 / 2017 of 28 November 2017, conducted by the public
device in the period from 1 December 2017 to 15 January 2018.
Having in mind the similar, or almost identical content of the two documents,
considering that the intention is to harmonize the regulations with the General
the Data Protection Regulation 5 , as well as the “Police Directive”, 6
4 On 3 January 2018, the Commissioner also gave an opinion on the earlier version of the text of the Draft
of the Law on Personal Data Protection in the framework of a public hearing
lo Ministry of Justice
5 Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons
in relation to the processing of personal data and the free movement of such data.
as well as repealing Directive 95/46 EC (General Protection Regulation
data) dated 27 April 2016.
6 Directive 2016/680 of the European Parliament and of the Council on the protection of individuals
in connection with the processing of personal data by the competent authorities for purposes

126

Page 126

Personal data protection:

hereinafter, the Commissioner will refer to that text of the Draft Law,
as well as the opinions submitted by the Commissioner to the Ministry
volume of 3 January 2018 (link no. 073-11-1889 / 2017-02).

Subject of the Draft Law
The draft law regulates the general regime of personal data processing
- principles, rights and protection of natural persons, obligations of the operator and
data transmission, supervision, the Commissioner, legal remedies,
integrity and sanctions, etc. The draft law also contains provisions on special
types of processing.
The draft law specifically regulates the processing which, as determined by the
paragraph 1, paragraph 2 of the Draft Law, is performed by “competent authorities for
chasing, investigating and detecting crimes, prosecuting perpetrators
criminal offenses or the execution of criminal sanctions,
protection from threats to public and national security, as well as
free flow of such data. "
Reading of the Draft Law which alternately states the rules and
exceptions, and then special exceptions, are very difficult, which also affects
understanding of obligations, especially bearing in mind that it is special
kind of processing.
This remark was made by other participants in the public debate, as well
and the European Commission in a preliminary opinion from April 2018, in
emphasizing that special attention must be paid to the clarity of
what laws, which provide citizens with important rights, since it is
data protection is a fundamental right in the European Union.
In the above opinion of the Commissioner on the previous version of the draft
of this law, the Commissioner concluded that “without challenging the importance of
and public and national security, and the processing of related data,
the manner in which this was done by the Draft Law is not appropriate. Adea more comprehensive solution, more acceptable from the point of view of development methodology
draft, it would be that this type of processing (processing performed by the authorities
authorities for the prevention, investigation and detection of criminal offenses…)
di within the section on special processing cases, so as to be determined
issues that may be regulated differently by the law governing the
the work of the above-mentioned bodies and thus exempt them from the general regime. "
Bearing in mind that within our legal system, the processing of
data on the person to whom the Police Directive refers
regulation of several special laws, nomotechnical approach for

prevention, investigation, detection or prosecution of criminal offenses or commission
criminal sanctions and on the free movement of such data.

Page 127

7. Normative activities of the Commissioner

127

determined by the Ministry of Justice, the Institute for Data Protection
such a person stands out from the context in which, by the nature of things,
belongs without identifying in a precise way the rudata processors for designated, special purposes, or
sno regulations establishing their authorization to process.
This was not done by the provisions of Article 4, item 26 of the Draft Law,
which the meaning of the term "competent authority" is trying to determine on
extremely inadequate way - by listing the jobs that are terminated
coincide with the possible processing purposes specified in Article 1.
paragraph 2 of the Draft Law.
Article 3 of the Draft Law does not contain any processing that would
to the question of the scope of its application with regard to Article 1, paragraph 2.
Draft law.
In addition, due to the nature of the Directive as an instrument of
which is also a consequence of the choice of direct translation of the provisions of the Police
directive, many provisions are very general for one national law,
and thus vague, giving wide discretion in their application (primeasure works Article 8 para. 2 and 3 or Art. 9. and 10).
Further, in the provisions of Art. 78 and 79 of the Draft Law (Commission Affairs
ie inspection and other powers of the Commissioner) are not
significant differences in the tasks and powers of the Commissioner
come out of two parallel regimes of personal data protection which
this draft law tries to institutionalize, so to speak, examples
for this reason, the "verification of the Commissioner" from Article 35 of the Draft Law is not specified
neither as a job (Article 78), nor as an authorization (Article 79) of this body.
There are no sanctions for certain obligations of the "competent authorities", which
At the same time, it points to the need for a more systematic approach to
ma data processing, precise determination of the body to which it refers
this special protection regime, as well as amendments to other laws.
Without systematic editing of this processing, the illusion is created that it is
The Police Directive was transposed into the legal system of Serbia, while,
at the same time, the text of the law that should regulate the general
processing of personal data is uselessly burdened.
How are the shortcomings of the Draft Law regarding implementation
Police directives cannot be removed by correcting individual ones
provisions of the text of the Draft Law, the Commissioner will not comment further
provisions, ie parts of the provisions of the Draft Law concerning processing
data by "competent authorities" "for special purposes".
The draft law, modeled on the General Regulation, contains several
short provisions on special cases of processing contained in
special chapter of the Draft Law.
In this regard, the Commissioner points out that the adoption of an important law
it should not be just fulfilling obligations to an international one

128

Page 128

Personal data protection:

organization, but also a re-examination of the needs of society to this
matter edit.
Hence, the moment of adoption of the law should be used for regulation
issues that have proven to be significant in practice. Among other things, on
this conclusion is also stated in the General Regulation in the part that refers to special ones
types of processing, such as an identification number.
Article 87 of the General Regulation emphasizes that this issue can be discussed in more detail
governed by states, not that a provision of a national regulation should enumerate
which laws apply, because it is clear that in one legal system
apply all applicable regulations, except when precisely prescribed to
certain regulation does not apply.
It is therefore important to arrange for the prohibition or at least restriction of
work of JMBG over the Internet, as well as to prohibit the copying of personal
documents, except when expressly provided by law.
The content of the provisions that refer to other types in this part
processing, are the subject of the Commissioner's opinion on individual provisions of the
line of law.
It is important to point out that the Draft Law does not provide for the regulation of video
-supervision, which the Commissioner pointed out in his opinion on the previous draft
of the law.
Video surveillance is an unregulated area in Serbia, and since
adoption of the Law on Personal Data Protection, 2008,
The ment of the Ministry of Justice was that it would be a matter of special order
of the law. The consequence is, unfortunately, the use, and often the abuse of
part-supervision in Serbia. In its opinion on the previous draft law of the
nik emphasized the necessity of editing this special type of processing with new ones
Law on Data Protection, and as a counter-argument of the Ministry of
it was stated that the General Regulation does not contain provisions on video surveillance.
However, the fact that something is not explicitly stated in the Opregulation, it is not an obstacle for the state to prescribe it in the national law.
konu. For example, the German Personal Data Protection Act,
adopted after the adoption of the General Regulation, contains provisions on video surveillance
in a public space.
Right now is the opportunity to edit the increasingly present video surveillance. U
otherwise, there is a risk that the area will remain undeveloped.
In support of the argument that video surveillance should be regulated by this law,
The fact that the adoption of a special law in this area would
demanded additional costs from the Serbian budget, because it would cause additional ones
costs of financing the work of a special working group or engagement
persons who are not officials of the Ministry or other bodies. The same
at times, such a law would contain a very small number of provisions.
Since video surveillance, as a special form of data processing
personality, thematically fits perfectly into the matter covered by the Draft

Page 129

7. Normative activities of the Commissioner

129

law, the opportunity would be taken to, without prejudice to the provisions of
own laws, such as the Law on Traffic Safety
on the roads or the Law on Private Security, edit the issue
video surveillance in the work and living space, as well as in a public place.
With regard to the status issues of the Commissioner, the Draft Law refers to
provisions of the Law on Free Access to Information of Public Importance
tea, which is also subject to amendment, and in this connection, the
nik emphasizes that it is necessary that the content of these changes and additions be
available as soon as possible, and that it is necessary to
carrying these two laws synchronize. Some status issues
fiancé, as they concern the application of this law, as is the question
authorized persons for supervision, may not be subject to any other law.

Contents of the Draft Law
In the opinion section in principle, the Commissioner makes particular use of
to point out the following: the procedure for protection of rights before the Commissioner,
rules of adjudication, inspection of the Commissioner and
setting conditions and the procedure for imposing administrative measures.
In particular, the Commissioner considers it particularly important to consider
the need to regulate the processing of data on deceased persons. On the one hand,
It should be borne in mind that the processing of data on the deceased is not a matter of
in the privacy and protection of personal data, the future
that these are personal rights, as well as the fact that this matter is not the subject
General regulations. However, on the other hand, the fact is that the processing
data on deceased persons is very important and to omit the arrangement
these matters resulted in the impossibility of pursuing an interest
individuals, as well as unregulated relations, and the legal uncertainty of all who
they process data on the deceased, often completely unwanted.
Inadequacy of the regulation of the procedure for protection of rights before the
which was considered in the direct communication of the Commissioner with
representatives of the Ministry of Justice.
Article 82 of the Draft Law stipulates that the data subject
relations has the right to submit a complaint to the Commissioner, if he considers that it is
processing of personal data carried out contrary to the provisions
of this law, in accordance with the law which regulates the inspection at dawn.
Namely, according to Article 52 of the Law on Inspection Supervision:
"Every person has the right to file a complaint against the manager
inspection, inspector, or official authorized to perform
inspection if he considers them to be their illegal or
improper action, ie negligent work, violated rights
or freedom.

130

Page 130

Personal data protection:

Complaint filed against a person authorized to conduct inspections
tional supervision is considered and the decision regarding it is made immediately
the head of the person to whom the complaint relates, ie the
for supervising the work of the inspection and the body in charge of
its appointment or an authority or body authorized by that authority.
Consideration of the complaint ends and a decision on the complaint is made in
within 15 days of receiving the complaint and then delivering it to the applicant.
Complainant who is dissatisfied with the decision on the complaint
may address the Coordination Commission on this occasion within
15 days, which in this regard undertakes appropriate activities from the circle
the work he does. "
The Law on Inspection Supervision therefore regulates the complaint as
means by which citizens address the body regarding non-professional
leg, improper and illegal work of an individual of that organ as a person
authorized to perform inspection supervision. Therefore, the consequence of
insisting on the solution contained in the Law on Inspection Supervision
is the inability of a person to exercise the protection of the rights whose exercise he is
regulated by the Draft Law.
It is necessary to make a distinction between the protection procedure
rights of persons and the procedure of supervision over the implementation of the law. In both cases,
I, having in mind the capacity of the competent authority, these procedures should
be specially arranged.
The principle was not taken into account during the drafting of the law
procedures.
ne bisNamely,
in idem Article
- not twice
about the same,
the consequences
of comparatively conducted
78, paragraph
1, itemnor
6 stipulates
that the Commissioner
decides on complaints and notifies the complainant of the course and
the results of the proceedings conducted in accordance with Article 82 of this Law,
which provides for the right to complain to the Commissioner. Paragraph 2 of this Article
the obligation of the Commissioner to inform the complainant is envisaged
on the course of the proceedings, the results of the proceedings, as well as on the right of the person
to initiate an administrative dispute, while Article 83 prescribes a deadline for the Commissioner
of 90 days to act on complaints.
Therefore, in such a procedure, provided that it is regulated from the already

fighting reasons, the Commissioner would decide on the violation of rights, but also
obligations of the operator. Regarding the decision of the Commissioner, on these rights and
obligations can also be decided by the Administrative Court on lawsuits.
However, at the same time, Article 84 of the Draft Law provides for
the possibility of litigation if the data subject
considers that, contrary to this law, the controller or processor
by processing his personal data he violated the right prescribed
by this law. So, in the same situation. This protection is achieved by
in civil proceedings, and jurisdiction is established for higher courts.

Page 131

7. Normative activities of the Commissioner

131

Body before which the procedure can be conducted (Commissioner, Administrative
court, higher court) has no obligation to notify or check with other
authority, the fact whether any procedure is being conducted, which is logical
but because court proceedings before a court of general jurisdiction do not depend on
court proceedings before a court of special jurisdiction, such as the Administrative
the court. As for notifying the Commissioner, this is the procedure
the body is not specified in the Draft Law.
This not only calls into question legal certainty
in the abstract sense, but also in the individual concrete case. Important
is to point out that legal uncertainty exists independently of the dispositive
decisions of the body given that the reasoning of the decision and interpretation
Individual provisions can be different and even contradictory.
The previous draft law did not contain any procedural provisions
on the Commissioner's oversight procedure, and amended by the Commissioner's comment
is paragraph 2 of Article 77 of the Draft, which reads:
“In exercising his powers, the Commissioner shall act in accordance with
the law governing the administrative procedure and the law governing it
inspection supervision, unless otherwise provided by this Law. "
However, such a provision does not solve the problem of law enforcement
(see also the commentary on Article 77 of the Draft Law) when the Draft Law
the procedure for protection of the rights of the data subject is not regulated, a
the institutes provided for in this draft do not exist in the General Law
administrative procedure, nor in the Law on Inspection Supervision.
The draft law does not contain any provisions on authorized persons
Commissioner, which is necessary for the supervision procedure to be possible
to implement. Also, the provisions on the persons authorized to supervise the
are necessary for the performance of the authorization in connection with the conditions and
by issuing a misdemeanor order prescribed by the Law on Misdemeanors.
The Law on Inspection cannot be applied to the work of the Commissioner.
supervision in full, nor is it possible to apply the regulations without
special arrangements for supervision by the Commissioner, inter alia,
bearing in mind the role of the Coordination Commission formed by the Government on
based on Article 12 of the Law on Inspection Supervision, as it would be
something was also contrary to the provisions of the General Regulation on
bodies (Article 52), but also the provisions of the Draft Law (Article 74).
Neither this draft law, nor the previous one, provides for an imposition
administrative measures, nor regulates the competence of the body, nor the
these measures. Unfortunately, the practice so far indicates that
sanctions for violation of the Law on Data Protection, ie the rights of persons,
they are mostly absent, or symbolic. Overload of misdemeanors
courts and a large percentage of statutes of limitations are just one of the arguments that
support the need to harmonize national regulations with the General
decree and in the part related to administrative measures.

132

132

Personal data protection:

The fact that prosecutions for the commission of a crime of unauthorized
there is almost no data collection, it affects everyone who has it
intending that data on citizens of Serbia, as well as data on other persons,
cream processes even for illicit purposes. Just the awareness of that yes
there are handlers and processors who calculate the penalty in advance
will pay, and continue to illegally process personal data
whose value for the economy and for the whole society is becoming higher,
urged the drafters of the General Regulation to give special
table in Article 83 of the General Regulation and Art. 148, 150 and 151 of the Preamble.
The Republic of Serbia has introduced administrative measures in the Law on
competition (“Official Gazette of RS”, No. 51/09 and 95/13), which
determined by the Commission for Protection of Competition
and an independent organization exercising public authority in accordance with
by this law. Therefore, the provisions on administrative measures in the Draft Law do not
would set a precedent in the field of administrative law, and is necessary
to harmonize the Draft Law with the General Regulation.

II. Opinion on individual members
The statement on its content is given in the part of the opinion on the Draft Law
Article 1 of the Draft Law regulates the subject of the law and the opinion of the
in principle.
forehead. Article 4 of the Draft Law contains definitions that need to be
Article 3 of the Draft Law - see opinion on the Draft Law in
but edit, and add some in accordance with the Unified Methodological
rules for drafting regulations ("Official Gazette of RS", No. 21/10).
Item 8 gives the definition of "operator", which prescribes that
the law determining the purpose and manner of processing “may determine the
blacksmith or prescribe conditions for its determination ". A provision is needed
amended so that instead of the word “can be determined” the words “determined
is "," and instead of the word "prescribe" there are the words "are prescribed".
Item 26 prescribes the definition of “competent authorities”, and
com b) it is determined that it can also be legal entities authorized by law.
This definition is not precise and is a consequence of a literal
smaller definitions from the Police Directive (see
reference to the Draft Law in principle).
In addition to these definitions, it is necessary to prescribe
terms, as well as expressions whose meaning is important for understanding and
menu law.
This applies, for example, to the terms: archiving in the public interest.
are, scientific and historical research, as well as statistical purposes (Article 6.

Page 133

7. Normative activities of the Commissioner

133

article 1); historical purposes (Article 7, paragraph 3); criminal offenses (Article 19, para
1.); submission, realization or defense of a legal request (Articles 17, 30,
31, 44, etc.); deletion of data or copy of data (Article 45, paragraph 4.
point 7); personal data protection person (Article 56); group rublacksmiths (Article 59); code of conduct (Article 59); charity
(Article 94)
Also, the definition of the term "cryptosecurity", which is
necessary to regulate in this law or refer to the appropriate
finicity contained in another law. Missing "icon" definition
which are also mentioned in the Regulation in the Preamble, and not only in the individual ones
provisions, especially bearing in mind the basic meaning of this word in
language.
and for the possible application of this provision, it is necessary to edit the meaning
Article
6 of the
Draft
Lawinterest,
regulates
the admissibility
of processing
the term
archiving
in the
public
scientific
and historical
research for other purposes,
as well as statistical purposes, individually.
forehead. Article 8 of the Draft Law should be amended so that this law
Article 7 of the Draft Law - see opinion on the Draft Law in
determine, or make identifiable, the period within which data may be kept
are processed exclusively for the purposes of archiving in the public interest, scientific
or historical research and for statistical purposes. This is conditioned
principles of processing (Article 5 of the Draft Law), on the one hand, and obligation
the controller to provide the person with certain information about it (Articles 23, 24 ...),
on the other.
Regarding paragraph 2 of this article - see the opinion on the Draft Law
in principle.
forehead. Article 10 of the Draft Law - see opinion on the Draft Law in
Article 9 of the Draft Law - see opinion on the Draft Law in
on forehead.
on forehead.
Article 11 of the Draft Law - see opinion on the Draft Law in
Article 12 of the Draft Law - delete paragraph 3.
on forehead.
Article 13 of the Draft Law - see opinion on the Draft Law in
editing the text to make it clear whether, in the case of both
Article
of the Draft
Law
- in paragraph
2, legal
parents
jointly16exercise
parental
rights,
the processing
of
possible with the consent of one parent or is necessary
given the consent of both parents.
due to the vague wording that the person is "legally incapable". About point 6.
Article 17 of the Draft Law should be reformulated in paragraph 2, item 3.

134

134

Personal data protection:

and the expression "filing, pursuing or defending a legal claim" see commentary on Article 4 of the Draft Law.
on forehead.
Article 18 of the Draft Law - see opinion on the Draft Law in
to “in relation to criminal convictions and criminal offenses” as
Article
19 of of
thepersonal
Draft Law
special
conditions
for data processing
a special
category
data regulates
in terms of
Article
10. General
regulations. It is necessary to regulate the provision bearing in mind, among other things,
that the processing of this data may be carried out in accordance with Article 12, and not
based on it, as well as that the law should clearly prescribe processing
of these personal data given that admissibility by law
it also means that it is not the subject of a ban, but a specific norm by which
gives the possibility of processing may be omitted from a law. Next, how
stated in the commentary to Article 4, it is necessary to determine the meaning of
raza “punishable acts” in paragraph 1. Finally, it is not clear which organ is considered
as a ‘competent authority’ within the meaning of the same paragraph, and which
powers of that body.
Paragraph 2 shall be deleted as it is not a matter of this law.

Article
20 of
thesubject.
Draft Law
- deletefrom
paragraph
4.
the rights
of the
data
As follows
the provisions
21the
of data
the Draft
Law
other things, the manner of
of thisArticle
Article,
subject
mayregulates,
exercise among
his or her
by submitting a request to the data controller, by submitting a complaint
To the Commissioner and by filing a lawsuit in court. From the provisions of the Draft Law
the legal nature of the procedure conducted by the data controller is not clear.
on the occasion of the submitted request, which is certainly not good from the point of view
the legality of the work of the operator, which must have known and
ambiguous obligations regarding the rules of procedure upon the request given to him
is filed. This is at the same time significant from the point of view of the principle of equality.
bones and legal certainty, so it is necessary to amend the Draft Law in
in that sense.
Paragraph 4 stipulates that the operator is obliged to inform the person
to which the data refer to the “right to complain to the Commissioner, ie
a lawsuit in court ”. As provided by later provisions, upon complaint
The Commissioner, as a procedure, may also be instructed by the controller to
at the request of the data subject, which could
leads to a situation where the same person does not win in different proceedings
equal protection or that different persons on the occasion of the same
that operator in these proceedings receive different protection, which is
contrary to the principle of legal certainty. Proceedings before the Commissioner after
"Complaints" must be regulated as a procedure according to the rules of administrative
procedure since it is a procedure of protection of the rights and interests of persons,
rather than protecting legality.

Page 135

7. Normative activities of the Commissioner

135

Article 79 of the General Regulation regulates the right to an effective
sko) means against the operator or processor, but it is not clear whether
this provision refers to the establishment of a parallel protection system,
with the procedure before the Commissioner, or to the protection of the rights of persons whose
the violation occurred in violation of the obligations of the controller or processor,
prescribed by the General Regulation. In this regard, it is necessary to consider that
whether the intention is to establish two parallel protection regimes, having
in view of the fact that he is against the decision of the Commissioner on the "complaint", provided that
this procedure is regulated, it is possible to conduct an administrative dispute.
Paragraph 9 of the same Article determines the authority of the Commissioner to
The information provided to the data subjects, which
are represented by standardized icons displayed in the electronic
form and regulates the procedure for their determination. The term "resident
standardized icons "is not clarified in the provisions of the articles of the General Regulation,
but it is in paragraph 60 of the Preamble. Therefore, the draft law should regulate
the meaning of the term, as stated in the opinion on Article 4 of the Draft Law.
The Commissioner points out that the General Decree gives this competence
To the European Commission, as the holder of executive power in the European Union
and, in order to align the Draft Law with the General Regulation,
to observe the mentioned provision so that the Government has the envisaged authority.
Paragraph 10. - delete.
on forehead.
Article 22 of the Draft Law - see opinion on the Draft Law in
Article 23 of the Draft Law - delete paragraph 5.
on forehead.
Article 24 of the Draft Law - see opinion on the Draft Law in
on forehead.
Article 25 of the Draft Law - see opinion on the Draft Law in
on forehead.
Article 27 of the Draft Law - see opinion on the Draft Law in
on forehead.
Article 28 of the Draft Law - see opinion on the Draft Law in
about personality, ie. the obligation of the controller to delete the data
of the
Draft
Lawthe
refers
to theinright
to the
delete
data acts, ie.
is, so Article
the law 30
should
also
regulate
manner
which
operator
the way in which data is deleted when it comes to automated and unauthorized
tomatized processing, bearing in mind that the action of deleting data in
the non-digital form actually means the destruction of data.
Paragraph 6 - delete.
among other things, “for the purpose of filing, exercising or defending the legal
Article
31inofthis
theregard
Draft see
Law
the right
to limit4processing
requests
”, and
theregulates
commentary
on Article
of the Draftin,Law.
Paragraph 4. delete.

136

Page 136

Personal data protection:

on forehead.
Article 32 of the Draft Law - see opinion on the Draft Law in
Article 33 of the Draft Law - delete paragraph 3.
on forehead.
Article 34 of the Draft Law - see opinion on the Draft Law in
on forehead.
Article 35 of the Draft Law - see opinion on the Draft Law in
Article 36 of the Draft Law - delete paragraph 5.
on forehead.
Article 39 of the Draft Law - see opinion on the Draft Law in
the Draft
Law -indelete
paragraph
3.
an actArticle
without40a of
relevant
provision
the penal
provisions.
It is anticipated that
Article
the Draft Law
regulates
the obligationsmeasures"
of the operator in general
obligation
to 41
takeof"technical,
personnel
and organizational
to ensure that processing is carried out in accordance with that law and be in
opportunities to illustrate this, taking into account the nature, extent of the
and the purpose of processing, as well as the probability of occurrence and the level of risk
rights and freedoms of persons. Because personnel measures are an integral element
organizational measures, which is confirmed in the General Regulation by provisions
relating to technical and organizational measures should be omitted
the word "personnel".
Paragraph 2 of the same article should specify the obligation to review
and updating the measures referred to in paragraph 1 of that Article so that the law
but when this review and update is necessary.
Also, paragraph 3 states that, “if it is in proportion to the processing
data ”, the measures referred to in paragraph 1 of that Article shall include the application of appropriate
internal acts of the controller on data protection. Thus determined both
the link does not constitute a clear rule of conduct and should be
you stated the provision so that the law determines when the operator
should adopt an internal act on personal data protection, ie. when
is the adoption of that act "in proportion" to the processing of data.
Paragraph 5. - delete.
relations to integrated and incorporated privacy, new concepts
Article 42introduced
of the Draft
refers toRegulation
protection-measures,
in fact
data protection
byLaw
the General
privacy bybut
design
i they are
ambule of the General Regulation, the fact that protection measures are a general concept, as
privacy
by default
. Given theofimportance
of the
these
concepts,
78 be amended so that,
and the content
in particular
paragraph 2,
rubrum
of theparagraph
article should
For example, it reads: “Integrated privacy and incorporated privacy
".
Regarding the expression "personnel measures", the previous remark is valid, that they are
personnel measures by the nature of organizational measures, so the word "personnel"
should be deleted.

Page 137

7. Normative activities of the Commissioner

137

Paragraph 3 is unclear. The term “participation of a natural person” is necessary
will be determined by law so that the provision makes sense and can be
menu in practice.
their responsibility in the event that they are the ones who determine the purpose
Articleof43data
of the
Draft Law
provides
for joint
operators
and method
processing.
However,
bearing
in mind
that and
the joint
blacksmiths can also be established by law (eg in the case of voters
lists), this article should be supplemented by a provision that will refer to
that situation.
appoint its representative in the Republic of Serbia. It should be
Articleof44
thebyDraft
the obligation
of the operator to
the content
theofact
whichLaw
the stipulates
operator appoints
his representative
or the manner of editing the content of the act.
due to the standard contractual clause, which refer to the obligations from para. 3.
45 of the Draft Law in paragraph 11 authorizes the Commissioner to
and 7.Article
that member.
Standard contractual clauses drawn up by the Commissioner
they would put a legal institute that does not exist in the law of the European Union.
Namely, standard contractual clauses are determined directly by the European one
commission, or adopted by the supervisory body in accordance with the
consistency under Article 63 of the General Regulation, and then the Commission. According to
therefore, the solution contained in the Draft Law, which provides that the Commissioner
(itself) draws up standard contractual clauses in accordance with Article 45.
of the same law (processor!), is not adequate to the institute that exists in
European law and in that sense, so that it would not happen that under
House of Harmonization with EU Law introduces an institute into the legal system
bears the same name, but is fundamentally different from the European institute
rights, it is necessary to amend this provision.
Given that the consistency mechanism, which is
General Regulation, it is not possible to transpose it into our legal
stem, The draft law should provide for the possibility of use
standard contractual clauses adopted by the European Commission in
in accordance with the General Regulation.
In this regard, other provisions of the Draft Law should be amended
refer to "standard contractual clauses", for example Article 78.
paragraph 1, item 10 and Article 79, paragraph 2, item 1.
Paragraph 12. - delete.
authorized by the controller or processor to access personal data
Article
46 of that
the Draft
Law stipulates
that the
processor
sti, cannot
process
data without
an operator's
order,
unless itand
is another person who
such processing prescribed by law.
It is unclear which circle of taxpayers this provision covers, especially
I will take into account the fact that the explanation with this article states that it is prescribed

138

Page 138

Personal data protection:

that the processor may process personal data only on the order of the
vaoca, except in the case when he is obliged to such processing by law.
It is therefore necessary to review and correct this provision.
If the provision also applies to other persons, the
the difference between the authorization and the order, and then harmonize this article with
Article 50, paragraph 5 of the Draft Law, as well as Article 95, paragraph 1, item 23,
which provides for a misdemeanor sanction in case the data is
operate without an order or contrary to the order of the operator, while the authorization
not mentioned at all.
For the purpose of specification, the provision of paragraph 9, item 2 needs to be amended as follows
47 ofbythe
to thethat
records
of processing
operations.
to be Article
determined
lawDraft
whenLaw
it is refers
considered
the processing
is not
occasional.
Paragraphs 2, 5 and 6 are deleted.
on forehead.
Article 48 of the Draft Law - see opinion on the Draft Law in
Regarding the term “personnel measures”, there is a previous note, so the word
Article
50 ofbe
the
Draft Law refers to data security. In pofirewood
”should
deleted.
Paragraph 5 should be harmonized with Article 46, as well as Article 95 of the Draft
of the law.
Paragraph 6. - delete.
on forehead.
Article 51 of the Draft Law - see opinion on the Draft Law in
in case of security breach. The provision needs to be supplemented with a paragraph
Article
of the Draft
refers to informing
thebody,
Commissioner
relating
to the52authority
of theLaw
Commissioner,
or another
to
enacting a bylaw that would refer to the manner of notification
Commissioner, as well as on the notification form.
Paragraph 8. - delete.
in case of security breach. With comments that are, as in the case of a member
Article
53 of the
Draft Law stipulates
the with
obligation
to inform persons in
52, refer
to bylaws,
ie supplementing
the article
a paragraph
to the authority of the body for the adoption of bylaws, should be regulated
decision and the content of the operator's decision not to inform the persons to whom
daci relations, or the basis for editing the form and content of the decision.
Attitude. 5. - delete.
there personality data. In order to specify the competencies of the Commissioner,
Article
54 of the
Draft Law
paragraph
5 should
be reworded
inrefers
order to
to the assessment of the
laid the legal basis for the adoption and publication of the act of the Commissioner
on the list of types of processing operations for which an impact assessment must be performed
from paragraph 1 of that article, ie for which an impact assessment is not required.
Paragraphs 7, 8 and 10 - delete.

Page 139

7. Normative activities of the Commissioner

139

opinions of the Commissioner. In paragraph 7, item 3, delete the word "personnel".
Article
55 of
regulates the obligation to obtain the previous one
Paragraphs
2, the
3, 8Draft
and 9 Law
- delete.
The provision of paragraph 10 should be reformulated in order to be appropriate
the legal basis for enactment and publication was thus established
by-law of the Commissioner on the list of types of processing operations on which
his opinion must be sought.
The provision of paragraph 11 which establishes the duty of the authority
proposing the adoption of laws and other regulations based on
which contain provisions on the processing of personal data, that in progress
their preparations seek the opinion of the Commissioner, should be singled out in
a special article, given that it is a special type of obligation, and
the manner and procedure for performing that duty.
there personality data. Regarding the meaning of the word “person for the
Article
of the
Draft Lawonrefers
to the
of persons for
personal
data 56
”- see
commentary
Article
4 ofdesignation
the Draft Law.
In paragraph 2, item 2 and 3 are not precise in the parts relating to
"Systemic surveillance of a large number of persons" and processing "on a large scale".
Paragraph 10 regulates the obligation of the controller and the processor to submit
personal contact information for personal data protection. With that
in this regard, Article 78 of the Draft Law should be amended in the relevant part
on the processing of personal data for the protection of personal data from
not the Commissioner.
for the protection of personal data. It remains unclear whether even under
Article
58 of
the Draftother
Lawobligations
regulates which
"least"
conditions
could
determine
of thatobligations
person, andthe
who
couldperson has
to determine them.
Paragraph 1 should be specified in item 2, which stipulates that the person for
data protection is accompanied by the application of regulations which, inter alia,
bear on the "question of division of responsibilities." The cited formulation should
specify that the subject of the obligation - the issue of division of responsibilities was clearly defined.
Paragraph 1, item 4, which provides that this person shall cooperate with the
and “consults with him on matters relating to the processing of
du ", the word" counseling "should be changed as the term does not fit
meaning from Article 39 of the Regulation.
Paragraph 3. - delete.
In this regard, it should be emphasized that the definition of a “group of
Article”as
59 well
of theasDraft
Law refers
theclear
“Code
of Conduct”
and, accordingly
blacksmiths
the“ codex
”. It istonot
whether
this "group"
includes only
operators from the Republic of Serbia.
Paragraph 2 should be deleted as it is not clear to which operators or
The Law on Personal Data Protection does not apply. Taken over

140

Page 140

Personal data protection:

is literally from the General Regulation which, given the division of competences
between the Member States and the European Union, cannot regulate
way of overall data protection.
Paragraph 5 provides that the Commissioner shall deliver an opinion on
of the proposed code with the law, and is obliged to “register” the code
and publishes ”, but does not provide for the manner and procedure of giving an
nja, as well as the registration procedure, nor the manner of publication, so it is in
in that sense it is necessary to supplement the said provision in order to be able to
conducted.
Paragraph 6. - delete.
The member needs to be amended.
Article
60 1ofprovides
the Draft
regulates the
supervision the
overapplication
the application
the Code.
Paragraph
forLaw
the possibility
of supervising
of theofCode
may be performed by an entrepreneur or a legal entity accredited for
performing supervision in accordance with the law governing accreditation.
The norm regulated in this way is incomprehensible and inapplicable since
it refers to the application of the Law on Accreditation ("Official Gazette
RS ", No. 73/10), while from the remaining provisions of the same article it follows that
accreditation is granted by the Commissioner (and not by the national accreditation body,
whose work is regulated by the mentioned law). At the same time, the Law on Accreditation
which regulates accreditation as a procedure for determining whether a person
meets the requirements for performing conformity assessment work, but does not
supervision.
However, in Article 78 of the Draft Law, which exhaustively lists
the affairs of the Commissioner, the affairs referred to in Article 60 of the Draft are not listed
law, so the question of competence for accreditation for
overseeing the application of the code of conduct. If it were Pofiancé, Article 78 should be amended, and the accreditation procedure should be regulated
by this law.
Attitude. 8. - delete.
certification procedures.
Article
61 ofofthe
Law does
refersnot
to regulate
the possibility
of establishment
This article
theDraft
Draft Law
the procedure
for issuing
nor does it determine which authority is competent to establish that
as a result, the provisions of the said article are unenforceable and
however, they should be corrected, taking into account the competencies as well
rights and obligations, can be determined only by law, not bylaws
act. In this regard, it should be clarified what is considered to be
stamps and markings ”.
Paragraph 10. - delete.
on the accreditation of certification bodies. The member is necessary to
Article
62 of the Draft Law refers to “certification bodies”
change
and supplement.

Page 141

7. Normative activities of the Commissioner

141

The article stipulates that the certification body is accredited "in
in accordance with the law governing accreditation ", while the jurisdiction
for the implementation of the accreditation procedure by any provision of the Draft
the law is not determined explicitly, but is indirectly concluded on
basis of the provisions of paragraph 2 of this Article, from which it follows that, since
the certification body can be accredited only if the Commissioner
proves that it meets the conditions prescribed by that provision, the
the one who conducts the certification procedure.
However, Article 78 of the Draft Law does not list these matters,
so the question of the competence for accreditation of certification
those bodies. If it were the Commissioner, Article 78 should be amended and the
accreditations should be regulated by this law.
Otherwise, the important legal institutes provided by the General
ba - code of conduct and certificates on personal data protection
- will not be effectively applicable in our country.
Paragraph 9. - delete.
data transfer, that any transfer of personal data to which the
63orofpersonal
the Draft
Law
in paragraph
1, as
a general principle
yes inArticle
progress
data
thatregulates
are intended
for further
processing
can only be executed if the handler and processor comply with
conditions prescribed by that chapter of the law (Chapter V), and everything works
providing a level of protection for natural persons equal to that
guarantees this law.
The word "chapter" should be deleted, because it is necessary for the operator
and the processor as a whole act in accordance with the law, and that
the totality of data transmission does not depend only on whether it is applied
provisions of the chapter relating to data transmission, from that to
whether the controller and the processor process the data in accordance with this
by law.
Paragraph 2. - delete.
levels of protection and determines when the condition is considered appropriate
64 of is
the
Draft Law
regulates
the and
transfer
on the basis of the appropriate
level Article
of protection
fulfilled,
namely:
in states
international
organizations that are members of the Council of Europe Convention for the Protection of Individuals
in relation to the automatic processing of personal data and in countries, on
parts of their territories or in one or more sectors
activities in those countries or international organizations
which the European Union has determined to provide an appropriate level
protection (paragraph 2) and if it is with another State or international
an international agreement on data transfer was concluded by the organization
(paragraph 4).
In paragraph 3, the Government is empowered to establish that the State, part of its
words, field of activity or legal regulation or international

142

Page 142

Personal data protection:

the organization does not provide an adequate level of data protection, except
in the case of the members of the Convention and the criteria provided for
are taken into account on that occasion.
It follows from the above provision that the Draft Law establishes
on the assumption that states and international organizations provide
appropriate level of data protection until the Government determines otherwise
(unless they are members of the Convention).
Such a regime is different from the transmission regime regulated by the
Regulation and is based on establishing the existence of an appropriate
data protection leaders in each country individually.
In order to eliminate this obvious illogicality and to harmonize
line of the law with the General Regulation, as well as for the purpose of linking the provisions of Article
at 64 and Article 65, paragraph 1, in Article 64, paragraph 3, after the word “international
organization ", the word" no "should be omitted.
international agreement ". Regarding point 2 - see comment
Article
of the
Draft
item3 1,
should
read “confirmation
to Article
45 65
of the
Draft
Law,Law
andin
inparagraph
relation to2,item
- see
the comment
on
Article 67 of the Draft Law.
Paragraph 3 refers to the possibility of providing appropriate measures
protection with the special approval of the Commissioner. In addition to the need to
to mullize a provision, in order to be precise, rules should also be established
approval procedure.
In paragraph 4, paragraph 2 of that article is omitted, instead of paragraph 3, as
reference provision for special approval of the Commissioner on the basis of which
appropriate protection measures can be provided.
on forehead.
Article 66 of the Draft Law - see opinion on the Draft Law in
provides for the competence of the Commissioner. As in the case of standard
Article
67 of
theArticle
Draft 45
Law
rules and
clauses
referred
to in
of regulates
the Draft binding
Law, thebusiness
Draft Law
a legal institute that does not exist in European Union law would be put in place,
having regard to the provisions of Article 47 of the General Regulation and the
referred to in Article 63 of the General Regulation.
As this obligation cannot be transposed into our legal system
The draft law should provide for the possibility of using
binding business rules in accordance with the General Regulation.
In this regard, other provisions of the Draft Law should be amended
refer to "binding business rules", for example Article 78.
paragraph 1, item 18 and Article 79, paragraph 2, item 8.
Paragraph 5. - delete.
given the vague wording that the person is "legally incapable".
Article
69 8.
of-the
Draft Law should be reformulated in paragraph 1, item 6.
Paragraph
delete.

Page 143

7. Normative activities of the Commissioner

143

on forehead.
Article 70 of the Draft Law - see opinion on the Draft Law in
on forehead.
Article 71 of the Draft Law - see opinion on the Draft Law in
gender cooperation in connection with data protection, is performed by the Commissioner, so in
72 ofthat
thethe
Draft
Law regulates
activities
that, within
the
point Article
2 stipulates
Commissioner
shallthe
take
appropriate
measures
with data protection authorities in other Member States
ma and international organizations to provide international
legal assistance in the application of data protection laws
information, including notification, referral to
protection and legal assistance in exercising supervision, as well as the exchange of
provided that appropriate data protection measures have been taken
persons and fundamental rights and freedoms.
Rights and duties of the Commissioner within the framework of this international law
assistance should be determined by this law.
a public body that supervises the application of that law.
Article
of the
Law
the Commissioner
as an independent
However,
the73
Draft
LawDraft
places
thedesignates
Commissioner
in charge,
in addition to supervisory activities, other activities, such as, for example,
carrying out certain regulations, keeping records, giving opinions or
authorities during the preparation of laws and other regulations based
laws, which contain provisions on the processing of personal data,
international legal assistance, etc. Therefore, the provisions of paragraph 1 of this Article
the line of the law should be amended to reflect the real role of the
nika. In this regard, these provisions should also be aligned with the provisions
Article 4, item 22 and Article 78 of the Draft Law, and thus Article 51.
paragraph 1 of the General Regulation by which it was used instead of the word "supervision"
the word "monitoring".
Paragraph 3 refers to the Law on Free Access to Information from
of public importance on the occasion, among other things, of the professional service of the Commissioner.
Bearing in mind that the persons authorized to supervise the application
of the Law on Personal Data Protection, as well as special powers
these persons cannot be the subject of the Law on Free Access to
formations of public importance, all issues related to professional
the Commissioner regarding the application of the law on data protection
persons must be the subject of this law.
The consequence of not regulating this issue is that the supervision of
of this law will not be possible, and thus the protection of personal data
in Serbia.
and at the same time envisaged restrictions in its activities. With that
the Draft of
Law
refers
to the independence
thebeCommissioner
in thisArticle
regard,74
theofprovisions
other
prescribing
laws should of
also
borne in mind

144

Page 144

Personal data protection:

conflict of interest, for example by the Law on the Agency for Combating
rupture or planned novelties in this area.
Paragraph 5. - delete.
nika. In this sense, in relation to the provisions of the Law on Free Access
Article
of the Draft
Law refers
to the conditions
for condition
the election
the
According
to75
information
of public
importance,
an additional
is of
provided
- yes
has the necessary expertise and experience in the field of data protection
about personality. This provision should be specified by prescribing criteria
juma to assess the fulfillment of this condition.
As with the content of Article 73 of the Draft Law, and for the opinion
it is necessary to keep in mind the announced changes and additions to this article
Of the Law on Free Access to Information of Public Importance and
compliance with Article 53, paragraph 1 of the General Regulation, which provides
obligation to provide a transparent procedure for the selection of persons renika.
fiancé, his deputy and all employees in the service to
Article
of the Draft
Lawofinallgeneral
provides for
thelearn
obligation
of
they keep
the76
professional
secret
the information
they
in the course
of their work
functions or jobs. Obligation to maintain secrecy, for state
employees and state employees has already been determined by the Law on Civil Servants.
to employees, which also applies to employees in the professional service
Commissioner, provided that the law explicitly requires that it be mentioned
obligation is performed in accordance with a special law, as well as to
keeping and keeping secrets, as well as measures for protection of secrets, are regulated by special ones
regulations.
Therefore, a solution that provides that all data obtained in both
the conduct of the affairs of the authorities has the status of a professional secret
it is not legally viable and should be omitted or amended accordingly
The Law on Civil Servants, especially bearing in mind that on
this general provision is subject to the penal provision referred to in Article 95, paragraph 3.
ka, ie provisions on local and actual competence of the Commissioner and
Articleapplied
77 of the
Draft
LawTherefore,
contains the
powers”
​of the
regulations
by this
body.
the“general
words "their
authority"should be replaced by the words" affairs within its competence ". Rubrum
member, which reads "General Powers" should be replaced by the name which
accurately reflects the content of this article - actual and local jurisdiction.
Paragraph 2 regulates that the Commissioner acts in accordance with the law which
regulates the administrative procedure and the law governing the inspection
supervision, unless otherwise regulated by this law. This law does not
it is necessary to regulate the supervision procedure, as well as the position of authorized persons for
supervision of the Commissioner as the application of the Law on Inspection
supervision, without these special provisions, contrary to the
the body responsible for personal data protection.

Page 145

7. Normative activities of the Commissioner

145

With regard to local jurisdiction, Article 3 should be kept in mind
regulation (territorial clause), as well as the possibility of
from the competence of the bodies on the territory of diplomatic and consular
representative offices.
duties of the Commissioner. The member's room should be adjusted to the content.
Article
78 of the
Law determines
the tasks of
The provisions
of Draft
this Article
need to be reviewed
andthe Commissioner, more precisely
provisions of the Draft Law, ie with the following remarks
fiancé, as well as with the objections of this body to individual members,
for example, Art. 55, 60, 61, 62, 65, 67, 72, 73, 79, 82. of the Draft Law.
Without a special regulation of the Commissioner as a body, in terms of
prescribed by the Draft Law, and in particular with regard to
The application of this law is not possible.
Paragraph 1, item 3 stipulates that the Commissioner gives the opinion of the
Assembly, Government, other authorities and organizations, in
in accordance with the regulation, on legal and other measures related to
protection of the rights and freedoms of natural persons in connection with processing. Not clear
is the application of which regulation is referred to by the cited provision, so it is necessary
to specify it in that sense, or the procedure of giving, ie
to regulate the opinion of the Commissioner by this law.
In accordance with the above, it is necessary to consider amending certain

daba paragraph 1. point. 10–18.
Item 19 established that the Commissioner keeps internal records of Fr.
violations of that law and measures taken in the course of inspection
ra undertaken in accordance with Article 79, paragraph 2 of the same law. However,
the content and manner of keeping records have not been determined.
Paragraph 4 provides for the possibility for the Commissioner to "request" compensation
necessary costs, or to refuse to act on the complaint, if
the lawsuit is manifestly ill-founded, excessive, or excessively repeated.
The amount of compensation for necessary expenses, or the method of determining that amount,
it is not determined at all by the Draft Law. As far as the obligation of the
of the complaint, it is necessary to clearly define this obligation in the Draft Law.
powers of the Commissioner. Some of the powers listed in paragraph 3.
of the Draft
Law
inspection
and other
of thisArticle
Article79
coincide
in whole
orrefers
in parttowith
the
fiancé from Article 78. This, for example, refers to: authorization
from item 1, which corresponds to the job from Article 78, paragraph 1, item 11; authorized
the decision referred to in item 2, which corresponds to the job referred to in Article 78, paragraph 1, item 12;
the authorization referred to in item 5, which partially corresponds to the work referred to in Article 78.
paragraph 1. item 14. etc.
The ratio of this repetition is unclear , and the explanation given with Art. 78. i
79. The draft law does not correspond to the content of these articles, which
the line of the law makes it confusing and inapplicable. This applies independently

146

Page 146

Personal data protection:

from the fact that Art. 78 and 79 of the Draft Law, conceived in the image of
Art. 57 and 58 of the General Regulation.
Paragraph 1, item 9 prescribes the authority of the Commissioner to pronounce
a fine on the basis of a misdemeanor warrant if, during
of the inspection, it was determined that a violation had occurred. Having in
in view of the provision of Art. 168–170. Of the Law on Misdemeanors, which refer to
conditions and manner of issuing a misdemeanor order, as well as the content of
violation order, it is clear that without arranging the professional service of the Commissioner
and persons authorized to perform supervision, application of penal provisions
not possible.
The provision of paragraph 3 of the same article stipulates that the supervision
the powers of the Commissioner prescribed by that Article shall be exercised by the court, in
in accordance with that law. However, the jurisdiction of the court is provided
provisions of the Draft Law only as a legal remedy
natural person in connection with the processing of personal data
bear to that person or the interests of the controller or processor in accordance with
Article 83 of the Draft Law, and not to the procedure of supervision over the execution
powers of the Commissioner.
on forehead.
Article 80 of the Draft Law - see opinion on the Draft Law in
defining it as a legal remedy that can be used by a person who
Article
the Draft Law
considers
that82theofprocessing
of hisregulates
personal the
dataright
wasto complain to the Commissioner,
but the provisions of this law, in accordance with the law governing
spectral control. In this regard, see the opinion on the Draft Law
in principle.
He has the right to complain provided for in this draft law
a completely different legal nature from the right to file
complaints about the work of officials prescribed by Article 52 of the Law on
specimen supervision, and could not relate to the protection of rights
persons regarding the processing of data by the controller or processor,
and it needs to be specifically regulated by this draft law.
From the General Regulation, as well as Art. 78 and 79 of the Draft Law it is clear that
regulates in particular the procedure for the protection of the rights of data subjects.
which he considers to have been violated by one of his rights
regulated by this act, before the Commissioner and the procedure of protection of
this action of operators and processors, regardless of the rights of
nachnog person.
Therefore, the protection of a person’s rights would be governed by the
of the Law on General Administrative Procedure, and not the rules of the Law on Inspection.
supervision.
Thus, the right to a “complaint” would be exercised according to
administrative procedure, provided that the draft law should prescribe,

147

7. Normative activities of the Commissioner

147

among other things, deadlines for submitting requests to initiate proceedings
Commissioner, as well as statutes of limitations.
disputes, to be supplemented by paragraph 3, which reads:
Article
offinal
the Draft
Law
in accordance
with
the and
Lawthe
oncompetent
"Against83the
decision
of is
therequired,
administrative
court, the
party
the public prosecutor may submit a request to the Supreme Court of Cassation for
review of the court decision. "
the rights the exercise of which is governed by this draft, and in this
Article
84 of the
the possibility
Draft Lawofprovides
judicialand
protection
paragraph
1 opens
parallel for
protection
legal of an individual
security. In this regard, see the opinion on the Draft Law in principle.
When there is the same factual and legal situation of two or two bodies
organizational units of the same body may not bring different ones
decisions, because it undermines legal certainty. The Republic of Serbia is already
convicted before the European Court of Human Rights for this and
tila significant damages and costs.
The situation is not identical, but the analogy is more than obvious.
For the reasoning of the Court, see the Vinčić case and the mockery of the
44725/06, 49388/06, 50034/06, 694/07, 757/07, 758/07, 3326/07,
s3330/07,
avki ro iv
Srbije (Petitions
Nos. 44698/06,
44700/06,
5062/07,
8130/07, 9143/07,
9262/07,
9986/07,44722/06,
11197/07,
11711/07, 13995/07, 14022/07, 20378/07, 20379/07, 20380/07,
20515/07, 23971/07, 50608/07, 50617/07, 4022/08, 4021/08, 29758/07
and 45249/07 of 1 December 2009).
The adopters of the General Regulation themselves have considered
not the possibility that there are different decisions on the same thing, in particular
bearing in mind that a person whose rights have been violated may lodge a complaint
different supervisory authorities in different Member States
cama, and paragraph 144 of the Preamble is related to that.
In this regard, the provision should be deleted, which of course does not affect
exercising the right of persons to adequate judicial protection against
processor or processor prescribed by Article 79 of the General Regulation, and in part
contained in Article 86 of the Draft Law.
In this regard, the words "in accordance with the law" should be added. U
Article
of the Draft
Law regulates
the representation
of persons
to whom
regarding
the 85
possibility
of representing
persons
in court proceedings,
should
have
in the form of Article 85, paragraph 2 of the Law on Civil Procedure, which reads:
a powerful person of a natural person can be a lawyer, a blood relative in the
niji, brother, sister or spouse, as well as a representative of the legal service
to assist a local government unit that is a law graduate
with passed bar exam.
Regarding the "complaint" procedure, see the opinion on the Draft
of the law in principle, as well as to the article. 82. according to Article 47, paragraph 3 of the Law on

148

Page 148

Personal data protection:

the general administrative procedure stipulates that a proxy may be
anyone with full legal capacity, except for persons engaged in
dripisarstvo. The body shall deny this person representation by a decision
tiv when an appeal is allowed which does not delay the execution of the decision and o
it informs the party. Therefore, there is no obstacle to being a representative
some organizations, as long as it is not a criminal offense of overwriting
referred to in Article 342 of the Criminal Code.
penalties, and not, as regulated by Article 83 of the General Regulation, general conditions
Article 87
of the Draftmeasures.
Law regulates
conditions
for imposing
for imposing
administrative
In thisthe
regard,
see opinions
on thefines
Draft
of law in principle. It is necessary to adequately regulate the procedure and
the ability of the body to determine administrative measures, in order to ensure
compliance with the obligations prescribed by law. At the same time,
the provisions of Article 78 of the Draft Law regarding the competence of the
nika. Article 90 of the Draft Law should be supplemented with paragraph 2, which reads:
Processing the unique personal identification number of citizens in a way that is done
publicly available on the internet is prohibited.
In this connection, Article 95, paragraph 1, should be amended.
authorities may also process it in order to raise funds for
94 of the Draft Law allows the data processed by the
nitaryArticle
purposes.
In order for the provision to be applicable, it is necessary
volume of the law to determine the meaning of the term "humanitarian purposes".
in connection with the previous comments the provisions should be supplemented to the following
Article 95 of the Draft Law determines fines for misdemeanors and in
the way.
Paragraph 1 after item 31) shall be supplemented with a new item 32) which reads:
"Make the unique personal identification number of the citizen publicly available at
Internet (Article 46, paragraph 2); "
The existing point 32) becomes point 33).
steps initiated under the applicable law on personal data protection.
Article"data
97 ofpresentation
the Draft Law
refers to need
the application
of the
The words:
procedures"
to be replaced
bylaw on
"Procedures for applications for a license to
data ”.
Add paragraph 2, which reads:
“Preliminary inspection procedures are initiated under the Law on
personal data which until the day of entry into force of this law are not
the terminated ones are suspended. "
necessary to reformulate, and all the provisions contained in the Draft Law
Article 99 of the Draft Law refers to bylaws that are

Page 149

7. Normative activities of the Commissioner

149

which should prescribe by-laws should be considered,
measure for the sake of Art. 52, 53 and 55.
daba other laws relating to the processing of personal data with
Article
Draft
Law setsfor
outfulfillment
the obligation
to obligation.
harmonize certain
provisions
of 100
this of
lawthe
and
the deadline
of that
The obligation of the Ministry of Justice (as the body that is
competent for the preparation of regulations on personal data protection) to
takes care of the execution of the prescribed obligation, and thus harmonizes with the member
2 paragraph 2 of the Draft Law.
At the same time, it is necessary to prescribe the consequence of non-compliance
provisions of other laws.
This provision should be amended to include, in addition to the law,
tila and special rules of the church and religious communities.
tak application of the law from the date of entry into force, which is, bearing in mind
Article
of the
prescribes aofperiod
of six are
months
deadlines
for 102
bylaws,
as Draft
well asLaw
the complexity
the matter,
short.for
The Commissioner proposes that after Article 94 of the Draft Law be added
new art. 95–101. which reads:

"Video surveillance
General obligations
Articledata
95 via
A data controller who processes personal
video surveillance in accordance with this law, is obliged to point out publicly
notice to perform video surveillance.
The notification referred to in paragraph 1 of this Article must be prominently displayed.
place, in a way that allows persons to engage in video
-monitors meet before the start of video surveillance, and at the latest in
the moment the video surveillance starts.
The notification referred to in paragraph 1 of this Article must contain the following
data:
1) textual notification that video surveillance is in progress and art,
that is, a graphic symbol of video surveillance;
2) the name of the operator who performs video surveillance; i
3) contact details in order to obtain information regarding the
home which is done through video surveillance.
The video surveillance system must be protected from unauthorized access.
puppies.

150

Page 150

Personal data protection:

Video surveillance access to official
and business premises
Article 96
The data controller can perform processing
via video surveillance
personal data on access to official or business premises
words and premises (hereinafter: business premises), if any
necessary for the security of persons and property, entry or exit control
from the business premises or, if due to the nature of the business, there is a possible
risk to employees and other users of that space.
The data controller makes the decision to introduce video surveillance from
paragraph 1 of this Article, which must be in writing and must contain
reasons for introducing video surveillance, unless the introduction of video surveillance
not prescribed by a special law.
If the office space is located in a residential building, then
video surveillance is not allowed to record internal
residential buildings that are not connected to the entrance to the
stor, nor entrance to private apartments.
Access to the video surveillance system footage from the paragraph is prohibited
1. of this Article through internal cable television, public cable
television or other means of electronic communications
however, such recordings may be transmitted, either at the time of their creation
or thereafter. Video surveillance in the business premises

Article
97
The data controller may perform video
surveillance
in the business
if necessary to protect the safety of persons or property
no or classified information and trade secrets.
Video surveillance in business premises is not allowed in changing rooms
and sanitary facilities.
The data controller is obliged to do so before making a decision on the introduction
video surveillance referred to in paragraph 1 of this Article, consider other
can achieve the same purpose, and which are less invasive by private
employees and other persons.
The decision on the introduction of video surveillance referred to in paragraph 1 of this Article, if
the introduction of video surveillance is not prescribed by law, the operator reports
data.
The decision must be in writing and must contain the reasons for
its introduction, in particular:

Page 151

7. Normative activities of the Commissioner

151

1) A description of the measures previously considered with a view to compliance
same purposes;
2) Explanation why the measures referred to in item 1 of this paragraph are
you know as inadequate or insufficient and why they are business
space and work processes subject to video surveillance.
The data controller is obliged to do so before making a decision on the introduction
video surveillance referred to in paragraph 4 of this Article, inform the
dikat at the operator.
The data controller is obliged that the person working in the business premises
ru inform about the introduction of video surveillance in writing before the start
performing video surveillance, in accordance with Article 95, paragraph. 1. of this law.
The data controller is obliged to provide proof of fulfillment of the obligation
va 5. of this article is kept in its documentation.
The provisions of para. 6, 7 and 8 of this Article shall not apply to business
service of state bodies responsible for defense affairs, national
national and public security and protection of classified information.
Data controller performing video surveillance in the business premises
ru, may by video surveillance cover a public space that is in
in the immediate vicinity of that business premises, only if it is necessary from
the reasons stated in paragraph 1 of this Article.

Video surveillance records
On video surveillance referred to inArticle
Article98
96, paragraph 1 and Article 97, paragraph 1 of this
the law, regardless of whether video surveillance is prescribed by law or not
introduced on the basis of the decision of the data controller, records are kept on
manner prescribed by Article. 47. st. 1. of this law.
Personal data from the records referred to in paragraph 1 of this Article shall be kept
proportionate to the purpose, and for a maximum of one year from the date of inception.

Video surveillance in residential buildings
Article 99
In residential buildings, video surveillance
of entrances can be performed
exits from the building as well as common parts of the building in a way that does not
performs video surveillance of entrances and exits from private apartments.
A decision is needed to introduce video surveillance in a residential building
assembly of the housing community, which must be in writing and must
contain the reasons for the introduction of video surveillance, as well as the manner of
part of surveillance, if the introduction of video surveillance is not prescribed by law.

152

Page 152

Personal data protection:

The decision referred to in paragraph 2 of this Article shall be made if the members
new housing community assemblies, and at least 60% of all owners
apartments or other special parts of the building.
Access to the video surveillance system referred to in paragraph 1 of this Article is prohibited
via internal cable television, public cable television, internet or other means of electronic communications by which such
recordings can be transmitted, either at the time of their creation or thereafter.

Video surveillance of private apartments and houses
Articlethat
100perform video surveillance
Owners of private apartments or houses
entrance to an apartment or house in order to protect their own safety and property
no, for these reasons, I can cover public space by video surveillance
which is in the immediate vicinity of that apartment or house.
Video surveillance referred to in paragraph 1 of this Article may not be installed
so that it records the entrance and exit, that is, the outside or the inside
other apartments and houses.
Owners of private apartments or houses referred to in paragraph 1 of this Article
They are obliged to display the information in a visible place at the entrance to the apartment or house.
in accordance with Article 95 para. 2 and 3 of this law.
The provisions of paragraphs 1, 2 and 3 of this Article shall also apply to private tenants.
apartments and houses or persons who use it on another legal basis
private apartments and houses they do not own.

Video surveillance of public areas
Article
101
Introduction and performance of video
surveillance
of public areas
in the public interest it is regulated by law.
The law determines the purpose of data processing, the controller and the manner
informing persons residing in a public area, the manner of
and retention period. "
The existing art. 95–102. Draft laws become Art. 102–109.
In Article 95 of the Draft Law (which becomes Article 102) it is necessary to
make an amendment in accordance with the objection to Article 95 of the Draft Law and
after point 32) which becomes a new point 33) add new points. 34) - 40)
which read:
34) “does not point out the notification that video surveillance is performed and does not
you video surveillance system from unauthorized access, on the contrary
Article 95 of this Law;

Page 153

7. Normative activities of the Commissioner

153

35) processes personal data by performing video surveillance
enters the business premises and office space, contrary to Article 96.
of this law;
36) processes personal data by performing video surveillance in
letter space, contrary to Article 97 of this Law;
37) processes personal data by performing video surveillance in
buildings, contrary to Article 98 of this Law;
38) process personal data by performing video surveillance of private
apartments and houses, contrary to Article 99 of this Law;
39) keeps data after the expiration of the term contrary to Article 100 of this Law;
40) processes personal data by performing public video surveillance
area, contrary to Article 101 of this Law. "
Finally, it is necessary to perform legal-technical editing of the text
Draft Law, as well as Explanations.
B ROJ: 073-12-1090 / 2018-02 7. 8. AT 2018.

154

Page 154

Personal data protection:

7.2. OPINION ON THE DRAFT LAW ON CENTRAL
POPULATION REGISTER
I Z OPINIONS P OVERENIKA:
Establishment of a single population database, as
which is provided by this draft law, potentially introduces into our
legal system the most massive and most extensive centralized processing
personal data performed by a government body in the Republic of Serbia. Taquality, in itself, and especially having in mind the
electronic) way of processing, poses a serious risk to the rights of everyone
persons whose data will be processed within the system of the Central
population gistra. From the above, it logically follows that editing
Central Population Register matter of particular interest
public, and it was necessary to be in the process of preparing this law
ensure appropriate public participation and pay due attention
all aspects of the processing of personal data which must be
women by law.
In this context, the Commissioner is forced to note that the Miniold age, although it was obliged to, in accordance with Article 77, paragraph 3 of the Law
on public administration, publish a source document containing a
problems in the relevant field and their causes, objectives and expectations
effects of law-making, as well as the basic principles for
relations in that area, including the rights and obligations of the subjects
to which the law applies (starting points), it did not do so.
In addition, judging by the content of the Report on
public hearing published on its Internet preonly formally conducted a public hearing, announcing the public
nor the invitation to participate in the public debate and the text of the Draft Law only
on his website and holding a round table floor
entitled “Presentation of the Draft Law on the Central Register of
innovation ”.
Lack of starting points and public debate to provide
effective public participation in the process of preparation of the Draft Law,
In the opinion of the Commissioner, it is significantly reflected in the text submitted
acts and individual solutions that that act (does not) contain, and in which they are reflected
lack of a well-thought-out concept of establishment and functioning
Central Population Register, although the Commissioner, at a meeting
with representatives of the Ministry, pointed out aspects of processing
personal data that must be regulated by law, as well as
the ability to review the working versions at the time.

Page 155

7. Normative activities of the Commissioner

155

In the first place, in order to determine the subject of the law in a clear and
transparent way, it is necessary that the introductory part of the Draft Law
definitions of “population” and “Central Register of
news ”, which will explain their meaning in that law.
Then, the provisions of Art. 3 and 4 of the Draft Law, which refer to the purpose
the establishment and purpose of the Central Registry need to be
you and correct taking into account that: 1. the words "purpose" and "purpose"
represent synonyms; 2. the purpose of processing personal data within
Central Population Register, ie. public interest intended to
to be achieved by establishing that register, the draft law must be
specifically defined, explicit and justified, and the formulations precise and
which is why the tasks listed in Article 4, indent 3 of the Draft Law
it is necessary to re-examine and concretize. We also point this out
that, according to Article 3 of the Draft Law, the "purpose" of establishing the Central
register the existence of a single, centralized and reliable state
database, which allows the competent authorities and organizations
and legal and natural persons entrusted with public authority
that the data necessary for the performance of tasks within its competence
egg from the Central Registry and to be based on data from the Central
registry provide reliable data in databases provided by the competent
authorities keep on the basis of other regulations, as the original official recordciju. However, how is the data to be contained in the Central Registry
taken from the original official records, it is unclear in what way
the Ministry will ensure the accuracy, timeliness and reliability of the data
in the Central Register. The only mechanism provided in this regard
The Draft Law is partially regulated by Article 7, paragraph 3 of the Draft Law.
on, which stipulates that the Ministry, at the suggestion of the person to whom
the data from the Central Registry relate, or the receiving authority which
in performing tasks within its competence, it notices discrepancies in the data
from the Central Registry, notify the source authority for undertaking
measures to verify the accuracy of the data and the possible implementation of
ka for his change. The Ministry, therefore, has no responsibility
for the accuracy, timeliness and reliability of the data contained in the Central
register, it is already left to the eventual “disagreement in the data
"indicates the person to whom the data relate and the receiving authority, to whom
they were given the right to submit a "proposal" to the Ministry. Moreover, the rules
acting on the “proposal” of the person, or the receiving authority, are not
the Draft Law, nor does it provide for the responsibility of the receiving
for not submitting a "proposal", which is practically a burden of security
accurate data in official records, including Central
population register, transferred to an individual - a natural person to whom
these data refer to, without at the same time prescribing the obligation to act according to
"Proposal", nor the procedure for exercising the right.

156

Page 156

Personal data protection:

At the same time, in a situation when the individual has no knowledge of inaccuracies /
inaccuracy of data, which can occur due to lack of access
Central Registry, as well as due to the lack of motivation for
submission of the “proposal” to the Ministry, the Central Registry remains
as an inaccurate, out-of-date and unreliable collection of personal data as
which are the original records from which this data was taken. Draft forthe law does not provide any guarantee that the centralization of official
records lead to the accuracy and timeliness of data. In addition, legal
basis for the exchange of data from official records which, in accordance with
separate laws are governed by the competent authorities, as well as technical issues and
exchanges, are already regulated by the Law on General Administrative Procedure and the
on e-government, so the question of justification
the establishment of the Central Population Register in a manner
and under the conditions provided by the Draft Law. It is precisely this statementwhose reason is more why the starting points were necessary, in order to
was the clear purpose of such an extensive base.
The provision of Article 8 of the Draft Law stipulates that the
de “performs technical support activities in the establishment and management of
central register, tasks related to storage, implementation of measures
protection and security of data and security in the Cencentral register, as well as other activities determined by law ”. From the above
It follows that the Ministry is the controller (Article 6 of the Draft Law
na), and the Government Office a data processor. However, the Protection Act
personal data, it is prescribed that the data processor is physical
or a legal entity, ie an authority, which on the basis of law or
contract with the operator performs certain tasks related to processing.
As the Government Service does not have the status of a legal entity, nor is it an authority,
that service cannot be a processor of personal data, so it is in that
in the sense of Article 8 of the Draft Law needs to be corrected. In this regard, dethe fines of the processor has not been amended by the new Law on Data Protection.
such a person ("Official Gazette of RS", No. 87/18) whose application
postponed for nine months from the entry into force of this law.
Also, the provision of Article 9 of the Draft Law stipulates that
personal data kept in the Central Register shall be used in accordance with
du with the law. Such an indeterminate formulation in terms of use
data is not acceptable, but is needed by the draft law to clear
and an unambiguous way to regulate the use of data from Central
register or refer to the application of the law governing the matter.
Furthermore, by the provision of Article 10 of the Draft Law,
11 original records and data on physical
which will be taken from these records to the Central Registry,
while Article 11 of the Draft Law specifies which data on
these persons contain the Central Register. Although the data would be enumerated

Page 157

7. Normative activities of the Commissioner

157

in Art. 10th and 11th bills had to be correlated, they didn’t.
Namely, Article 10 of the Draft Law envisages the takeover of several
category of personal data than will, according to Article 11 of the Draft
of the law, be contained in the Central Register. Not even the text of the Draft
of the law, nor the explanation given with the provisions of Art. 10 and 11 of the Draft
laws do not contain an explanation of such a solution, so we emphasize that
these provisions need to be reviewed and corrected.
Also, Article 10, paragraph 5 of the Draft Law stipulates that it is closer
the manner of establishing and maintaining the Central Registry, taking over and
data exchange, access, protection and use of data
ka in the Central Register, as well as other issues of importance for management
The Central Registry is regulated in more detail by the Government. As the provision of Article 42.
The Constitution stipulates that the processing of personal data is regulated by law,
the said provision needs to be clarified so that it is clear from it
that the Government regulates technical issues in more detail by a sub-legal act
with the maintenance of the Central Registry.
Furthermore, the provision of Article 12, item 4) of the Draft Law needs to be
nor, so that the log records, other than the data referred to in point 4),
it must also contain the legal basis for joining a certain group
data.
It is also necessary to amend Article 14 of the Draft Law and regulate it
a complete decision-making process that allows the authorities to
access to data from the Central Registry, as well as legal remedies
which may be used by a body deemed to meet the
pillar, but he is denied it.
The provision of Article 15 of the Draft Law stipulates that the right to insight
in the data of the Central Register there is a natural person to whom the data are transferred
relations, "in accordance with the law." From the above formulation it is not clear on
the application of which law is referred to, and in that sense the provision is stated
need to be supplemented. It should also be borne in mind that, in accordance with
of the Law on Personal Data Protection, the person to whom the data are transferred
relations has certain rights in relation to the processing of personal data
(right to notice, insight and copy of data), as well as rights on the occasion
performed insight into the data (right to correction, supplementation, updating,
deletion, interruption and temporary suspension of data processing).
Paragraph 3 of the same article stipulates that for the purposes of use
for statistical, scientific and research purposes within the Central
gistra forms a special database, with anonymized data. Listed
the provision needs to be amended in such a way as to be determined
who and in what way anonymizes the data, which data the special contains
anonymized database and more.
In addition, the provision of Article 16 of the Draft Law stipulates that
data in the Central Register are kept permanently, with the exception of data,

158

Page 158

Personal data protection:

among other things, about deceased persons who have been kept for 10 years.
Bearing in mind that the Central Registry is a collection of data on
to natural persons, and given the notorious fact that everyone will
a natural person will die at some point, and that information about that person will be
kept for 10 years, it is unclear for which data a permanent
vanje. It remains unclear what is the moment / event from which
heard a period of 10 years, as long as the data on deceased persons are kept. This one
The provision also requires a definition of the population to which
correctly indicated.
Finally, we point to the provision of Article 18 of the Draft Law, which
it is envisaged that the Central Registry will be located in the State Center
for data management and storage, which provides physical protection
data in accordance with the law governing the field of electronic
administration, electronic identification and information security,
since the legal status and other issues of importance for the work of the State
centers are not regulated at all, which the Commissioner pointed out to the
and when giving an opinion on the Draft Law on Electronic
administration, Article 18 of the Draft Law is unacceptable from the
security of personal data.
The draft law, although providing for certain obligations for the Ministry,
as well as for receiving bodies and authorized persons of the body, does not contain
no provisions that would sanction non-performance of those obligations and
violation of the provisions of the law.
B ROJ: 073-11-1697 / 2018-02 from 20 11 2018

Page 159

7. Normative activities of the Commissioner

159

7.3. LETTER FROM THE COMMISSIONER TO THE NATIONAL ASSEMBLY
OF THE REPUBLIC OF SERBIA ON THE OCCASION OF THE BILL
ON THE CENTRAL REGISTER OF OBLIGATORY
SOCIAL SECURITY
Commissioner for Information of Public Importance and Data Protection
about the person, by inspecting the section “laws in procedure” at the official
internet presentation of the National Assembly of the Republic of Serbia,
that the Government of the Republic of Serbia has determined the text of the Draft Law
on the Central Register of Compulsory Social Insurance and submitted
to the National Assembly for adoption.
The established Bill envisages extensive data processing on
personal data, including particularly sensitive data referred to in Article 16.
Law on Personal Data Protection (data on national
language and language), but the proposer of that act is not in the process of preparation
Draft Law, in accordance with the Rules of Procedure of the Government, obtained an opinion
Commissioner.
As this body is not enabled to timely, with respect to
what its competencies, declare on the subject text of the Proposal
Law, finding it necessary to point out that the Draft Law
holds certain decisions that are in conflict with the Constitution and the Law on
protection of personal data, the Commissioner points out the following.
Article 42 of the Constitution of the Republic of Serbia guarantees the protection of personal data.
. Paragraph 2 of the same article stipulates that the collection, holding,
processing and use of personal data is regulated by law. Therefore, weThe minimum issues that must be regulated by law are: the purpose of processing
personal data, types of personal data, manner of use
personal data and retention periods. By-law
only technical issues related to processing operations can be edited
data. Also, when preparing a law that may affect
tea on the protection of personal data and the protection of the rights of persons in connection with
processing of personal data should be borne in mind prescribed by law
conditions for the permissibility of personal data processing. Namely, in accordance
provisions of Article 8 of the Law on Personal Data Protection, may be
process only data whose processing is allowed and which is necessary,
suitable and proportionate processing purposes.
In that sense, it is necessary to correct certain articles of the Proposal
law, in order to be harmonized with the Law on Personal Data Protection.
First of all, how is the processing of personal data performed by the authorities
authorities within its competence may be established only by law,
it is necessary to prescribe by law the content of all records / registers
ra / reports whose management is envisaged by the Bill, and which

160

Page 160

Personal data protection:

they also contain personal data. The solution envisaged by
that the content of these records / registers / reports be regulated
legal acts, as provided, for example, provisions
Article 12, paragraph 5 of the Draft Law (content of the single application),
Article 20, paragraph 3 of the Draft Law (content and manner of
taka) etc.
We especially point out the provision of Article 26 of the Draft Law, which
prescribe the types of data contained in the Register of Employees,

them, appointed, appointed and engaged persons with the user
public funds (Article 26, paragraph 1 of the Draft Law), which
seen processing as many as 92 different data, of which more than 80 data
about personality.
In accordance with the above, the purpose of establishing
of the Register of Employees, Elected, Appointed, Appointed and
engaged persons with users of public funds referred to in Article 26, paragraph
1. Bill, and thereafter, in accordance with the principles of restriction
processing in relation to the purpose of processing and the principle of proportionality
Thus, determine what types of personal data are necessary in order to
achieved the specific purpose of processing and in the Draft Law exhaustively
list only those types of personality data.
In particular, it should be borne in mind that the data referred to in Article 26, paragraph 1, item
90–92. The draft laws represent particularly sensitive data on
personality (nationality, language in which the basic
or secondary school) for which stricter conditions are
working. Thus, the provisions of Article 16, paragraph 1 of the Law on Data Protection on
It has been established that, among others, data on national affiliation
and language may be processed only with the consent of the person, except when
the law does not allow processing even with consent. Contents of consent
and the manner of obtaining consent for the processing of personal data
The provisions of Art. 10 and 15 of the Law on Personal Data Protection
sti. In that sense, the word "optional" in the wording of Article 26, paragraph 1, item
90–92. The draft law, as well as the wording from paragraph 2 of the same article, in
which provides that the data referred to in Article 26, paragraph 1, item 90–92. Beforethe laws are processed “in accordance with the law governing protection
personal data ”are not acceptable, as data on
national affiliation and language can be processed only with a valid
the consent of the data subject. Otherwise, the processing of these
data is prohibited, in terms of Article 8 of the Law on Data Protection
about personality. It follows from the above that the data on national
and the language of the employees, elected, appointed, appointed and
engaged persons with users of public funds had to, in particular
in this case, to process on the basis of the written consent of the person to whom it is
data relates, given after being informed by the data controller

Page 161

7. Normative activities of the Commissioner

161

on all relevant aspects of processing set forth in Article 15 of the Law
on the protection of personal data, which the controller must be able to
to present in each specific case. Due to the fact that
consent, in order to be a valid legal basis for the processing of this data,
must be free, ie that the data subject has the
the ability to refuse consent, as well as to revoke it, whereby it cannot
bear no harmful consequences, the question arises as to the
de these data and calls into question the unity of the Registry, because these would
data processed only for persons who have given their consent to such
processing, until eventual revocation of consent.
Bearing in mind that the Draft Law on the Central Register of Social
insurance, if adopted without the necessary corrections, from
of the above reasons may have a significant risk of
protection of the right to protection of personal data and protection of the rights of persons in
in connection with the processing of personal data, the protection of which is within the scope of this
bodies, we ask the National Assembly to take measures within its
him in order to the text of the Bill on the Central Register of Social
insurance harmonized with the Law on Personal Data Protection.
B ROJ: 073-12-1545 / 2018- 02 of 10. 10. 2018

162

Page 162

Personal data protection:

7.4. PROPOSAL FOR ASSESSMENT OF THE CONSTITUTIONALITY OF THE LAW
ABOUT THE SECURITY INFORMATION AGENCY

Commissioner for Information of Public Importance and Data Protection
on personality submitted to the Constitutional Court of the Republic of Serbia
constitutionality, inter alia, of Article 20c paragraph 2 in the part that reads:
"With the prior written consent of the person, given" and "on a form
the director of the Agency "and paragraph 5 in the part which reads:" and they use only in
the purpose for which they were collected ", 7 of the Law on Security-Information
Agency ("Official Gazette of RS", No. 42/02, 111/09, 65/14 - US, 66/14
o 36/18). 8
AND ON THE EXPLANATION OF THE COMMISSIONER:
Article 42 of the Constitution of the Republic of Serbia guarantees the protection of
as a person. Collection, holding, processing and use of data
about the person are regulated by law. Paragraph 4 of the same article stipulates that
everyone has the right to be informed about the collected data about their own
persons, in accordance with the law, and the right to judicial protection because of them
abuse.
By the decision of the Constitutional Court of Serbia from the session of May 30, 2012,
published in the “Official Gazette of the RS”, No. 68/12 of 18 July 2012,
it was argued that bylaws could not be a valid legal basis for
personal data processing. Citing the provisions of Article 3, Article 18.
st. 1 and 2, Article 42 and Article 97, item 11, the Court stated that “in the opinion of the Court,
it follows that only the law can regulate the collection, holding, processing
and the use of data. "
7 Article 20c paragraphs 2 and 5 of the Law on Security and Information Agency reads:

Security checking can be performed only with the consent of the
snos lica, a u u em o unjavanja i o isivanja u i nika o i en ification o acima, on a form valid by the irek or Agency.
After a while, people who are safe and safe are recorded and guarded
š i e in accordance with the law governing the ajnos o a aka and the law koit regulates the protection of the person, and is used only for the purpose for which
8 He is a Commissioner, from the aspect of his competence in the field of free access
are roaring.
information, in this proposal he also asked for an assessment of the constitutionality of the provisions of the article
7. paragraph 4 and Article 15g paragraph 1 in the part that reads: “and the designation of the degree of secrecy, in
in accordance with the provisions of the law governing the confidentiality of data ", para. 2 and 3 of the Law
on the Security Information Agency, but that part was not published in this one
publication as it relates only to the protection of personal data.

Page 163

7. Normative activities of the Commissioner

163

It follows from the above that it is clear that the processing of personal data does not
may be regulated by an act of the head of a body,
bearing in mind that the application of Article 20c of the Law on Security
agency presupposes the processing of particularly sensitive data.
such as data on health, sex life or
convictions of persons, as well as that it is not an individual act of the director
Agencies whose adoption would, as a measure guaranteed by the constitution
law, had to be preceded by a decision relating to
protection of the right to privacy as a restricted right, importance
the purpose of the restriction, the nature and extent of the restriction, the relationship of the restriction
with the purpose of restriction and whether there is a way to
nullity is achieved by a minor restriction of rights, in accordance with Article 20.
paragraph 3 of the Constitution.
Paragraph 2 of the same article of the Law in the part referring to the previous
the number of persons wishing to enter into an employment relationship or to continue
home in the Security-Information Agency for security check,
is not in accordance with Article 42, paragraph 4 of the Constitution, given that
sne checks presuppose the processing of personal data and others
persons, and not only the one who wants to have an employment relationship with the body.
From the point of view of the basic principles of personal data protection,
as well as generally accepted rules of international law, in the case of
security checks of a person, as a procedure prescribed by law,
personal data processing cannot be based on the previous one
consent of that person as giving consent would be fictitious
no. In order for consent as the consent of the person to be the basis for
Due to personal data, it must have certain attributes, which in between
the rest means that it must be free, ie given voluntarily
and unequivocally, on the basis of prior information on the
de and the scope and type of data to be processed. In particular
In this case, the consent of the person can only refer to the establishment of a working class
relationship, and for which the law prescribes the processing of personal data, a
not to consent to the processing of personal data. This is because
that data cannot be an end in itself but is the processing of data on
personality is a necessary condition for establishing such a relationship.
As the above provision prescribes that without the consent of the person
the establishment of an employment relationship is not possible at all
will, it is a conditional consent to the processing of personal data,
and what is actually contradictio in adjecto .
In this regard, the processing of personal data is necessary for someone
a person could establish an employment relationship in the Security-Information
agency or continue to work in it can be regulated only by law,
and the person whose data are processed for this purpose has the right to, as is
guaranteed by Article 42, paragraph 4 of the Constitution, shall be notified of the collected

164

Page 164

Personal data protection:

information about his personality, in accordance with the law, as well as the right to court
protection due to their abuse.
Article 20c paragraph 5 of the Law on Security-Information Agencyrestricts the further processing of personal data outside the
nasal checks of a person who wants to establish an employment relationship or yes
continue working in the Security Information Agency, on the contrary
explicit provision of Article 42, paragraph 3 of the Constitution, according to which the change
purposes possible for the purposes of conducting criminal proceedings or protecting
security of the Republic of Serbia. The provision of the Constitution in question determines
is that the law prescribes only the manner of such use of data, and not
and the possibility of limiting it.
B ROJ: 073-17-924 / 2018-02 OF 14. 6. 2018

Page 165

7. Normative activities of the Commissioner

165

7.5. PROPOSAL FOR ASSESSMENT OF THE CONSTITUTIONALITY OF THE LAW
ABOUT THE NATIONAL DNA REGISTER

Commissioner for Information of Public Importance and Data Protection o
submitted a proposal to the Constitutional Court of Serbia for a review of constitutionality
Article 10, paragraph 3 of the Law on the National DNA Registry and proposed that
The Constitutional Court of the Republic of Serbia, following the conducted procedure,
and determine that Article 10, paragraph 3 of the Law on the National DNA Registry
it is not in accordance with the Constitution. He also suggested that the Constitutional Court
the public of Serbia, in accordance with its powers under Article 105 of the Law
on the Constitutional Court to give an opinion and indicate to the National Assembly of the Republic
Serbia on the need to adopt a new law on national DNA reor the need to amend the Law on National DNA
history, in accordance with domestic and international standards in the field
protection and processing of data in the DNA registry, and primarily in accordance with
case law of the European Court of Human Rights.
I The Rationale P OVERENIKA:
Data that can be obtained by analysis of biological material,
including DNA profiles, are data that should be treated as
particularly sensitive personal data, because they are unique and
variable, and thus health data can be obtained
condition and ethnic origin of the person. Regulation (EU) 2016/679 of 27 April
2016. on the protection of persons in connection with the processing of personal data and o
free movement of such data and the repeal of the
Directive 95/46 / EC of 24 October 1995 (General Regulation on data protection
personality), it is prescribed, inter alia, that genetic data are
extremely sensitive personality data generated by biological analysis
sample. Given the huge amount of personal data that can be
obtain and detect by analysis of biological material, and which are very
sensitive (ethnic origin, health status), it is clear why
operation of this data must be in accordance with the highest standards
protection of personal data, both domestic and international,
and in particular in accordance with the case law of the European Court of Human Rights,
bearing in mind that Serbia is a signatory to the European Convention on Protection
human rights and fundamental freedoms, which consequently means to practice
European Court of Human Rights, in accordance with Article 16, paragraph 2 of the Constitution
Of the Republic of Serbia is part of the legal order of the
is and is directly applicable.

166

Page 166

Personal data protection:

The provisions of Article 18 of the Constitution of the Republic of Serbia guarantee: 1) yes
human and minority rights guaranteed by the Constitution are directly
Yikes; 2) The Constitution guarantees it, and as such, human rights are directly applied
and minority rights guaranteed by generally accepted rules of
gender law, ratified international treaties and laws. Forthe law may prescribe the manner of exercising these rights only if it is
this is expressly provided for in the Constitution or, if necessary for
resolution of a particular right due to its nature, whereby the law in no
the case must not affect the substance of the guaranteed right; 3) provisions on
human and minority rights are interpreted in favor of
democratic society, in accordance with the applicable international
human and minority rights standards, as well as the practice of international
institutions that oversee their implementation.
The provisions of Article 20 of the Constitution of the Republic of Serbia guarantee that: 1)
human and minority rights guaranteed by the Constitution may be
if the restriction is permitted by the Constitution, for the purposes for which the Constitution
releases, to the extent necessary to satisfy the constitutional purpose of the restriction
in a democratic society and without interfering with the essence of the guaranteed right;
2) the achieved level of human and minority rights cannot be reduced
cotton wool; 3) in restricting human and minority rights, all state
authorities, and in particular the courts, are obliged to take into account the
which is limited, the importance of the purpose of the restriction, the nature and extent
restrictions, the relationship of restrictions to the purpose of restrictions and whether
there is a way to achieve the purpose of the constraint by a minor constraint
rights.
The provisions of Article 42 of the Constitution of the Republic of Serbia stipulate that:
1) protection of personal data is guaranteed; 2) collection, statethe processing and use of personal data are regulated by law; 3)
the punitive use of personal data outside the purpose is also prohibited
for which they were collected, in accordance with the law, except for management purposes
criminal proceedings or security protection of the Republic of Serbia, at
manner provided by law.
By the decision of the Constitutional Court of Serbia from the session of 30 May 2012,
in the “Official Gazette of the RS”, No. 68/12 of 18 July 2012, unequivocally
It has been confirmed that bylaws cannot be valid legal
basis for processing personal data.
The provision of Article 10, paragraph 3 of the Law on the National DNA Registry
it is prescribed that the manner of keeping the Register and more detailed conditions for exchange and
the transfer of data from the Register is prescribed by the Government, within one year
days from the date of entry into force of that law.
Despite a very clear norm in Article 42 of the Constitution, as well as a clear and
the clearly expressed position of the Constitutional Court that data processing is regulated
exclusively by law, the legislator has prescribed that the conditions for

Page 167

7. Normative activities of the Commissioner

167

the exchange and transfer of data from the DNA registry shall be
Government act, although the exchange and transfer of data
her data processing action. The Commissioner further indicates that he is in
Council of Europe Recommendation no. (92) 1 on genetic privacy, period
8, among other things, stated that any processing of DNA profiles in
the purpose of the investigation and prosecution of the offenses
lisana by law.
In this sense, it is absolutely unacceptable and inadmissible to
It prescribes regulations on the manner of keeping the national DNA registry
The Government by a sub-legal act, as prescribed by Article 10, paragraph 3.
Law on the National DNA Registry. Needless to comment yes
this is particularly unacceptable and inadmissible in a situation where
processing of such sensitive data as genetic data
which can reveal a wealth of information about a person, including health
but the situation and ethnic origin, and not only in the formal legal sense.
slu. Such a legal solution can have unforeseeable consequences
basic human rights guaranteed by the Constitution.
Therefore, the Commissioner proposes that the Constitutional Court, after
procedure shall issue a decision determining that Article 10, paragraph 3 of the Law on
national DNA registry ("Official Gazette of RS", No. 24/18) is not
in accordance with Article 42 of the Constitution.
However, this is not enough to protect the rights of individuals in accordance
with domestic and international human rights standards, a
in particular in accordance with established standards regarding
data in the DNA registry established before the European Court of Human Rights
ska rights. Namely, it is necessary to regulate the following issues by law:
1) the conditions under which data are entered and deleted in the DNA rehistory, taking into account that a distinction must be made
among suspects, accused and convicted persons, and on the type and
the gravity of the crime committed;
2) deadlines for keeping all data in the DNA registry that cannot be
unlimited as prescribed by the provisions of Art. 41, 43, 44,
45 and 46 of the Law on Records and Data Processing in the field
internal affairs ("Official Gazette of RS", No. 24/18);
3) conditions under which data processing in the DNA register is performed,
including the conditions under which the entry and deletion of
such from the Register of Minors and Victims of Enforcement
criminal offense;
4) Exchange of data from the DNA registry with other countries and interpeople's organizations that can take place only on the basis
of the law, ie. ratified international agreements, which have
force of law and are part of the internal legal order, with
clear rules under which conditions such processing is performed.

168

Page 168

Personal data protection:

Regarding the standards that must be observed when arranging
of the matter on DNA registries, see the judgments of the European Court of Justice for
human rights S. and Marper v. the United Kingdom (applications
No. 30562/04 and 30566/04) of 4 December 2008 and Aycauger v.
ske (application number 8806/12) dated 22 June 2017.
The Commissioner notes with regret that all these problems have been
to the authorized proposer of the law, when giving a formal opinion
opinions on the Draft Law on the National DNA Registry, but almost
none of the Commissioner's suggestions is an authorized proposer of the law
took into account, which is why the stated opinion of the Commissioner with this proposal
submitted to the Constitutional Court of the Republic of Serbia, with the help of which
can analyze all the shortcomings of the adopted law.
Therefore, the Commissioner proposes that the Constitutional Court of the Republic of Serbia, at
pursuant to Article 105 of the Law on the Constitutional Court, to give an opinion and
the National Assembly of the Republic of Serbia to process the matter
ka in the DNA register is not regulated in accordance with the Constitution of the Republic of Serbia,
achieved level of human rights in the Republic of Serbia, domestic and
international standards in the field of personal data protection,
and in particular in accordance with the standards set before the
human rights home; and to point out that a new
to or amend the existing National DNA Act
in full compliance with the provisions of Articles 18, 20 and 42 of the
of Serbia.
Finally, the Commissioner appeals to the Constitutional Court of the Republic of Serbia to
without delay, as soon as possible, take a decision on this
due to the application of the Law on the National DNA Registry
may have unforeseeably harmful consequences under the Constitution and the law
guaranteed human rights, which in turn can significantly
protect the reputation of the Republic of Serbia before international institutions for
protection of human rights, in particular before the European Court of Human Rights.
The fact that the taxpayers of the Republic of
The image of Serbia can be significantly damaged by the payment of material and
non-pecuniary damages to persons whose rights have been violated and endangered due to
inadequate and unconstitutional legal framework, ie. of the law.
B ROJ: 073-14-537 / 2018-01 OF 3. 5. 2018

Page 169

7. Normative activities of the Commissioner

169

7.6. LETTER FROM THE COMMISSIONER TO THE NATIONAL ASSEMBLY
OF THE REPUBLIC OF SERBIA ON THE OCCASION OF THE BILL
ON PERSONAL DATA PROTECTION
AND WITH LETTER P OVERENIKA:
On September 25, 2018, the Government of Serbia determined and submitted it to the People's Party
Assembly Draft Law on Personal Data Protection.
The proposer of the law, ie the Ministry of Justice,
of the Proposal sought the opinion of the Commissioner for Information from
of public importance and protection of personal data on the Draft Law on
protects personal data and the Commissioner gave the requested opinion no.
073-12-1090 / 2018-02 dated 7 August 2018. That opinion is distinct
negatively, points to numerous shortcomings, illogicalities and
consistencies, which make the law practically inapplicable. Remarks
Unfortunately, the commissioners were almost completely ignored.
What is particularly worrying in the established Bill and what is
the evil to address the deputies directly is a fact
that Article 40 of the above-mentioned proposal, which regulates the
to protect personal data, the deleted word "by law". In the Draft
Article 40 correctly stated, in accordance with all domestic and international
international standards in the field of human rights protection, to
may be limited by law if those restrictions do not interfere with the substance
fundamental rights and freedoms and, if necessary, is proportionate to
nu measure in a democratic society. Without any sense and reasonable
explanations, the word "by law" has been deleted from the text of the Bill.
I warn the deputies that such a solution leads to
stic collapse of the legal system, is in stark contrast to
Constitution, law and international documents and conventions and
seriously violates the rule of law. It is almost superfluous
to point out that such a solution is in complete disagreement with the spirit
democratic society, and that there are harmful consequences for fundamental rights
and the freedoms of citizens inconceivable.
First of all, Article 42 of the Constitution of the Republic of Serbia guarantees the
so about personality. Paragraph 2 of the same article stipulates that the collection,
holding, processing and use of personal data is regulated by law.
Consequently, the conditions under which the rights guaranteed may be limited
They can be prescribed by the Constitution only and exclusively by law.
Furthermore, the General Data Protection Regulation (GDPR) itself, to which
the proposer of the law is invited in the explanation, in Article 23 he insists on

170

Page 170

Personal data protection:

that restrictions on rights can be exercised only on the basis of legal,
ie. legislative measures ( legislative measure ).
In addition, in addition to the form in which restrictions are prescribed, the law
it must also have a certain quality, which has long been very clearly defined
but in the case law of the European Court of Human Rights. Namely, in Article 8 of the European
Convention on Human Rights, which guarantees the right to
family and private life is prescribed to limit
they must be in accordance with the law.
In the practice of an institution that protects the rights from the Convention, the European
Court of Human Rights, the term law refers to the domestic law of
signatories to the European Convention on Human Rights. The law
Drzin must be compatible with the notion of the rule of law, and one
one of the most important elements of the law must be its predictability.
This means that the law must guarantee adequate legal protection from
arbitrary interference of state bodies with the rights referred to in Article 8, paragraph 1.
mulation "in accordance with the law", according to the court's interpretation, means that it is
everyone has adequate access to the law in order to gain
no insight into which legal rules can be applied to a given set of
. Second, it implies that the law be formulated in sufficient
measures precisely, so that the individual can manage his own according to it
behavior. The individual should be able to anticipate, and in
foam that is reasonable in the circumstances, the consequences of
nje. (See the judgments of the Sun. Times of the United Kingdom of 24.
April 1979, Silver et al. ro iv Uje injenog Kraljevs va predstavke
5947/72; 6205/73; 7052/75; 7061/75; 7107/75; 7113/75; 7136/75 from
March 25, 1983, Valenciala Con reras ro iv Shania petition no
58/1997/842/1048 of 30 July 1998 and the judgment of Malone ro iv Uje injeBased on the above, I appeal to all MPs not to
nog
Kraljevs
va petka
broj 8691/79) odarguments
2.8.1984.regarding
yr.).
biasedly consider
the Commissioner's
this proposal
law (the Commissioner’s opinion is available on his official website
-presentation), ie at least as a minimum of minimum amendments
provide an appropriate correction of Article 40 of the Draft Law.
B ROJ: 073-14-1602 / 2018-01 from 22 10 2018

Page 171

8. Annex - General Regulation on Protection
personal data (answers
frequently asked questions)

Page 173
172

8. Annex - General Regulation on Personal Data Protection

173

8.1 FREQUENTLY ASKED QUESTIONS REGARDING THE APPLICATION
GENERAL DATA PROTECTION REGULATIONS (GDPR)

On the adoption of the General Regulation on the Protection of the Commissioner for
formations of public importance and protection
a large number of people in connection with the rim of this race in the Republic of Serbia
and by harmonizing the equal system with the equal ekovinas of Europe
union.
Having in mind the importance of the General Regulation, the Commissioner made a letter
Most often, the people who spoke about it were the ones who spoke about it. 9

What
is Regulation
the General
Regulation
(GDPR)?
General
(European
Parliament
and Council of the European Union)
on the protection of persons in connection with the processing of personal data and free
the movement of such data and the repeal of Directive 95/46 / EC,
was adopted in 2016. In English General Data Protection Regulation
- GDPR.
The solutions contained in the General Regulation are a continuation of
on which the Directive is based, with the proviso that, after the twentieth
breathing practices of its application, certain solutions are modernized and introduced
new, in order to increase the legal certainty of individuals regarding
work of their data, in order to strengthen confidence in the
data processors and to the smooth movement of data on
traditional, as well as in the digital market, of which, in turn,
the data controllers themselves also benefited, in the form of better ones
business results.
It should contribute to that: a single, ie harmonized legal
framework and harmonized application of regulations throughout the EU; onebusiness conditions for all economic entities operating on the market
EU; greater control of individuals over data relating to them;
higher level of protection in case of data protection breach; more clearly defined
the obligations and responsibilities of the controller and data processor; beforemore detailed rules in case the data is exported outside the EU and so on.
A regulation is a legal regulation of direct application in the Member
European Union.

9 This appendix on frequently asked questions and answers about the General Regulation

on data protection was made by the Sector for Harmonization - the Office of the Commissioner.

174

Page 174

Personal data protection:

What
doestothe
General
According
Article
2 ofRegulation
the Generalregulate?
Regulation, this regulation applies to processing
personal data performed in whole or in part by the
matically and on non-automated processing of personal data that make up
part of a data collection or are intended for a data collection.
The general regulation does not apply to the processing of personal data
which is not subject to the direct competence of the European Union such as
the competence of the authorities with regard to the prevention or detection of criminal offenses
acts, conducting investigations, prosecutions for criminal offenses or executions
criminal sanctions, including the protection of public safety.
This substance is subject to another regulation (see Directive
vu (EU) 2016/680 on the protection of individuals with regard to the processing of data on
by the competent authorities for the purposes of prevention, investigation,
the prosecution or prosecution of criminal offenses or the
and the free movement of such data).
The General Regulation also does not apply to the processing of personal data.
performed by a natural person on an exclusively personal or domestic basis
activities. An example of such processing is the phone book or
nick for birthdays.
A special rule regime applies to cases of data processing
for the purpose of archiving in the public interest, scientific or historical
search, as well as for statistical purposes, as well as when it comes to
the right to access information, or in general the relationship of the right to
protection of personal data and freedom of expression.

What
innovations
are prescribed
the field
data protection?
The General
Regulation
prescribes ainnumber
ofof
novelties
in relation to the
tivu 95/46 / EC. The reason for this is, first of all, the fact that the processing
data from the period of the nineties, so long before social networks
and mass use of smart technologies and conventional automation
important way of processing data, has changed significantly.
Newspapers can be divided into several parts - for individuals, for
blacksmiths and processors, for data protection authorities and other newspapers.

Newspapers for the individual and his rights
In terms of newspapers for individuals, it is important to point out that one of
basic objectives of the General Regulation empowerment of the individual whose data
process. Therefore, all of the previously existing rights of persons in relation to processing

Page 175

8. Annex - General Regulation on Personal Data Protection

175

personal data are still valid, and two special rights are added to the list
- the right to forget and the right to data portability. Also, General
The regulation specifically regulates the processing of data on minors in
formation society.
• Right to be forgotten (Article 17)
- The right to be forgotten, or the right to be forgotten, is
its formal framework by the decision of the European Court of Justice in 2014.
years. In an internet environment, the right to forget represents
in fact the right of a person not to be searchable by name and
winter, as well as according to any other personal data. Word
is about the possibility of removing search results according to a certain
personal data, while the content of the subject pages
it still remains on the Internet in the function of exercising freedom
expressions.
• Data Portability (Article 20) - Persons whose
The data being processed can easily transfer the data that one
the handler processes them for another handler. The condition is to
processing is based on the consent of the person or is necessary for
performance of the contract, as well as that the processing is performed automatically.
• Minor (Article 8) - When it comes to the provision of services
information society (social networks, etc.), a minor
the person may consent to the processing of his data if
is at least 16 years old. Member States may, for these purposes,
to predict a lower age limit, provided that
such a limit is not lower than 13 years. Otherwise, consent
for the processing of personal data for a minor must provide
holder of parental rights.

Newspapers for data controllers
The General Regulation abounds with new obligations for data controllers.
Many of them, although not prescribed by Directive 95/46 / EC, have
but are accepted in some Member States. The purpose of these
is to prevent the violation of the right to protection of personal data
sti. Among the numerous newspapers, it is necessary to single out a few.
• Reporting a breach of data security (Article 33) - As soon as
the data subject learns that personal data have been
(accidental or unlawful destruction, loss, alteration,
unauthorized disclosure or access to personal information
which have been transferred, stored or otherwise processed
ni), must inform the supervisory authority for the protection of
so no later than 72 hours after learning of that data breach

176

Page 176

Personal data protection:

on identity, unless the data controller can prove, in
in accordance with the principle of liability, that the breach of
is unlikely to pose a risk to rights and freedoms.
of individuals. In certain cases, the operator has
obligation to notify the data subjects as well.
• Personal Data Impact Impact Assessment ( Personal Data Impact
becomes a mandatory prerequisite for starting data processing
Assessment
) (Article
35) -pose
Dataaprotection
about a person
who could
higher riskimpact
for assessment
vatnost. An assessment is always necessary in case of
systematic and extensive processing in order to assess personal aspects
a person based on automated processing, including
hearing and making profiles, and what is the basis for decision making
which produce legal effect in relation to a natural person or
in a similar way they significantly affect an individual. This proceis also necessary in the case of mass processing of special
category of personal data or data relating to
criminal and misdemeanor convictions; or extensive systematic
supervision of publicly available space. If you would estimate
impact on data protection has shown that, in the event that
the blacksmith does not provide risk mitigation measures,
la to high risk, then the operator is obliged to contact
supervisory body and to provide it with, inter alia, information
on the purpose and means of processing, protective measures, implemented
impact assessments and so on.
• Data Protection Officer (Article 37) - General Regulation
and the obligation to appoint a data protection officer at all times
when processed by a public authority, other than courts
within their jurisdiction, when the basic activities
of the operator or processor consist of processing operations which
due to their nature, scope and / or purpose, they require regular and
systematic mass monitoring of data subjects, or
the core business of the operator or processor consists of
processing of special categories of data and personal data
relating to criminal and misdemeanor convictions.
• Codes of conduct - Associations and other bodies representing
categories of handlers or processors may make
dex to clarify the application of the General Regulation, taking into account
taking into account the special characteristics of the different processing
not the needs of small and medium enterprises. Codes of conduct
the application of the Fairness Regulation can be specified
and transparency of processing, legitimate interests of the operator
in special contexts, the collection of personal data,

Page 177

8. Annex - General Regulation on Personal Data Protection

177

pseudonymization, informing the public and individuals,
rights of persons and so on.

Newspapers for data protection authorities
Data protection authorities are being given a new role. In addition to the role of yes
supervise the application of the General Regulation and in this connection
measures for deleting data, these bodies also have an advisory role.
This novelty is precisely a consequence of the basic goal of the General Regulation, and that is
that there is no violation of the right to protection of personal data. Newspaper
about which, perhaps expectedly, the most question was about the possibility
imposing administrative penalties on operators and processors in
amounts up to 20 million euros.
Regardless of the choice of the name of the body - the commissioner as it is in
Slovenia, Germany, Hungary or the United Kingdom or an agency,
as in Croatia, Spain - this body must enjoy
independence and independence both in decision-making and in regular work,
including financial and human resources. Dedicated to this aspect
women are given special attention in the General Regulation.
Since this is a government body, these bodies will also have a person to
personal data protection.
The specificity of the General Regulation also refers to the formalization of
actions of these bodies in the EU.

Other newspapers
Numerous novelties refer to concepts or certain phenomena
do data, such as genetic data or profiling, or are
relate to the regulation of cooperation of personal data protection bodies.
Only some of them are presented below.
• Profiling - any form of automatic data processing o
personality consisting of the use of personal data
to assess certain personal aspects related to the physical
face, especially for analyzing or predicting aspects of the relationship
with work performance, material condition, health, personal
preferences, interests, reliability, behavior, location
or by the movement of that individual.
• Pseudonymization - processing of personal data on
a way that personal data can no longer be linked
with the specific data subject without the use of
additional information, provided that such additional

178

Page 178

Personal data protection:

keep the information separate and apply technical
and organizational measures to ensure that data on
persons cannot be associated with a natural person whose identity
titet determined or can be determined.
• Biometric data - personal data obtained separately
technical processing in relation to physical properties, physiological
characteristics or characteristics of physical behavior
persons who enable or confirm a unique
of that natural person, such as photographs of the person or
dactyloscopic data.
• Genetic data - personal data related to heredity
women or acquired genetic traits of the natural person they give
unique information on the physiology or health of that
zichkog lica, and which were obtained primarily by biological analysis
sample of that individual.
• Restrict processing - marking stored data
about the person in order to limit their processing in the future.
• One-Stop-Shop mechanism - if the operator performs processing
personal data in several EU Member States, General Regulation
stipulates that the operator shall primarily cooperate with the
authority located in the same Member State in which it is located
business seat of the operator, in order to achieve compliance.
The supervisory authority of that country becomes the "lead supervisory authority" for
all data protection issues.
• Certification refers to an individual operator or processor.
watch. The purpose of certification is to be able to prove that
work performed by the operator or processor in accordance with the General
regulation. The certificate is issued to the operator or processor at
for a maximum of three years and may be renewed under the same conditions
if the relevant requirements are still met. For certification
the operator or processor contacts the certification
to bodies accredited by the competent institution
(supervisory body and / or accreditation body depending on the
from an EU Member State).

Should
Serbia
harmonize
regulations
with
the General Regulation?
Of course,
the reasons
are both
formal and
essential.
Formal reasons are reduced to the obligations that Serbia has towards
The European Union and the obligations that Serbia has imposed on itself. On thename, as a candidate for membership in the European Union, Serbia is in
obligations to align its legislation with the acquis.

Page 179

8. Annex - General Regulation on Personal Data Protection

179

Article 81 of the Law on Ratification of the Stabilization and Association Agreement
association between the European Communities and their Member States,
on the one hand, and the Republic of Serbia, on the other hand, from 2008
("Official Gazette of RS - International Agreements", No. 83/08), Serbia
obliged to harmonize its legislation relating to protection
personal data with Community legislation and other European
international and privacy regulations, as well as to form
an independent supervisory body with sufficient financial and human resources
with in order to effectively monitor and guarantee the implementation of the national
legislation on personal data protection.
The protection of personal data is an issue that is harmonized in
the process of accession to the European Union and within the framework of Chapter 23 (Judiciary
and fundamental rights), as well as Chapters 24 (Justice, Freedom and Security).
Furthermore, Serbia has committed itself to harmonizing regulations in this area.
sti. Action plan for Chapter 23, which the Ministry of Justice has yet
April 2016 prepared and announced to draft a new Law on
protection of personal data in accordance with compliance tables and
recommendations of the expert, the Draft Law (model law) of the
for information of public importance and protection of personal data and
Proposal for a Decree after its adoption (page 222), while as a deadline
the drafting of the new law was scheduled for the end of 2016 (page 360).
However, in the process of harmonization, the essential reasons are more important
which influenced the adoption of the Regulation in general, and are therefore significant
and as reasons for the adoption of a new law on personal data protection
in the Republic of Serbia. These are the following reasons:

1) Better protection of the eye and its rava on the waterfront and
i u o a placed
aka o licnos
i
Theš decree
the individual
in the center of personal data protection.
. The person to whom the data being processed relates has a right to know
who, why and what data about him processes, and the General Regulation tightens
conditions for data processing and introduces new rights within the
naca, such as stricter criteria for consent of persons to processing
or stricter obligations of operators regarding notification of
di, or a new right of an individual to data portability from one to
another operator.

2) Legal certainty for all those who process o a ke in the Republic
In Serbia,
or processors
Operators
notthey
onlyare
geteither
more handlers
responsibilities,
although in some countries
EU regulations, they have existed for a long time, but the Regulation imposes an obligation on everyone

180

Page 180

Personal data protection:

who want to process data that in their business relations with other
data protection, and in particular liability in connection with
data. From a technical point of view, new or stricter obligations have to
the goal is to prevent the violation of rights at all.

3)
Strengthens
and encompasses
the data
role of
the bodyauthorities
for the protection
of the individual
Although
the possibility
of personal
protection
to
says a fine in a high amount, this document actually introduces
new obligations of these bodies, more precisely imposes the obligation of closer cooperation with
handlers and puts it in the role of not only the oversight body
by applying the law, but also in the role of advisor.

4) Imposes the obligation of ruš vu and enables the enjoyment of rava on the waterfront and shield
andout
in ohere
a aka
personality
i
It isnose
important
to point
thato all
EU members
are also members
European Convention on Human Rights of the Council of Europe, of which
and the Republic of Serbia. With regard to the right to privacy (Article 8 of the
Convention), the European Convention imposes an obligation on each member state
individually not only to refrain from endangering and violating someone
the right to privacy than to provide conditions for this right not to be
tano enjoys. Based on the Decree, when preparing the laws they have
impact on the protection of personal data authorities should take
take into account the effects of such a law on the right to privacy, and states
the members are left to decide whether to envisage this action as
mandatory.

Does
General
Regulation
apply
in Serbia?
Articlethe
3 of
the General
Regulation
prescribes
that it applies to processing
personal data within the activities of handlers or processors
established in the European Union, whether or not
to carry out in the Union or not, therefore, regardless of whose personal data
processed. Further, the General Regulation applies to data processing
about a person performed by a controller or processor who does not have a seat in
EU, and processes the personal data of persons in the EU, if they are activities
processing related to:
A) by offering goods or services regardless of whether the person to whom
the data related should make the payment,
B) monitoring their behavior, provided that their behavior
takes place within the Union.

Page 181

8. Annex - General Regulation on Personal Data Protection

181

It is important to point out that it does not matter whether the person to whom the data is referred
relations has the citizenship of some of the EU member states or not, this is
applies to all persons who are in the Union.
Article 3 also stipulates that the General Regulation applies to processing
personal data performed by a controller not established in the Union,
but where the law of a Member State applies on the basis of
in international public law. That would be diplomatic, for example
representative offices.
For legal entities from Serbia, the answer to the question of whether the General
It will depend on whether they offer goods or services
in the territory of the EU or monitor the behavior of individuals who
are in that territory.
Two judgments of the European Court of Justice can be helpful in
territorial application of the Regulation - Google ro iv

š i u oThe
a aka
o ličnos
anije (2014)
and Weltimmo
ro the
iv PoveGoogle
casei Šconcerned,
among
other things,
question of whether the then
renika
za
zaš
i
u
o
a
aka
i
slobo
u
informacija
Mađarske
(2015).
Directive (95/46 / EC) applies to an American company located in Spain
it did not even have a branch where personal data is processed, but only
Google Spain, a legal entity engaged in marketing. This fact
as well as the commercial nature of the company's work, the Court considered it sufficient
to conclude that the Directive also applies to Google and thus
to the Agency. It should be added that this case is significant due to the
the so-called right to be forgotten.
The Weltimmo case is perhaps more explicit in terms of finding a connection
between the operator abroad and the decision of the national
personal data protection. A site that was registered in Slovakia
was engaged in the sale of real estate in Hungary and offered these services in
in the Hungarian language.
However, without a court decision regarding a specific case of protection
personal data that would follow after the beginning of the application of the General
regulation, it is not possible to specify the territorial scope of this regulation.

What are the obligations of the operators if it is applied
General
regulation?
In case the
operator estimates that the General Regulation applies to
its business, it is necessary to fulfill the obligations whose scope, and thus
and the financial aspect of the adjustment depends on the processing of the
data in question, as well as which personal data are processed. Recommended
In that case, the provisions of the General Regulation should be studied in detail, but
and relevant documents of the competent bodies of the European Union, such as

182

Page 182

Personal data protection:

European Commission, European Data Protection Supervisor or
European Data Protection Board, a newly formed body
what regulations. Also, the work of the former Working Group should be kept in mind
Article 29, a body established by Directive 95/46 / EC.
Several commitments need to be emphasized.
In case the General Regulation applies, it should be established
"Representative" in the EU Member State in which the persons to whom
the data relate. Given that it is possible that persons are in
several member states, then the question is where the predominant activity is
operator. Certainly the decision, in case it is possible to establish a
representatives in several countries, also depends on the estimated costs of
appointing a representative, as well as knowledge of the legal regulations of that country.
Furthermore, if the data processing involves the processing of a special
data categories, including, for example, biometric data, which
serve for unique identification (e.g. fingerprint), data
relating to personal health, union membership, etc., then would
the data controller was to designate a data protection officer. This one
the obligation also exists in the case of so-called mass data processing.
Furthermore, it is possible that there will be an obligation to conduct an impact assessment.
tea on data protection.
One obligation from the list should not be a problem for
any operator from Serbia, and concerns the obligation to establish and
records of personal data processing. From the point of view of the locals
regulations, it should already be fulfilled, bearing in mind that it is about
almost identical to the obligation prescribed by the Law on Data Protection
on the personality of the Republic of Serbia.

Where
can I find
of the
General is
Regulation,
aspossible
well as other
useful
sources?
The application
of the
the text
General
Regulation
certainly not
without
getting
acquainted with
the text of that legal act, which is available in the original version at
EU website in the languages ​of EU member states, https: //
ec.europa.eu.
The Commissioner provided an unofficial translation of the text of the General Regulation
and published it on his website www.poverenik.rs in part
which refers to regulations in the field of personal data protection.
Note: with individual articles of the General Regulation it is recommended
reading the relevant parts of the Preamble which is an integral part of it and
it also provides additional interpretation or reasons for the chosen formulation
specific provisions.
Also, relevant internet presentations can be helpful.
bodies of the European Union, such as the European Protection Supervisor

Page 183

8. Annex - General Regulation on Personal Data Protection

183

European Data Protection Supervisor (EDPS), European Committee
for Data Protection - European Data Protection Board starting with
work on May 25, 2018.
Internet presentations of the competent data protection authorities
Member States of the European Union are an excellent source of information, especially
bearing in mind the numerous and diverse activities of individual organs.
For example, the Information Commissioner of the United Kingdom,
although negotiations are under way on the country's withdrawal from
Union, has published manuals for the implementation of certain
gave guidelines on the General Regulation. The State is equally active.
of the Commission for Information and Freedom of France - Commission
National of Informatics and Liberties - CNIL. Relevant sources are
and the Information Commissioner of Slovenia, as well as the Agency for the Protection of Personal Data
Croatian data.

Page 184

CIP - Cataloging in a publication
National Library of Serbia, Belgrade
342,738 (497.11)
PROTECTION OF PERSONAL DATA: ATTITUDES AND OPINIONS
Commissioner. Publication no. 4 / [editor Slavoljupka
Pavlović]. - Belgrade: Information Commissioner from
of public importance and personal data protection, 2019
(Belgrade: Official Gazette). - 183 pages. ; 23 cm
Circulation 600. - p. 9–10: Introductory word / Slavoljupka
Pavlović.
ISBN 978-86-919155-9-9
1. Pavlović, Slavoljupka [editor] [author of additional text]
a) The right to protection of personal data - Serbia
COBISS.SR-ID 273022220

