FIC online Conference “A Year of Application of the Personal Data Protection Law” attracted high interest from members, enabled clarification of several important issues and paved the way for further cooperation on resolving the open issues.

FIC representative Ivan Milosevic from Law Office Jankovic, Popovic, Mitic discussed the priority topics for members with Commissioner for Personal Data Protection Milan Marinovic. Panel, moderated by FIC Regulatory Officer Jelena Lazarevic, attracted 100 members representatives. Panelists agreed that the progress was achieved in the previous period in development of data protection practices, but that there are still the open issues to be addressed. Video recording of the event is below.

Ivan Milosevic said that further development will depend on the readiness of both regulatory authority and legislators for dialogue and adoption of adequate solutions. The Data Protection Commissioner Marinovic said that it was a good decision to start implementing the Law, and that it proved to be useful also in the context of COVID-19 pandemic which brought new topics to the table. “It is true however that there are shortcomings in the Law. We were aware of some of them from the very beginning”, he said, explaining that the Law didn’t tackle some issues, such as biometric data, video surveillance… The Commissioner expects the Parliament, once it’s established, to extend the deadline for harmonization of other legislation with Data Protection Law. Current deadline is the end of this year. “This will be the occasion to legislate this area to the benefit of all”, he added.

Labour-related issues were very much in focus. First one to be addressed at the event was the right to request the penal and misdemeanor record certificates from the potential employees. Commissioner Marinovic clarified that the legitimate interest cannot be the legal basis for processing such data, and that only the relevant laws and by-laws can suffice. The Commissioner’s Office came to that conclusion while working on the manual on the legitimate interest, which is to be finalized soon. At the moment, this possibility is therefore limited mainly to the public sector, education and some other specific sectors. As a solution, Officer proposed to regulate that issue during the harmonization of the Labour Law with Data Protection Law. It will be necessary to define the type of data needed, in order to avoid processing too much data. As it was discussed during the conference, some type of record, such as for the traffic violations, can be irrelevant for some areas of employment for which the certificate is requested. When it comes to the access to the employee’s email accounts, it was concluded that there is the need to adopt internal document in order to define conditions for such measure. Ivan Milosevic from FIC said that there the right balance should be sought between the employers’ needs and employees’ rights. Protecting business secrecy was outlined as one of the most relevant reasons for interception of employees’ emails. Commissioner Marinovic said that there are other reasons to monitor email activity of the employees, such as to assess the   conscientiousness and punctuality of the employees, but this time without looking at the content. He also explained that the professional email accounts of employees are intended solely for business purposes, which means that the privacy of the employees is not so much in danger. In any way, it is important that the employees are informed on the possibility for their emails to be tracked. New employees should be informed at the very beginning of their engagement, the Commissioner said.

New COVID-19 related practice to measure temperature of the employees and other persons entering premises was discussed. Commissioner Marinovic said that it is the obligation of the employer in the context of the protection against the infectious diseases and ensuring a safe environment at work. However, the problem arises if the evidence is being made on measurements. Such evidence is not needed, and if it is established there has to be clear purpose and rules of its archiving. This represents unnecessary data processing that could be unlawful.

FIC was interested in the regime of data export to the USA after the recent CJEU Judgment that abolished the safe data export regime between the USA and the EU. As Serbia has the obligation to harmonize with the EU in this respect, this should be applied in Serbia too. However, as explained by the Commissioner, it wasn’t done yet until the day of the conference, although he promptly notified the Serbian Government and the Justice Ministry after the judgment by the EU Court. This is to be changed when the Government is established, he said.

Topics addressed at the panel also include: status of data collected through cookies (it was concluded that there is the need for the assessment of impact on data protection if analytical cookies and personal data are involved); the need to notify the Commissioner in case of risks for data protection (Commissioner clarified that the data handlers have the obligation to notify the Commissioner only if data processing remains risky despite the measures taken); right to request feedback from clients (the Commissioner proposed to inform clients in advance, as part of the privacy statements, that they would be contacted for feedback).

The event was also the opportunity to ask the Commissioner about further activities FIC thinks his Office should take in order to improve the data protection system. Ivan Milosevic expressed the FIC view that the Commissioner should adopt criteria for issuing certificates in the domain of data protection, but also start delivering the certificates. Commissioner Marinovic didn’t agree, explaining that this authority should not engage in delivering the certificates as it also sets criteria and supervises the accreditation bodies. Criteria weren’t published until now, as the Officer waits to see how this situation will be regulated across the EU, given that Serbia has an obligation for EU harmonization. When it comes to the GDPR guidelines, the Commissioner explained that under Serbian Law he doesn’t have a mandate for doing so. Therefore, his Office gives Opinions on particular issues that could serve as guidelines for other entities. Typical opinions, applicable to a large number of cases, are planned to be published. On FIC questions whether the guidelines provided by the European Data Protection Board and commissioners of the EU countries can be used in Serbia, he responded positively, provided they are applicable. He outlined however that the guidelines by the EDPR are more valuable in this respect.

Ivan Milosevic drew attention to the importance of the Law enforcement and supervision and said that the Commissioner should assume this task. Commissioner Marinovic said that he started monitoring on the 1st day of the Law implementation. Over 250 inspections were undertaken, more than 60 corrective measures prescribed, 12 requests for opening misdemeanor procedures were filed, as well as three criminal charges.

FIC members took opportunity to engage in discussion and seek clarifications on following topics: data export to the USA; obligation of the branches and subsidiaries of the foreign companies to abide by the Data Protection Law (it was clarified that all entities on the territory of Serbia have the obligation in this respect); video supervision in the commercial centres (the Commissioner stated that there is the need to seek the opinion of his Office in case the risks remain despite the measures taken, or if there are new risky technologies involved, such as face recognition); posting information on notice boards within the company (it was clarified that the data exposed should be minimized, limited to the name of the person involved and official number of the case); and insurance intermediaries status.

As a conclusion, Ivan Milosevic from Law Office Jankovic-Popovic-Mitic said that harmonization with the GDPR is a demanding process that could take from 6 to 9 months for medium sized companies. “You cannot expect to learn all from the Commissioner, or in the seminar. You have to engage the professionals to assess risks”, he said. The Commissioner confirmed the need for a sustained interest for that issue, as one of the fundamental human rights is involved. He suggested the possibility that smaller companies engage one single professional. The Commissioner thanked FIC for its contribution to raising awareness on the Data Protection Law.