28 Jul 2022

The Personal Data Protection Act Revisited

Although the Personal Data Protection Act (“Act”) has been in effect for four years, it seems that its provisions have not yet been fully implemented in practice, nor have all companies in Serbia fully adapted to them.

Non-compliance with the obligations prescribed by the Act especially starts hurting when inspections are carried out by the Commissioner, and a new round is being announced. So, let’s take a moment to revise what companies should pay attention to when it comes to complying with the Act.

Back to basics

The general obligations of companies are contained in the principles of the Act. Even when the Act does not give an unambiguous answer to a question, it can be found through an interpretation of the principles. Non-compliance with a principle may lead to misdemeanor liability.

When handling personal data, a company must first make sure that personal data is processed in a lawful, fair and transparent manner in relation to the data subject (principle of legality) and that the data is collected for specific, explicitly justified purposes (principle of purpose limitation). In addition, the data collected must be appropriate to the purpose of the processing (data minimization principle). The company must process the data in such a way as to protect it against unlawful and unauthorized processing, damage, destruction and accidental loss (integrity principle), and must keep it in a form that allows identification of the data subject only for as long as the processing requires (storage limitation principle). Finally, the company is obliged to take measures to correct inaccurate data promptly, or to delete it (accuracy principle).

Therefore, the central question is – when is processing deemed lawful? Processing of personal data is lawful when it is based on the conclusion and performance of an agreement, compliance with a legal obligation, the performance of work in the public interest, the legitimate interest of the handler, or, finally, the consent of the data subject. What features must consent have for the processing to be lawful? Of course, consent must be freely given, but it must also be given for a specific purpose.

So what if the data is processed for a purpose other than that for which it was collected? In that case, the Act stipulates that the company is obliged to assess whether the alternative purpose is compatible with the original one, taking into account in particular the connection between the original and the alternative purpose, the circumstances in which the data were collected, the nature of the data, the possible consequences of further processing, and the application of appropriate protection measures, such as pseudonymization.

In addition, the company is obliged to inform the individual about who is handling the data, the contact details of the person responsible for personal data protection (if appointed), the legal basis and purpose of the processing, any intention to transfer the data abroad and the relevant information related to such a transfer. The individual must also be informed that they have the right to request access to, correction or deletion of their data, the right to object, the right to revoke consent, the right to file a complaint with the Commissioner, and the period for which their data will be kept.

Consequences of non-compliance

  • Misdemeanor liability

The Act envisages fines ranging from RSD 50,000 to RSD 2,000,000 for legal entities in misdemeanor proceedings, for misdemeanors such as processing personal data contrary to the principles or contrary to the rules on processing data for other purposes.

  • Individual fines

In addition to misdemeanor liability, the Act also provides for separate fines that may be imposed on top of the fine for certain misdemeanors. Such fines are imposed by the Commissioner in the course of an inspection.

  • Compensation for damages

The Act provides the data subject with a right to compensation for material and non-material damage caused by a company's non-compliance with the provisions of the Act.

In addition to the above, it should not be forgotten that non-compliance with the provisions of the Act also carries reputational risk, which, in business models where the relationship of trust with clients is particularly pronounced, may be more painful than the highest prescribed fine.