Law on Personal data Protection comes into effect

The new Law on Personal Data Protection has come into effect on Thursday, August 22, 2019 and the Commissioner for Information of Public Importance and Personal Data Protection reminds all subjects under obligations of the Law to harmonize their policies with the Law now if they haven't already done it.

The Commissioner has once again stated that the application of the Law has not been delayed despite the fact that many subjects under the Law are not adequately prepared for its application, Tanjug reports.

Personal data processing is not allowed if a natural person did not give their consent to processing, i.e. if processing is carried out without legal authority or if it is done for purposes other than those specified. Processing without consent shall be allowed only in order to achieve or protect vital interests of the data subject or a third party, in particular their life, health and physical integrity, the new Law, which came into effect on August 22, specifies.

New rules will be mandatory for all subjects – such as banks, companies, state institutions, associations, hospitals - who request citizens' ID card number, Unique Master Citizen Number or a bank account number.

The authorities of the Commissioner have been expanded as well. Now the Commissioner will supervise the enforcement of data protection, decide on appeals in cases set out in this Law, maintain the Central Register, supervise and allow transborder transfer of data from the Republic of Serbia, point out the identified cases of abuse in data collection and so on.

The Ministry of Justice said that the Law was harmonized with the new EU regulations and that it's goal was to provide the protection of rights and freedoms of all natural persons. The law regulates the responsibility in case of violation of rights of persons whose data are processed and in case of any irregularities in actions of data controllers. The damage may be categorized as a minor offense and the person who has suffered damage due to privacy violation shall be compensated for the damage.

The Data Security section has been better regulated and proscribes greater set of security measures. Data controllers will also have to carry out risk assessments of processing methods and in case a method constitutes high risk for a citizen's rights and freedoms the prior opinion of the authorized government body is necessary.

The law also specifies processing of special categories of personal data, for instance, data on suspects or convicted individuals for the purposes of investigation, detection, prosecution or imposing criminal sanctions.

Law on Personal Data Protection

Commissioner for Information of Public Importance and Personal Data Protection

General Data Protection Regulation

GDPR

personal data protection