
Republic of Serbia
COMMISSIONER FOR INFORMATION OF PUBLIC IMPORTANCE AND
PERSONAL DATA PROTECTION

RULEBOOK
ON THE MANNER OF PRELIMINARY VERIFICATION OF PERSONAL DATA
PROCESSING OPERATIONS

April, 2009

Belgrade

Pursuant to Article 50, paragraph 2 of the Law on Personal Data Protection ("Official
Gazette of RS" No. 97/08), the Commissioner for Information of Public Importance and
Personal Data Protection hereby adopts the

RULEBOOK
ON THE MANNER OF PRELIMINARY VERIFICATION OF PERSONAL DATA
PROCESSING OPERATIONS

CONTENTS OF THE RULEBOOK
Article 1
This Rulebook regulates in more detail the manner in which the Commissioner for Information
of Public Importance and Personal Data Protection (hereinafter: the Commissioner) carries out
the preliminary verification of personal data processing operations that the data controller
intends to undertake, in accordance with the Law on Personal Data Protection (hereinafter: the Law).
PRELIMINARY VERIFICATION PROCEDURE
Initiation of the procedure
Article 2
The Commissioner initiates the preliminary verification procedure ex officio, on the basis of
the notification by the data controller that it intends to begin processing personal data,
i.e. to establish a data collection.

Article 3
The data controller shall submit the notification of its intention to process data, containing
the data referred to in Article 48 of the Law, to the Commissioner no later than 15 days before
the start of processing, on the form entitled "Data processing application", which is printed
with this Rulebook and forms an integral part of it.
The course of the procedure
Article 4
Upon receipt of the notification, the Commissioner first assesses, on the basis of the
submitted data, whether the intended processing could significantly violate the rights of
the data subjects.
The Commissioner makes the assessment referred to in paragraph 1 of this Article depending on
whether the intended data processing is carried out in accordance with the Law and whether the
data controller has taken the prescribed security and data protection measures.


Article 5
Where, on the basis of the submitted data, the Commissioner assesses that there is no danger
that the processing will significantly violate the rights of the data subjects, he shall
inform the data controller accordingly in a timely manner.
Where the intended data processing could significantly violate the rights of the data
subjects, the Commissioner shall verify the processing operations on site, at the data
controller or processor.
Verification of operations
Article 6
The Commissioner carries out the preliminary verification of data processing operations
through authorized persons, on the basis of inspection of the controller's general acts, of
the premises and equipment with which it intends to process data, and of the appropriate
documentation of the data controller or processor.
The on-site inspection determines:
1) whether the data processing has a legal basis and is carried out in accordance with the
Law, and
2) whether the data controller or processor has taken all necessary measures to secure and
protect the data.
Verification of the legality of processing
Article 7
Preliminary verification of the legality of data processing, in terms of Article 6,
paragraph 1, item 1) of this Rulebook, includes verification of:
1) the legal basis on which the processing is carried out,
2) the purposes of the intended processing,
3) the types of personal data to be processed,
4) the sources of the data, i.e. from whom they were collected,
5) the types of processing operations,
6) the names and types of the collections in which the data are kept,
7) the use of the data: who the users of the data will be, which data, for what purposes
and on what legal basis,
8) the transfer of the data: to whom the data will be transferred, which data, for what
purposes and on what legal basis,
9) the duration of data processing, i.e. the period after which the data will be archived
with prior anonymization or destroyed.

Checking the application of security and data protection measures
Article 8
Preliminary verification of the application of security and data protection measures, in
terms of Article 6, paragraph 1, item 2) of this Rulebook, determines whether the controller
and the processor have applied appropriate organizational, personnel and technical measures
to protect data from possible misuse, destruction, loss, unauthorized access, unauthorized
alteration, disclosure and any other misuse of data, as well as measures establishing the
obligation of confidentiality of data for persons employed in the processing.

Article 9
Verification of security and data protection measures refers to verification of the
application of applicable norms, standards and technical instructions regarding:
• the connection and placement of computers holding databases and of other computer
equipment,
• the provision of uninterruptible power supply devices,
• the protection of modem ports (and numbers) from unauthorized local and remote access,
• the provision of computer programs and equipment for security reporting and for logging
access to and work on the computer, in order to prevent unauthorized removal and entry of
data via portable information media, communication ports and data printing ports, for
protection against computer viruses and other malicious programs, as well as the provision
of equipment for the cryptographic protection of special categories of personal data on
portable information storage media and during transmission of such data by information and
telecommunication means,
• the application of measures obliging the data processor, the network system administrator
and the data collection administrator to notify the data controller of any attempt at
unauthorized access to data,
• the securing of the premises in which the computer and telecommunication equipment is
located, in terms of entry control, i.e. prohibition of access to unauthorized persons,
• the application of protection measures against fire, electric and magnetic fields,
ionizing radiation and electricity, moisture, cold and heat, hazardous, explosive and
flammable substances, dust, earthquakes and other natural disasters, in respect of premises,
devices and equipment,
• the provision of access to databases through the use of usernames and appropriate
passwords,
• the provision of daily, weekly, monthly and annual storage of data on other portable
information media (backups of the collection), with application of data security and
confidentiality measures, for the case of destruction of the active databases, together with
the keeping of records of those removable media and the withdrawal of the records on copies
upon expiry of the retention period.
Particularly sensitive data
Article 10
With regard to particularly sensitive data, the verification shall determine whether the
special data protection measures prescribed by the Government for this type of data, in
accordance with the Law, have also been taken.
Measures of the Commissioner
Article 11
Where the authorized person determines that there is no legal basis for the data processing,
or that the law does not regulate the most important issues for their processing, such as the
purpose of processing, the type of data processed, the data users and the duration of
processing, the Commissioner shall issue a decision temporarily prohibiting such data
processing until the reasons for the prohibition are eliminated.
The Commissioner shall also temporarily prohibit the processing of data if appropriate
organizational, personnel and technical measures have not been applied to protect data from
possible misuse, destruction, loss, unauthorized access, unauthorized alteration, disclosure
and any other misuse of data, as well as measures establishing the obligation of
confidentiality of data for persons employed in the processing, until the data controller
provides proof that it has taken appropriate security and data protection measures.
Where it is determined that there are minor omissions in connection with the processing
which will not significantly jeopardize the security of the data, the Commissioner shall
order appropriate measures to be taken, setting an appropriate deadline for eliminating the
shortcomings.
Where the data controller does not eliminate the identified deficiencies within the set
deadline, the Commissioner shall prohibit the processing of data.
Entry in the Central Register
Article 12
The Commissioner shall enter the notification of the data controller referred to in Article 3
of this Rulebook in the Central Register.

Entry into force of the Rulebook
Article 13
This Rulebook shall enter into force within 8 days from the day of its publication in the
"Official Gazette of the Republic of Serbia".
Number: 110-00-6/2009-01
In Belgrade,
14.04.2009
COMMISSIONER
Rodoljub Sabic, s.r.

Form: "Data processing application"
Law on Personal Data Protection ("Official Gazette of RS" No. 97/08), Articles 48-51.


COMMISSIONER FOR INFORMATION OF PUBLIC IMPORTANCE AND
PERSONAL DATA PROTECTION
1. Name of the database
(The name contains the name of the collection as determined by the regulation, or as
determined by the controller himself on the basis of the consent of the data subject or the
contractual relationship, e.g. records of issued official identification cards, company
customer records, visitor records, video surveillance records, etc.)
______________________________________________________________________________ 1

2. Type of processing operation
(E.g. data collection, use, recording, transcription, duplication, copying, searching,
sorting, storing, displaying, publishing, etc.; see Article 3, paragraph 1, item 3 of the Law)
______________________________________________________________________________

3. Types of data
(List the types of data contained in the collection, taking care not to enter any specific
data (such as a particular name, surname, address, e-mail, video surveillance recording,
fingerprint, etc.), but only the type of data, such as name and surname, e-mail address,
home address, telephone number.)
______________________________________________________________________________

4. Name, title, registered office and address of the controller
(Indicate the company name and registered office with the address, or the name and surname
with the address, of the data controller, e.g. "Market d.o.o. for trade", Petar Petrović,
owner of the dental practice, Street Belgrade no. 1, Belgrade)
______________________________________________________________________________

1 Note: if space is insufficient, new lines may be added in the electronic version, or a new
sheet of paper attached, with an indication of the relevant box, when filling in by hand.

5. Date of commencement of processing, i.e. establishment of the data collection
(Indicate the date when the database was established, or when it will be if it has not yet
been established, e.g. May 15, 2009)
______________________________________________________________________________

6. Purpose of processing
(List all purposes for which the data in the collection are processed, e.g. direct
marketing, execution of an employment contract or other contractual relationship, or the
purpose as formulated in the law; e.g. direct marketing, offering the company's products and
announcing news, inspection supervision, prevention of the transmission of infectious
diseases, etc.)
______________________________________________________________________________

7. Legal basis for processing, i.e. for establishing the data collection
(Indicate the legal basis on which you obtained the data and continue to process them,
e.g. Article ... of the Law ..., consent of the data subject, contractual relationship, etc.)
______________________________________________________________________________

8. Category of data subjects
(Provide generic designations for the data subjects, e.g. company employees, company
customers, employees of the body, persons with special authorizations, etc.)
______________________________________________________________________________

9. Type and degree of data secrecy
(Indicate the degree of secrecy determined for the data in the collection, as it follows from
the relevant regulation governing the specific area, e.g. top secret, official secret. If the
collection contains no classified information, state that there is no classified information
in the collection.)
______________________________________________________________________________

10. Method of data collection and storage
(Indicate how you collected the data and what security method you introduced to protect the
data, e.g. collection through employment contracts, from another body on the basis of law,
through questionnaires, or on the basis of advertising material sent to the company by the
natural persons to whom the data relate. Specify the manner and form of data storage,
e.g. paper, tape, compact disc, etc., as well as a generic protection designation,
e.g. electronic and physical data protection (describe the method of protection in more
detail in item 14).)
______________________________________________________________________________

11. Data retention and use period
(Specify how long you will store and process the data, after which the data will be archived
with prior anonymization or destroyed, e.g. 10 years, until the expiry of the contract
provisions, permanently, etc.)
______________________________________________________________________________

12. Name, title, registered office and address of the user
(Give the above data for the legal and natural persons, i.e. entrepreneurs who independently
perform activities on the market, to whom the data from the collection are or will be
forwarded, e.g. medical chambers, health organizations, pension and health insurance funds.
If the data will not be forwarded, state that the data are not forwarded to users.)
______________________________________________________________________________

13. Indication of data import into or export from the Republic of Serbia
(Give the name of the state, i.e. international organization, and of the foreign user, the
legal basis and the purpose of the import or export. If the data are not exported from or
imported into Serbia, state that.)
______________________________________________________________________________

14. Data protection measures taken
(Describe in as much detail as possible the protection of the data in the collection, for
example: the premises in which the data carriers connected to the data collection are
located, as well as the computer equipment used for data processing, are locked outside
working hours, and are also locked at times when no employees are present. The data
collection held in the computer system is secured by a password system for the
authorization and identification of users of programs and data. The password system also
allows subsequent determination of when particular data were used or entered in the
collection and who did so, as well as of the period for which particular data are stored.
Data may be processed only by persons authorized for processing by the legal representative
of the company or body. Paper data carriers used to enter data into the computer-controlled
database, printouts from the computer database, as well as floppy disks, magnetic tapes and
optical disks relating to the data collection, are locked outside working hours in metal
fire-resistant cabinets. Procedures and data protection measures are specified in more
detail in the data controller's act on procedures and measures for personal data
protection.)
______________________________________________________________________________

15. Requests regarding processing
(Taken from Article 48, paragraph 1, item 14 of the Law; data are entered only if there were
any such requests)
______________________________________________________________________________

In _______________, on _____________
   (place)              (date)

Data submitted by:

_______________________
(person's surname)

________________________________
(function)

_______________________________________________
(contact details: address, telephone, e-mail address)

