26 Apr 2017

New Data Protection Enforcement: Is Your Business Ready for It?

Businesses beware – imposing fines of up to 10% of a company’s Serbia-originated annual income in order to enforce Data Protection compliance will be one of the measures available to the Commissioner[1] as of June 1, 2017, when the new Administrative Procedure Act is set to come into force. The changes to the Administrative Enforcement Procedure will allow this Data Protection Authority to enforce its decisions by fining companies in amounts considerably higher than the maximum enforcement-related fine of RSD 200,000.00 (approx. EUR 1,600.00) allowed by the current statute.

This means that all companies will, if so ordered by the Commissioner, have to achieve full compliance with Serbian Data Protection rules within the timeframe determined by the Commissioner on a case-by-case basis. Since achieving Data Protection compliance can be a complex process, especially for multinationals that have outsourced some of their functions to foreign group members, it is advisable to reflect on potential issues before the Commissioner takes an interest in a particular company.

Listed below are questions that roughly indicate a company’s potential for Data Protection non-compliance, and thus exposure. If you have any questions related to this assessment, please don’t hesitate to contact Nikola Aksić or Dušan Romčević.

DATA PROTECTION RISK ASSESSMENT QUESTIONS

Has a company registered its records that contain personal data with the Commissioner?

Subject to a few exceptions, companies that hold records containing personal data are obliged to register these records and related information with the Commissioner. This includes records on customers, job applicants, business partners, etc. Even some records containing employee-related information have to be registered. The list of companies that have at least partially registered their records can be found on the Commissioner’s website[2].

Please note that the Personal Data Protection Act defines personal data (and thus records containing personal data) in very broad terms, encompassing all information related to a specific natural person, such as a name, a phone number, an e-mail address, gender, etc.

Does a company export personal data?

In practical terms, export of personal data means a transfer of personal data to a foreign entity, including the transfer of data in electronic form to a foreign computer server. If a company exports personal data to a country that is not a signatory to the Council of Europe’s Privacy Convention[3] (e.g. the USA, the UAE, or China), such export is subject to the Commissioner’s approval and a traditionally lengthy procedure. This Data Protection issue is of special significance for multinationals.

Does a company keep personal data information related to more than 250 persons?

At this moment, Serbian law does not prescribe any special Data Protection obligations for companies that hold records containing personal data on more than 250 persons. However, the Commissioner has proposed changes to the Personal Data Protection Act that would impose such obligations. Since the Commissioner has significant “prosecutorial discretion”, i.e. he is free to choose which companies he will target, it is safe to assume that these companies will face increased scrutiny.

Please note that the threshold of 250 persons covers not only data on employees, but also data on customers, suppliers, persons on contact lists, etc.

Does a company adhere to the Data Retention rules/procedures?

Serbian law prescribes rules on recordkeeping, which encompass an obligation to keep records for a certain period of time (depending on the type of record), to implement safety measures, and to adopt related bylaws – including the List of Data Categories with the Recordkeeping Timeframe. Data Retention rules/procedures are closely related to Data Protection, and are usually dealt with at the same time.

These rules have not been rigorously implemented so far, mostly due to the lack of adequate fines, which in some cases are capped at as little as RSD 10,000.00 (approx. EUR 80.00). However, in light of the fines that can be imposed under the new Administrative Enforcement Procedure, it is strongly advisable to observe these rules more closely from now on.

Suggested Approach

Depending on the answers to the questions above, it might be advisable to perform a Data Protection compliance analysis and, if necessary, to take measures to achieve compliance in line with the results of that analysis. The analysis should cover all aspects of Data Protection-related obligations and should propose concrete remedies for any potential issues.

General Compliance

Although this article deals with Data Protection rules, please note that the changes to the Administrative Enforcement Procedure will affect all areas of regulatory compliance, not only Data Protection. Depending on a company’s core business activity, it might be advisable to conduct other compliance analyses, such as those related to specific sectoral rules, anti-money laundering, FX regulations, etc.

If you have any questions related to this topic please don’t hesitate to contact Nikola Aksić or Dušan Romčević.

Notes

[1] Commissioner for Information of Public Importance and Personal Data Protection, in line with the Serbian Act on Personal Data Protection
[2] http://registar.poverenik.rs/onlineusers/search
[3] Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data