Commissioner for Information of Public Importance and Personal Data Protection, Serbia
- Legal grounds for the protection of personal data in the national legislation
- The status and the legal position of national DPA
- The legal rights and the limitations of the national DPA
- Contact information
1) Legal grounds for the protection of personal data in the national legislation
Legal grounds for the protection of personal data in Serbia can be found in, above all, the Constitution of the Republic of Serbia and the Law on Personal Data Protection.
Within the section two of the Constitution of the Republic of Serbia entitled Human and Minority Rights and Freedoms, Article 42 stipulates that personal data protection shall be guaranteed and that “collecting, keeping, processing and using of personal data shall be regulated by the law”. Accordingly, Serbia adopted its first Law on Personal Data Protection in 2008 (The Official Gazette of the Republic of Serbia, No. 97/08, 104/09-as amended 68/12-CC Decision 107/12). On 9 November 2018, the National Assembly of the Republic of Serbia adopted the new Law on Personal Data Protection, which came into force on 21 November 2018. However, the new Law will only become applicable nine months upon coming into force, i.e. on 21 August 2019.
2) The status and the legal position of national DPA:
Adopted in 2004, the Law on Free Access to Information of Public Importance established the institution of Serbian Commissioner for Information of Public Importance as an autonomous public authority exercising its powers independently. Since 2008, this institution is vested with powers related to personal data protection. The Commissioner’s competences are set by Article 44 of the currently applicable Law on Personal Data Protection1.
1 Please note that for the purpose of filling in this form and providing basic information about the national institution in Serbia responsible for the creation and implementation of the personal data protection, we will focus on the currently applicable Law and the rights and obligation stemming from it, bearing in mind that the new Law will only be applicable from 21 August 2019.
The Commissioner’s competencies and obligations in terms of safeguarding the right to personal data protection include the following activities:
- Supervising the enforcement of data protection;
- Deciding upon appeals in cases set out in the Law on Personal Data Protection;
- Maintaining the Central Register;
- Supervising and allowing trans-border transfer of data from the Republic of Serbia;
- Pointing out the identified cases of abuse in data collection;
- Producing a list of countries and international organizations with adequate provisions on data protection;
- Providing the institution’s opinion on the formation of new data files or introduction of new information technologies in data processing;
- Providingthe institution’sopinion in case of doubt whether a data set constitutes a data file within the meaning of this Law;
- Providingthe institution’sopinion to the Government in the procedure of enactment of instruments governing the methods of data filing and safeguards for particularly sensitive data;
- Monitoring the implementation of data safeguards and suggesting improvements;
- Giving proposals and recommendations for improving data protection;
- Giving prior opinion on whether a certain processing method constitutes a specific risk for citizen’s rights and freedoms;
- Keeping up to date with the data protection arrangements in other countries;
- Cooperating with authorities responsible for data protection supervision in other countries;
- Determining the way in which data are to be handled if a data controller ceased to exist, unless provided otherwise.
The Commissioner is obliged to submit its annual report to the National Assembly of the Republic of Serbia, as well as to make it available to the President of the Republic of Serbia, the Government and the Ombudsperson and to the general public through appropriate means. This report provides detailed information on the institution’s work and the current situation in exercising the rights to both free access to information of public importance and personal data protection in Serbia. It, therefore, represents the essential document on the practice of the personal data protection in Serbia.
3) The legal rights and the limitations of the national DPA:
According to the currently applicable Law on Personal Data Protection, the prescribed time limits for the controller to act upon a request for information on personal data processing is 15 days from the day of submission of the request, or 30 days from the day of submission of the request for insight or for the copy of the documents containing personal data, or 15 days from the day of submission of the request concerning the performed insight. The data subject may submit an appeal to the Commissioner regarding personal data processing within 15 days upon receiving the ruling by which the request is denied or rejected. Moreover, the data subject may submit an appeal even upon the expiry of the prescribed time limit for the so-called “failure of the authorities to act”.
The Commissioner is obliged to decide upon appeals within 30 days of lodging at the latest.
The Commissioner is not authorized to supervise the processing of personal data in public media.
In deciding upon an appeal, the Commissioner may reject all untimely or incomplete appeals or reject ungrounded appeals. If the Commissioner establishes that the appeal is grounded, he/she has the right to order the data controller to act upon request within a specified period of time.
However, one of the most significant limitations of the Commissioner refers to the fact that this institution was not able to enforce its decisions upon public authorities in the past, which somewhat led to the “dead letter” effect. Moreover, all parties are entitled to initiate an administrative dispute against the Commissioner’s decision.
4. Contact information
Commissioner for Information of Public Importance and Personal Data Protection
15 Bulevar kralja Aleksandra, Belgrade 11120, Serbia
Tel: +381 11 3408 900
Fax: +381 11 3343 379