This will be the first such comprehensive document of strategic importance in the segment of personal data protection and it will define the obligations of state bodies in the protection of this human right.
“Education of young people on the topic of personal data protection has a crucial impact on the effective and comprehensive protection of personal data in society as a whole because young people are the ones whose personal data are jeopardized because they are the biggest and most active users of online content,” Milan Marinović, Commissioner for Information of Public Importance and Personal Data Protection, says.
We can agree that the abuse of personal data is strongly present. Has anything been done since the beginning of 2020 to date to change this situation in a positive sense?
In terms of personal data protection, in the period from 1 January 2020 to 25 May 2021, regarding the protection of personal data, the Commissioner initiated a total of 465 supervisions, of which 233 regular, 231 extraordinary and 1 mixed. The object of the supervision were data handlers, mostly companies and small business owners (231), state administration bodies (60), provincial authorities (33), health care institutions (28), local self-government bodies (20), public companies (18), banks (13) and others. The most common reasons for initiating supervision were personal data security (48.1%), online and electronic communication (8.2%), video surveillance (4.2%), the unique master citizen number (JMBG) (3.9%), data processing in the health sector (3.5%) and others. After the inspections, the Commissioner issued 95 corrective measures, of which he issued 87 warnings to data handlers, in 6 cases he imposed temporary or permanent restrictions on data processing and in 2 cases he ordered the harmonization of processing operations with the provisions of the relevant law. In addition, 4 criminal charges and 7 requests for initiating misdemeanor proceedings were filed. Since the beginning of the implementation of the relevant law, 2,064 checklists have been sent to the data handlers to assess the risk of processing personal data at their premises, while 32 handlers have submitted the checklist to the Commissioner on their initiative.
As of 1 January 2020, a total of 249 complaints have been filed with the Commissioner due to the violation of personal data, of which 237 were resolved”
251 handlers did not submit the completed checklist to the Commissioner even after the Commissioner’s urgency. Based on these checklists, the Commissioner draws up an annual oversight plan. As of 1 January 2020, a total of 249 complaints have been filed with the Commissioner due to the violation of personal data, of which 237 were resolved. Because the implementation of the new law began only on 22 August 2019 and, in connection with, there is the need for all society members – data handlers and data processors, on the one hand, and citizens whose data are processed, on the other – to better educate themselves about the rights and obligations under the law, the Commissioner held 32 training sessions covering that segment.
The COVID-19 pandemic has caused great changes in all segments of society. Did the same happen in personal data protection and if it did, to what extent? Have there been any violations and what has been done to prevent further violations?
Since the beginning of the COVID-19 pandemic, the Commissioner has paid special attention to the protection of the data of infected persons. Thus, even before the beginning of the declared state of emergency, he issued a statement warning the media not to publish personal data of persons suffering from the coronavirus, and during the state of emergency, he also issued an appeal regarding the protection of student health data and a press release on personal data processing during a state of emergency. Despite the above, several cases of personal data violations were recorded, the most drastic of which was the exposure of the COVID-19 Information System and the relatively easy access to data on patients living on the territory covered by one particular health care institution. Thanks to the fast and efficient intervention of the Commissioner, there were no negative consequences and the mentioned data were not compromised.
The first generation of students of the Faculty of Security, majoring in management of personal data protection, was awarded certificates based on cooperation with the Commissioner’s Office. Are there plans to hold training sessions at other educational levels as well?
In cooperation with the Faculty of Security, we managed to train 55 people who have acquired the title of personal data protection manager following a short study programme that lasted 6 months. Although, this is an exceptional accomplishment, it is also only the first step in educating a require number of experts in this field who are very much in demand. As an illustrative example of how great this need is, I would just like to mention the fact that the Personal Data Protection Law prescribes an obligation to appoint persons for personal data protection for about 30,000 data handlers and data processors in the Republic of Serbia. To date, only just over 3,300 of them have fulfilled and even not all of them designated a person who has the know-how and experience in this field as their personal data protection officer, which is a legal obligation. This demonstrated how pronounced the need for such specialized experts will be in the time to come. For that reason, the Commissioner will gladly respond to the calls for cooperation from other higher education institutions.
Why is it important to educate young people on the topic of personal data protection?
Education of young people on the topic of personal data protection has a crucial impact on the effective and comprehensive protection of personal data in society as a whole because young people are the ones whose personal data are jeopardized because they are the biggest and most active users of online content. In order for the education of young people not to be spontaneous and disorganized, I proposed that personal data protection should be included in the curricula of elementary and high schools as soon as possible. I am confident that my proposal will be accepted and that we will be able to acquaint young people with their rights but also obligations when it comes to the protection and security of their personal data. The fact remains that young people easily give up the right to protection of their personal data for the sake of being able to use certain online content, download an application or video game, etc., as well as that they often publish information about themselves on social networks without thinking first about the consequences. Hence, there is the need for them to be aware of all the consequences that may arise as a result.
We need the strategy to protect the personal data of citizens in all areas of life”
What benefits does the Personal Data Protection Strategy bring for citizens and when it will be implemented?
In cooperation with the Government of the Republic of Serbia, the Commissioner has begun working on passing the Personal Data Protection Strategy, which should be applied in the period from 2021 to 2028. This will be the first such comprehensive document of strategic importance in the segment of personal data protection and it will define the obligations of state bodies in the protection of this human right. We need the strategy to protect the personal data of citizens in all areas of life, and the first task that the strategy envisages is the analysis of all regulations that contain topics relating to personal data processing and their harmonization with the Personal Data Protection Law, which is a legal obligation that must be fulfilled as soon as possible. Furthermore, the strategy should ensure normative regulation of certain types of personal data processing that the existing law did not regulate at all, such as processing of personal data through video surveillance, processing of citizens’ biometric data, the relationship between digitalization, artificial intelligence and personal data protection, and protection of personal data in emergencies, such as the situation caused by the COVID-19 pandemic.
In March, the Commissioner’s Office appointed a personal data protection deputy commissioner. How important is this appointment for the Office?
With the recent appointment of the Deputy Commissioner for Personal Data Protection, the National Assembly of the Republic of Serbia has significantly helped both the functioning of the Commissioner’s Office and me personally. Namely, before the Deputy was appointed (the Commissioner, although entitled to having two deputies – one for each area of human rights for which he is responsible – had not had a deputy for more than a year), the Commissioner was the only authorized signatory of all acts issued by the Commissioner’s Office. There are thousands and thousands of such documents issued in the space of just one year. This, in itself, shows how much workload the Commissioner has in a situation when there is no deputy, which, especially in the current situation caused by COVID-19, greatly complicated the work and hindered the normal functioning of the Commissioner’s Office. Now, after the deputy was appointed, the situation is much easier to handle, especially if we take into account the fact that this is a person who has been working in the Commissioner’s Office for over ten years and who is a personal data protection expert. Thanks to the appointment of deputies, we can fully commit ourselves to drafting the Personal Data Protection Strategy, preparing amendments to certain regulations covering this area and free access to information of public importance, and creating a more efficient way of educating all relevant entities.