![](https://www.advokativkovic.com/wp-content/uploads/2020/04/gdpr.jpg)
GDPR – the abbreviation that marked the past year
The global importance of social networks, the large number of users and the flow of information on them have brought many challenges. To address them, the European Union has resorted to protecting users from large corporations and from the increasing misuse of data that is available to those corporations more than ever before. The General Data Protection Regulation (“GDPR”) and its effect in the Republic of Serbia have raised many questions and concerns, since the Republic of Serbia is not yet a member of the EU.
First of all, the hierarchy of legal regulations in our country, determined by the Constitution of the Republic of Serbia from 2006, is specific, and this specificity is reflected in the high hierarchical position of international treaties: immediately below the Constitution, ratified (confirmed) international treaties rank above laws. This is one of the factors that raises the question of whether the GDPR applies. However, the regulation is a unilateral act, unlike an international treaty, so it cannot take effect in the territory of the Republic of Serbia by itself. The situation is different when our companies operate in the territory of the EU: they will have to comply with the provisions of that regulation. This means that, in theory, the provisions of the GDPR can apply to companies from the Republic of Serbia that offer products and services to EU citizens, although this in turn raises the question of the competence of bodies within the European Union itself.
To address these challenges and incorporate them into our legal system, the Legislature has enacted the Personal Data Protection Act, which has been in force since August 21, 2019. Compared to the previous law that regulated this area, the current Personal Data Protection Act is much more extensive and relies heavily on the GDPR regulation mentioned above, precisely in order to overcome the challenges described.
Below, after this introductory part, we will try to answer some of the key questions that have come up in our practice regarding the Personal Data Protection Act.
What is the appropriate legal basis for processing personal data?
Similarly to the existing legal framework, the company, as the data controller, must ensure that there is an adequate legal basis for any collection and processing of data (for example: consent, fulfillment of a legal obligation, performance of a contract, the vital interest of the data subject, legitimate interest, etc.) (Article 12 of the Personal Data Protection Act). If, for example, the company collects data on employees on the basis of the obligations prescribed by the Law on Records in the Field of Work (“Official Gazette of the FRY”, No. 46/96 and “Official Gazette of the RS”, No. 101/2005 – other law and 36/2009 – other law) or the Law on Safety and Health at Work (“Official Gazette of the RS”, No. 101/2005, 91/2015 and 113/2017 – other law), the legal basis for collecting and processing the data is compliance with the legal obligation of the controller. Another example is the creation of cards for recording when an employee came to work, data for employee profiles used to log in to programs, etc., where the legal basis for processing could be the performance of a contract concluded with the data subject (in this case, the employment contract).
What type of consent is required to process personal data?
Article 23 of the Personal Data Protection Act provides that the data subject must be informed in a timely and appropriate manner about the collection or processing of data. At the same time, the person must be informed of their rights in this regard. In practice, this is already reflected in our daily “surfing” of the internet: the pages we visit usually ask, at the bottom of the page, for our consent to the use of so-called cookies. In this way, we give our consent and at the same time confirm that we have been informed of our rights guaranteed by the Personal Data Protection Act.
How are records of data processing operations kept?
A common question is also the issue of records of processing operations. In order to keep records, the controller must designate a representative who is in charge of and responsible for performing these actions in accordance with the law. The records must have the form prescribed by law, as provided for in Article 47 of the Act. However, it is not necessary to keep these records unless special (sensitive) categories of data are processed, or unless the legal entity has more than 250 employees. Under special categories of personal data, the legislator includes racial or ethnic origin, political opinion, religious or philosophical belief or union membership, as well as the processing of genetic data, biometric data, etc. (Article 17, Paragraph 1 of the Act). This also covers personal data relating to criminal convictions, criminal offenses and security measures (Article 19 of the Act). Notwithstanding the exceptions mentioned above, we advise our clients to maintain internal records in accordance with Article 47 of the Act.
In addition to the issues discussed above, the changes introduced by the new Personal Data Protection Act have opened a number of other questions that go beyond the scope of this basic overview of current issues. In practice, depending on the activity and category of our clients, other issues arise, such as the technical, organizational and personnel measures to be taken. The potential transfer of personal data also raises questions: whether it is allowed, and whether the data can be transferred outside the borders of the Republic of Serbia in the case of international business and partnership obligations.
If you have questions about these matters, or any other questions regarding the GDPR regulation or the Personal Data Protection Act, please feel free to contact us.