Serbia - Data Protection Overview
The main piece of legislation currently regulating personal data protection in the Republic of Serbia is the Law on Protection of Personal Data (Official Gazette of the Republic of Serbia, No. 87/2018) (only available in Serbian) ('the Law').
1. GOVERNING TEXTS
In November 2017, the Ministry of Justice ('MoJ') published the draft of the Law ('the Draft'). The public debate on the Draft ran from 1 December 2017 to 15 January 2018, and certain proposals by the industry were accepted and implemented in the Draft. With the exception of certain provisions stemming from the fact that Serbia is not a member of the EU, the Draft contained almost identical solutions to those of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). It should be noted that the former Commissioner for Information of Public Importance and Personal Data Protection ('Poverenik') (and some of the participants in the public hearing) assessed the Draft as a non-functional document that does not take into account the specifics of Serbia's legal system. Nevertheless, the Draft seems to have made it into the Law for the most part, and the Law is arguably a better starting point for improving data protection in Serbia than the previous legislation.
On 9 November 2018, the National Assembly of the Republic of Serbia ('the National Assembly') adopted the Law. The Law entered into force on 21 November 2018, but its application started nine months from the date of its entry into force, i.e. on 21 August 2019. During this period, certain relevant by-laws have been adopted, as mentioned below.
The former Poverenik, Mr. Rodoljub Šabić, has, on many occasions, pointed out the drawbacks of the Law, stating that the existing legal framework in the field of protection of personal data is far from adequate, especially in terms of its completeness.
With regards to the Law, the former Poverenik has stressed that the content is convoluted, confusing, and therefore likely to be quite difficult to implement in practice.
The newly elected Poverenik, Mr. Milan Marinović, on 2 August 2019 sent an official letter to the president of the National Assembly, requesting that the application date of the Law be deferred for an additional period of one year, i.e. until 1 September 2020 (only available in Serbian). The Poverenik said that governmental agencies, controllers, and processors were 'not ready' for the Law, and that his office suffers from a shortage of staff. However, since the National Assembly did not convene in the middle of the summer to amend the Law, i.e. to defer its application, the Law became applicable as of 21 August 2019.
In addition, Serbian data protection legislation includes the following by-laws:
- Rulebook on the Manner of Prior Review of Personal Data Processing (Official Gazette of the Republic of Serbia No. 35/2009) (only available in Serbian), which governs the procedure for notifying and approval by the relevant authority of intended personal data processing;
- Decree on the Form for and Manner of Keeping Records of Personal Data Processing (Official Gazette of the Republic of Serbia No. 50/2009) (only available in Serbian), which regulates the form for keeping records of data, personal data processing, and the manner of keeping records of personal data processing;
- Rulebook on the Form and Manner of Keeping Record of the Data Protection Officer ('DPO') (Official Gazette of the Republic of Serbia, No. 40/2019) (only available in Serbian), which defines the form and manner of keeping record of the DPOs;
- Rulebook on the Form and Manner of Keeping Internal Record of Violations of the Law on Personal Data Protection and Measures Undertaken in the Course of Inspection Supervision (Official Gazette of the Republic of Serbia, No. 40/2019) (only available in Serbian), which prescribes the form and manner of keeping internal records of violations of the Law and measures undertaken in the course of inspection supervision;
- Rulebook on the Form of Notification on Personal Data Breach and Manner of Notifying the Commissioner for Information of Public Importance and Protection of Personal Data on Personal Data Breach (Official Gazette of the Republic of Serbia, No. 40/2019) (only available in Serbian), which sets out the notification form for personal data breaches and the manner of informing the Poverenik of personal data breaches;
- Rulebook on the Complaint Form (Official Gazette of the Republic of Serbia, No. 40/2019) (only available in Serbian), which defines the complaint form that a natural person can submit to the Poverenik if he or she considers that the processing of his or her personal data has been carried out contrary to the provisions of the Law;
- Decision on the List of Types of Personal Data Processing Operations for Which an Assessment of the Impact on the Personal Data Protection Must be Performed and the Opinion of the Commissioner for Information of Public Importance and Personal Data Protection Must be Sought (Official Gazette of the Republic of Serbia, No. 45/2019, 112/2020) (only available in Serbian), which establishes a list of personal data processing operations for which the data controller, before commencing processing, must perform an impact assessment and must seek the Poverenik's opinion;
- Decision on the List of Countries, Parts of Their Territories or One or More Sectors of Certain Activities in Those Countries and International Organisations where it is Considered That an Adequate Level of Protection of Personal Data is Ensured (Official Gazette of the Republic of Serbia, No. 55/2019) (only available in Serbian), which determines the list of countries where it is considered that an adequate level of protection of personal data is ensured; and
- Decision on Determining Standard Contractual Clauses (Official Gazette of the Republic of Serbia, No. 5/2020) (only available in Serbian), which determines the Standard Contractual Clauses ('SCCs') for the contractual relation between a controller and a processor ('SCC Decision').
The Poverenik has issued several guidelines, mostly in the form of questions and answers, including:
- Personal Data Protection: Guidelines issued in 2019, concerning video surveillance, processing of sensitive data and other specific matters regulated in the Law (only available in Serbian); and
- Most frequent questions concerning DPOs, issued in 2019 (only available in Serbian).
1.3. Case law
Although case law is not a source of law in Serbia, prior decisions of the former Poverenik are important, since the current legislative solutions applicable in Serbia lack clear rules governing important issues such as video surveillance.
For example, in certain situations, tacit acts of data subjects, after having been provided with the information on data collection and processing, may be considered as consent to such data collection and processing. These 'exemptions' were established through the former Poverenik's practice, and examples have included:
- premises which are under video surveillance: data subjects are considered to have given their consent by walking into premises after reading the clearly visible label or sign stating that the premises are under video surveillance; and
- recorded telephone calls: if data subjects continue with the call after hearing the warning that the call is being recorded, it is considered that they have given consent to such data collection and processing.
2. SCOPE OF APPLICATION
The Law applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. Furthermore, the Law applies to the processing of personal data performed by a controller or a processor who has its business seat/place of residence in the territory of the Republic of Serbia, within the framework of activities performed in the territory of the Republic of Serbia, regardless of whether the processing takes place in the territory of the Republic of Serbia.
The Law also applies to the processing of personal data of data subjects with residence in the territory of the Republic of Serbia by a controller or processor who does not have its business seat/place of residence in the territory of the Republic of Serbia, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the territory of the Republic of Serbia; and
- the monitoring of data subjects' behaviour, as far as that behaviour takes place within the territory of the Republic of Serbia.
The factor that determines whether the Law applies to given data is whether the person from whom, or in relation to whom, such data was collected can be identified. This means that data such as a name, telephone number, address, identification number, email, or any other data through which the relevant natural person (i.e. the data subject) could be identified is considered personal data and falls under the mandatory protection of the Law. Data which does not identify a person, on the other hand, is data to which the Law does not apply. In addition, the Law does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity.
3.1. Main regulator for data protection
The Poverenik is the main supervisory authority under the Law, whilst the National Assembly acts as lawmaker and the MoJ acts as the competent ministry for legislative initiatives in this field.
3.2. Main powers, duties and responsibilities
The main powers, duties and responsibilities of the Poverenik, as the most important state body in this field, are as follows. The Poverenik:
- supervises and ensures the implementation of the Law in accordance with its powers;
- takes care of raising public awareness of risks, rules, safeguards, and rights related to processing, especially if it concerns processing data of a minor;
- gives opinion to the National Assembly, the Government of Serbia ('Government'), other authorities and organisations, in accordance with the Law, on legal and other measures related to the protection of the rights and freedoms of natural persons in connection with processing;
- takes care of raising the awareness of controllers and processors of their obligations under the Law;
- at the request of data subjects, provides information on their rights prescribed by the Law;
- acts on complaints of the persons to whom the data relate, determines whether there has been a violation of the Law, and informs the complainant of the course and the results of the proceedings being conducted;
- cooperates with the supervisory authorities of other countries with regard to personal data protection, and in particular by sharing various information and engaging in mutual legal assistance;
- carries out inspection supervision of the application of the Law, in accordance with the Law and the general law governing inspection supervision, and submits a request for initiating misdemeanour proceedings if it determines that the Law may have been violated, in accordance with the law that regulates misdemeanours;
- monitors the development of information and communication technologies, as well as business and other practices relevant to the protection of personal data;
- drafts and approves SCCs;
- prepares and publishes lists under Article 54(5) of the Law;
- gives a written opinion from Article 55(4) of the Law;
- keeps records of data protection officers;
- encourages the development of codes of conduct and gives opinions and approval to the codes of conduct;
- performs tasks in accordance with Article 60 of the Law;
- encourages the issuance of a certificate for the protection of personal data and the corresponding trademarks and labels, and sets out the criteria for certification;
- conducts periodic reviewing of certificates;
- prescribes and publishes criteria for accreditation of the certification body;
- approves the provisions of a contract or agreement;
- approves binding corporate rules;
- keeps internal records of violations of the Law and of the measures taken in the course of inspection supervision; and
- performs other tasks in accordance with the Law.
The Poverenik is authorised to:
- instruct the controller and processor, and where appropriate, their representatives, to provide all the information it requires while exercising its authority;
- check and evaluate the implementation of the provisions of the Law and otherwise supervise the protection of personal data by using inspection powers;
- check the fulfilment of the requirements for certification;
- register and publish the code of conduct, to which it has previously given its consent;
- inform the controller or processor about possible violations of the Law;
- request and obtain access from the controller and processor to all personal data, as well as information necessary for the exercise of its authority; and
- request and obtain access to all premises of controllers and processors, including access to all facilities and equipment.
The Poverenik is authorised to take the following corrective measures:
- to warn the controller and the processor by submitting a written opinion that the intended processing operations may violate the provisions of the Law;
- to issue a warning to the controller or processor if the processing violates the provisions of the Law;
- to order the controller and the processor to act upon the request of the data subject in connection with the exercise of their rights, in accordance with the Law;
- to order the controller and the processor to bring the processing operations into line with the provisions of the Law, in a specific manner and within a specified time;
- to instruct the controller to inform the person whom the personal data refers to about the violation of his/her personal data;
- to impose a temporary or permanent restriction on processing operation, including a prohibition on processing;
- to order the correction or deletion of personal data or restrict the performance of the processing operation, and order the controller to inform the other controller, the data subject and the recipients to whom the personal data have been disclosed or transferred;
- to revoke the certificate or to order the certification body to revoke the certificate, as well as to order the certification body to refuse to issue the certificate if the conditions for its issuance are not fulfilled;
- to impose a fine on the basis of a misdemeanour warrant if, during inspection, it establishes that there was a breach for which the Law prescribes a fine in a fixed amount, instead of other measures, depending on the circumstances of the particular case; and
- to suspend the transfer of personal data to a recipient in another country or international organisation.
The Poverenik is obliged to prepare an annual report on its activities, which contains information on the types of violations of the Law and the measures taken in connection with those violations, as well as to submit it to the National Assembly. This report has to be submitted to the Government and made available to the general public in an appropriate manner.
4. KEY DEFINITIONS
Data controller: A natural or legal person or public authority which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by law, the controller, or the specific criteria for its nomination, may be provided for by law.
Personal data: Any information relating to a natural person whose identity is determined or identifiable, directly or indirectly, in particular by reference to an identifier such as a name and identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive data: Any personal data that contains information relating to a data subject's race or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Biometric data: Personal data obtained by special technical processing related to physical characteristics, physiological characteristics or behavioural characteristics of a natural person, which enables or confirms the unique identification of that person, such as a picture of his/her face or dactyloscopic data.
Pseudonymisation: Processing in a way that prevents the attribution of personal data to a particular person without the use of additional data, provided that such additional data is stored separately and that technical, organisational and personnel measures are taken to ensure that personal data cannot be attributed to a particular or identifiable person.
Data subject: The natural person whose personal data is processed. A natural person in the context of the Law is the person whose personal data is processed, whose identity is determined or determinable, directly or indirectly, in particular by reference to an identifier such as a name and identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data processing: The definition of data processing is very broad and means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
5. LEGAL BASES
Data processing may be carried out when the data subject provides prior consent to such processing. Consent is defined as any freely given, specific, informed and unambiguous indication of the data subject's will by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Data processing may be carried out when necessary for execution of a contract concluded with the data subject or for taking actions, per request of the data subject, before the contract is concluded.
Data processing may be carried out when necessary in order for the controller to comply with its legal obligations.
Data processing may be carried out when necessary in order to protect the vital interests of the data subject or of another natural person.
Data processing may be carried out when necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Data processing may be carried out when necessary for the purposes of the legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, and in particular when the data subject is a child.
The Law prescribes that personal data must be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (i.e. lawfulness, fairness and transparency);
- collected for purposes that are specified, explicit, justified and lawful, and not further processed in a manner incompatible with those purposes (i.e. purpose limitation);
- adequate, relevant and limited to what is necessary in relation to the purpose of processing (i.e. data minimisation);
- accurate and, when necessary, kept up to date. Taking into consideration the purpose of processing, every reasonable step must be taken to ensure that personal data that are inaccurate, are erased or rectified without delay (i.e. accuracy);
- kept in a form that allows identification of data subject only for the time period that is necessary for fulfilment of the purpose of processing (i.e. storage limitation);
- processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, as well as against accidental loss, destruction or damage, using appropriate technical or organisational measures (i.e. integrity and confidentiality).
7. CONTROLLER AND PROCESSOR OBLIGATIONS
Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller must implement appropriate technical, organisational and personnel measures to ensure and to be able to demonstrate that processing is performed in accordance with the Law.
Where processing is to be carried out on behalf of a controller, the controller must use only processors providing sufficient guarantees to implement appropriate technical, organisational and personnel measures in such a manner that processing will meet the requirements of the Law and ensure the protection of the rights of the data subject.
The obligation of notification has been abolished under the Law in the sense that the online registry maintained by the Poverenik has ceased to exist.
There are two grounds on which personal data may be transferred to third countries without the approval of the Poverenik: an adequate level of protection, or appropriate safeguards.
A transfer of personal data to another country, to a part of its territory, or to one or more sectors of certain activities in that country, or to an international organisation, may be performed without prior approval if it is determined that such other country, part of its territory, one or more sectors of specific activities in that country, or that international organisation provides an adequate level of protection of personal data. An adequate level of protection is considered to be provided in countries and international organisations that are parties to the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, i.e. in countries, parts of their territories, or one or more sectors of certain activities in those countries or international organisations for which the EU has established that they provide an adequate level of protection.
In this respect, the Government has adopted a Decision on the List of Countries, Parts of Their Territories or One or More Sectors of Certain Activities in Those Countries and International Organisations where it is Considered that an Adequate Level of Protection of Personal Data is Ensured (only available in Serbian).
In addition, an adequate level of protection is deemed to have been provided if an international agreement on the transfer of personal data has been concluded with another country or international organisation.
Appropriate safeguards include SCCs as a result of the SCC Decision, as well as Binding Corporate Rules, an approved code of conduct or an issued certificate. If a transfer of personal data is planned to a country that is not on the list of countries providing an adequate level of protection, the transfer can only be carried out with the special consent of the Poverenik.
Outsourcing companies need to further strengthen security and privacy and align their practices with the Law. Outsourcing services providers play the role of the data processors and the companies that outsource are the data controllers. The relationship between controller and processor is described under section 7. above.
The controller (and its representative, if determined) is obliged to maintain records of processing activities under its responsibility, which contain the following information:
- the name and contact details of the controller, the joint controllers, the controller's representative and the DPO, if they exist, i.e. if they are appointed;
- the purpose of processing;
- categories of data subjects and categories of personal data;
- categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation, as well as the documents concerning the implementation of security measures, when applicable; and
- general description of prescribed security measures.
The processor (and its representative, when appointed) is obliged to maintain records of all categories of processing activities carried out on behalf of a controller, containing the following information:
- the name and contact details of each processor and of each controller on behalf of which the processor is acting, as well as of the DPO, if appointed;
- categories of processing carried out on the behalf of the controller;
- transfers of personal data to a third country or an international organisation, provided that the controller explicitly requests it, including the identification of that third country or international organisation, if such transfer of personal data is carried out; and
- general description of prescribed security measures, if possible.
When it is likely that a certain type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, will result in a high risk to the rights and freedoms of natural persons, the controller is obliged to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, prior to the processing.
The controller is obliged to seek advice from the DPO, if one is appointed.
A Data Protection Impact Assessment ('DPIA') is mandatory in following cases:
- a systematic and extensive evaluation of the state and personal aspects of natural persons which is performed through automated processing, including profiling, on the basis of which decisions are made that produce legal effects for the natural person or in a similar manner significantly affect the natural person;
- processing of prescribed special categories of data, or of personal data relating to criminal convictions and offences, on a large scale; or
- a systematic monitoring of a publicly accessible area on a large scale.
The DPIA must contain at least:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects; and
- a description of measures envisaged to address the risks, including safeguards, as well as technical, organisational and personnel measures to ensure the protection of personal data and to demonstrate compliance with the Law, taking into account the rights and legitimate interests of data subjects and other persons.
If the DPIA indicates that the intended processing actions will produce a high risk if the measures for reducing the risks are not taken, the controller is obliged to seek the Poverenik's opinion prior to commencement of processing.
The controller and the processor are obliged to designate a DPO where:
- the processing is carried out by a public authority or body;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
With regard to the DPO's required qualifications, he/she shall be designated on the basis of professional qualities and, in particular, expert knowledge and experience of data protection law and practices and the ability to fulfil the relevant tasks. The DPO may be employed by the controller or processor, or fulfil the tasks on the basis of a contract.
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Poverenik, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Where the notification to the Poverenik is not made within 72 hours, it shall be accompanied by an explanation of the reasons for such delay.
The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
The notification shall at least:
- describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer or another contact point where more information can be obtained;
- describe the likely consequences of the personal data breach; and
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall notify the personal data breach to the data subject without undue delay.
The notification to the data subject shall describe in clear and plain language the nature of the personal data breach and contain at least the name and contact details of the DPO or other contact point, the likely consequences of the breach, and the measures taken or proposed to address it (i.e. the second, third and fourth points of the notification to the Poverenik listed above).
The notification to the data subject shall not be required if any of the following conditions are met:
- the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; or
- it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
One of the basic principles of the Law is storage limitation. Personal data has to be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
There are no specific retention periods (i.e. specific time limits) for different types of personal data set under the Law. In addition, the Law prescribes that where personal data relating to a data subject is collected from the data subject, the controller shall, at the time when personal data is obtained, provide the data subject with all relevant information, inter alia, the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
The Law only prescribes that a minor who is at least 15 years old may independently give consent for the processing of their personal data in relation to information society services. If the minor is below 15 years of age, the consent must be given by the parent holding parental responsibility or by another legal guardian of the minor. The controller must take reasonable measures to verify whether the consent was given by the parent (or other legal guardian), taking into consideration available technology.
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation is prohibited.
The prohibition does not apply when:
- the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where the law prescribes that consent cannot serve as a legal basis for such processing;
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, if such processing is prescribed by law or collective agreement that prescribes the application of appropriate safeguards for the fundamental rights and the interests of the data subject;
- processing is necessary to protect the vital interests of the data subject or of another natural person if the data subject is physically or legally incapable of giving consent;
- processing is carried out within the registered business activity and with implementation of appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim, provided that the processing relates solely to the members or former members of the body or to persons who have regular contact with it in connection with its purposes, and that the personal data are not disclosed outside that body without the consent of the data subjects;
- processing relates to personal data which are manifestly made public by the data subject;
- processing is necessary for the establishment, exercise, or defence of legal claims or whenever courts are acting in their judicial capacity;
- processing is necessary for reasons of substantial public interest envisaged by law, if such processing is proportionate to the aim pursued, respecting the essence of the right to data protection and provided that the implementation of suitable and specific measures to safeguard the fundamental rights and the interests of the data subject is ensured;
- processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social protection services, or the management of health or social care systems and services in accordance with laws or pursuant to a contract with a health professional, if the processing is done by or under the supervision of a health professional or another person subject to a duty of professional secrecy prescribed by law or by professional rules;
- processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of a law that ensures appropriate and specific measures to safeguard the fundamental rights and the interests of the data subject, particularly with regard to professional secrecy; or
- processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with the Law, if such processing is proportionate to the aim pursued, respecting the essence of the right to data protection and provided that the implementation of suitable and specific measures to safeguard the fundamental rights and the interests of the data subject is ensured.
Processing of personal data relating to criminal convictions, offences and security measures may be carried out on one of the legal bases prescribed by the Law (listed in section 5), and only under the supervision of the relevant authority or, where the processing is permitted by law, with appropriate specific measures for the protection of the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of an official authority.
Processing by a processor shall be governed by a contract or other legally binding act, concluded or adopted in writing (including in electronic form), that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.
The contract or other legally binding act shall stipulate, in particular, that the processor:
- processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by law. In such a case, the processor is obliged to inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
- ensures that the natural persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- takes all measures required pursuant to the security of processing under Article 50 of the Law;
- respects the conditions for engaging another processor;
- taking into account the nature of the processing, assists the controller by appropriate technical, organisational and personnel measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down by the Law;
- assists the controller in ensuring compliance with the obligations pursuant to Articles 50 and 52-55 of the Law taking into account the nature of processing and the information available to the processor;
- based on the controller's decision, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless the law requires storage of the personal data; and
- makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article, and allows for and contributes to audits, including inspections, conducted by the controller or by another auditor mandated by the controller.
8. DATA SUBJECT RIGHTS
The controller shall facilitate the exercise of data subject rights. In certain cases, the controller shall not refuse to act on the request of the data subject for exercising his or her rights, unless the data controller demonstrates that it is not in a position to identify the data subject. The controller shall provide information on action taken on a request of the data subject without undue delay and in any event within 30 days of receipt of the request.
The controller is obliged to take appropriate measures to provide data subjects with the prescribed information, i.e. information concerning the exercise of their rights, in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular where the information is intended for a minor. The information is provided in writing or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is indisputably proven by other means.
The data subject has the right to request from the controller the information whether their personal data is processed or not, access to that data, as well as the following information:
- the purposes of the processing;
- the categories of personal data that are processed;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority (the Poverenik);
- any available information as to their source when the personal data are not collected from the data subject;
- the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data is transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
The data subject has the right to request from the controller access to personal data.
The data subject has the right to have their inaccurate personal data rectified without undue delay. Depending on the purpose of processing, the data subject has the right to have their incomplete data completed, which includes providing a supplementary statement.
The data subject has the right to have their personal data deleted by the controller in the following cases:
- the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation; or
- the personal data have been collected in relation to the offer of information society services.
Where the controller has made the personal data public and is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling. The controller can no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. When personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. In addition, when personal data are processed for scientific or historical research purposes or statistical purposes the data subject, on grounds relating to his or her particular situation, has the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, provided that:
- the processing is based on consent or on a contract; and
- the processing is carried out by automated means.
The data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, if such a decision produces legal effects concerning the data subject or in a similar manner significantly affects the data subject.
This right does not apply if the decision:
- is necessary for entering into, or performance of, a contract between the data subject and a data controller;
- is based on a law, if that law prescribes appropriate measures to safeguard the data subject's rights and freedoms and legitimate interests; or
- is based on the data subject's explicit consent.
The right to restriction of processing
The data subject has the right to request from the controller restriction of processing, in the following cases:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing and the verification whether the legitimate grounds of the controller override those of the data subject is pending.
When processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
The right to lodge a complaint before the Poverenik
The data subject has the right to lodge a complaint before the Poverenik, if they believe that the processing of their personal data was performed contrary to the Law. Lodging a complaint before the Poverenik does not affect the data subject's right to initiate other administrative or judicial proceedings.
The Poverenik is obliged to keep the data subject informed concerning the status of the proceedings.
The Poverenik may impose a fine by way of a misdemeanour order if, in the course of inspection supervision, it is established that a misdemeanour for which a fine is prescribed by the Law has occurred. The fine imposed may not, in any case, exceed the maximum amounts that can be imposed on a controller or processor for a misdemeanour under the Law, i.e. up to approx. €17,000.
There have been no notable enforcement decisions yet.