It seems that the protection of personal data has never been more important, and the exposure of personal data is increasing given the rapid development of digital technologies. More and more business owners are orienting their business, or at least part of it, towards digital technologies and the Internet, as it is indisputable that these tools are among the most important drivers of business development. Nevertheless, the development of these tools inevitably raises the issue of personal data protection, an issue that is increasingly prevalent and that gives rise to numerous doubts. Read below to learn what you need to know about the protection of personal data, how to harmonize your business in this area, and which practical situations most often involve violations of personal data.
Digitization and business
From reading the morning newspapers on Internet portals and using Google Maps to navigate around the city, to ordering various goods and services online, each of us uses digital technologies on a daily basis. Digital technologies make many everyday activities significantly easier and contribute to faster, simpler and more efficient business operations for all kinds of economic entities. Digital transformation is taking place in many spheres, and it brings a number of challenges with it, the most significant of which concerns the processing of the personal data of platform users. Although digitization is unavoidable for the development of a business, it is equally necessary for the business to comply with the regulations on the protection of personal data. It is therefore important to keep in mind how personal data is collected, processed and stored.
The protection of personal data in Serbia is governed by the current Personal Data Protection Act, adopted in 2018, which literally adopted the provisions of the EU General Data Protection Regulation (GDPR). This has drawn numerous criticisms, but the law has remained unchanged since its application began in August 2019. The current law defines numerous concepts and obligations that must be observed in business for the purpose of effective protection of personal data. Below you can learn what is considered personal data and what constitutes the processing of personal data.

The Personal Data Protection Act as a legal framework
First of all, personal data is defined as any data relating to a natural person whose identity is determined or determinable, directly or indirectly. It is therefore not necessary that the data identify the person with certainty; it is sufficient that the identity is determinable, i.e. that the identity of the person can be inferred from the data. The law lists some of the data that can be considered personal, such as name and identification number, location data, an identifier in electronic communication networks, or one or more features of the physical, physiological, genetic, mental, economic, cultural or social identity of a certain person. The processing of personal data means any action performed on the data, whether automated or not. Such actions include, for example, collection, recording, classification, grouping (i.e. structuring), storage, adaptation or modification, disclosure, inspection, use, disclosure by transmission (i.e. delivery), duplication, dissemination or otherwise making available, comparison, restriction, erasure or destruction.
An exception to the application of the law is the situation in which personal data is processed by a natural person for personal needs, that is, for the needs of his household. The Law applies to the processing of personal data carried out by a handler or processor that has its seat or residence in the territory of the Republic of Serbia, within the framework of activities carried out in that territory, regardless of whether the processing itself takes place in the territory of the Republic of Serbia. The Law also applies to the processing of personal data of a data subject who has a residence in the territory of the Republic of Serbia by a handler or processor that does not have a seat or residence in that territory, if the processing operations relate to the offer of goods or services to the data subject in the territory of the Republic of Serbia (regardless of whether that person is required to pay for those goods or services) or to the monitoring of the data subject's activities, if those activities are carried out in the territory of the Republic of Serbia. The Law therefore also extends to handlers and processors that have no residence or seat in the territory of the Republic of Serbia, which in certain cases creates an obligation to appoint a representative in Serbia. A representative is a natural or legal person with a residence or seat in the territory of the Republic of Serbia who, in accordance with the Law, is authorized to represent the handler or processor in relation to their obligations.

Processing principles – guidelines that must be followed
Recognizing the importance of personal data, the Law defines certain principles that are mandatory when processing it. First of all, the Law provides that personal data must be processed lawfully, fairly and transparently in relation to the person to whom the data relates. Processing is therefore permitted only in compliance with legal provisions and with transparent notification of the processing. Furthermore, the Law lays down the principle of purpose limitation: data may be collected only for purposes that are specifically determined, explicit, justified and lawful, and may not subsequently be processed in a way that is incompatible with those purposes. In this sense, for each processing operation it is necessary to determine a purpose that is genuinely justified and lawful. In addition, personal data processed for a specific purpose may not be processed for other purposes that were not previously determined. One of the essential principles is the principle of data minimization, which establishes the obligation to process only data that is appropriate, essential and limited to what is necessary for the purpose of processing. In this way the Law limits the amount of personal data processed, requiring handlers and processors to achieve the necessary purpose while processing as little personal data as possible. Thus, when you order food through a digital platform, you disclose personal data such as your name (in addition to gender), address and phone number, while it is absolutely unnecessary to disclose your unique identification number (JMBG), given that the purpose (delivery of food to your address) can be achieved without this information.
The next principle stipulates that the data must be accurate and, where necessary, kept up to date. The principle of storage limitation means that data must be stored only for the period necessary to achieve the purpose. Finally, and among the key principles, is the principle of integrity and confidentiality. This principle requires that data be processed in a way that ensures adequate protection of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate measures. It is therefore necessary to implement appropriate measures to ensure adequate protection of personal data and to prevent unauthorized or unlawful processing; an example of this is described below.

Cases of unauthorized and illegal processing of personal data
In practice, situations of unauthorized and unlawful processing of personal data arise frequently. One such example is hacker attacks, which are becoming more frequent with the development of digital technologies. If such a situation occurs, it is necessary to determine as soon as possible whether there could be a personal data breach and, if so, exactly which data is affected and the number of persons whose personal data was breached, and to take appropriate measures to prevent further breaches. In any case, the operator is obliged to inform the Commissioner for Information of Public Importance and Protection of Personal Data of a personal data breach that may pose a risk to the rights and freedoms of natural persons without undue delay, or, where possible, within 72 hours of becoming aware of the breach. The 72-hour deadline is extremely short, which indicates the need for urgent action, but it is not preclusive: it is possible to inform the Commissioner even after the deadline, although in that case the operator is obliged to explain the reasons for not acting within it.
The operator is also obliged to inform the data subjects if the personal data breach may cause a high risk to their rights and freedoms. Therefore, in the event of a personal data breach, notifying the Commissioner is always necessary, while the obligation to notify the data subjects exists only if the breach can cause a high risk to the rights and freedoms of those persons. The legislator did not define what constitutes a high risk to the rights and freedoms of natural persons, so when assessing whether a particular breach can produce such a level of risk that the affected persons must be notified, it is necessary first of all to consult the practice of the Commissioner.

Regarding the legality of personal data processing, the Law provides in which cases the processing is considered legal. In this sense, the processing is legal only if one of the following conditions is met:
1) the person to whom the personal data refers has consented to the processing of his personal data for one or more specially determined purposes;
2) processing is necessary for the execution of a contract concluded with the person to whom the data refer or for undertaking actions, at the request of the person to whom the data refer, before the conclusion of the contract;
3) processing is necessary in order to comply with the legal obligations of the operator;
4) processing is necessary in order to protect vital interests of the person to whom the data refer or another natural person;
5) processing is necessary for the purpose of performing tasks in the public interest or exercising the legally prescribed powers of the operator;
6) processing is necessary in order to achieve the legitimate interests of the operator or a third party, unless those interests are overridden by the interests or fundamental rights and freedoms of the person to whom the data refer that require the protection of personal data, and especially if the person to whom the data relates is a minor.
In accordance with the above, it is extremely important that the business is fully harmonized before any processing of personal data, so that situations involving unlawful processing are avoided. The most common cases of unlawful processing of personal data arise when personal data is processed during the online purchase of goods. The practice of the Commissioner shows that unlawful processing exists where the operator processes identity document numbers (identity card or passport) collected during the online purchase of goods through certain websites, because at the time the disputed data was collected the conditions prescribed by law were not met, that is, the processing of this personal data was not necessary in order to comply with the legal obligations of the operator. Namely, the Commissioner took the position that the operator's legal obligation arises only at the moment of refunding money to the customer (which was the stated purpose of collecting this data), so the operator acted contrary to the principle of lawfulness, fairness and transparency as well as the principle of data minimization.

Business compliance
If you are thinking of making your business available on a digital platform, it is important to know that there are certain obligations you must fulfil. Thus, if you own a website, it is necessary to adopt and publish a Privacy Policy, as well as a Cookie Policy if you use cookies in your business. The Privacy Policy is a comprehensive document in which you must specify which personal data you process and for what purposes. It is very important that the Privacy Policy provides, in a clear and transparent manner, all the necessary information about the processing of personal data as well as the rights of the persons to whom the processing refers.
On the other hand, a Cookie Policy is adopted when your website also uses "cookies", i.e. pieces of computer code, which serve different functions. Certain cookies are used to analyze visits to particular pages, the length of stay on the website, marketing and the like. Accordingly, there are different types of cookies: necessary, functional, statistical, marketing and others. With regard to cookies, the website must carry a notice about their use, that is, about the purpose of the data collection and processing, and the person must be able to refuse such processing in a simple way.
The Cookie Policy explains in a simple and transparent way which types of cookies are used when visiting the website, the purpose of each of them, and how they can be blocked.
In addition to the above-mentioned documents, it is important to regulate the relationship between the handler and the processor by concluding a contract that defines in detail the mutual rights and obligations regarding the processing of personal data. A contract is also required where there are joint operators, i.e. where two or more operators jointly determine the purpose and method of processing. As a document regulating all important issues of personal data processing, an Internal Privacy Policy is adopted, which governs the processing of personal data in a detailed and comprehensive manner.
Harmonizing your business with personal data protection is not only a legal necessity; it also contributes significantly to a better reputation on the market, considering that users are paying more and more attention to whether a company operates in a socially responsible manner.

In the era of digitization and the rapid flow of large amounts of information, it is very important to organize your business in a way that is fully compliant with legal norms. Respect for privacy, as one of the relatively recent rights, is essential for lawful business and business development. If you have not yet harmonized your business with the obligations in the area of personal data protection, you should do so as soon as possible in order to avoid fines that can be up to 2,000,000.00 dinars. Feel free to contact us if you need help in complying with these legal obligations.
This article is for informational purposes only and does not constitute legal advice. If you need additional information regarding the topic in question, please feel free to contact us by email at office@ncrlawyers.com or by phone at +381677049551.