HomeObligations of Data Controllers

Obligation of Data Controllers

Print PDF

The Controller, who could either be a natural person, legal entity, or an authority, collects data from data subjects that is pertinent to those subjects, or from the third parties. The Controller is obliged to process data in accordance with the consent of the data subjects or in accordance with the Law. In case a data subject revokes his/her consent, the Controller cannot proceed with data processing thereafter.

The Controller is obligated to conduct data processing in accordance with the provisions on the conditions for processing (Article 8 of the Law).

Before collecting data, the Controller is obliged to inform, in writing as is the rule, the data subject whose data is in question, or the third party, of his/her identity and all of the questions related to data processing in accordance with Article 15 of the Law. The Controller is obliged to inform the data subject of any alteration, amendment, or erasure of data.

As stated in Article 19 of the Law, the Controller is obligated to fully and truthfully inform the applicant about all the questions related to data processing, without delay, and at the latest within 15 days from the submission of the request for information.

The Controller is obliged to provide the data subject the insight into data pertinent to the said subject, that is to hand over the copy, without delay, and at the latest within 30 days from the day of receiving the request for insight. If there are valid reasons why the deadlines of 15, or 30, days cannot be met, they can be extended by additional 30 days. The Controller is obligated to make available to the applicant the data concerning him/her in comprehensible form, meaning to make available to the applicant all data in the given state, and to, at the request of the data subject, provide professional aid for the purposes of understanding the contents of data concerning him/her. The right to insight is free of charge, while the applicant only bears the costs of making and delivering the data copies.

Moreover, the Controller is obliged, without delay, and no later than 15 days from the day the request was submitted, to decide on the request regarding the fulfillment of rights stemming from the performed insight (correction, amendment, update, erasure, termination and temporary termination of processing), as well as to inform the applicant of this.

When the Controller is not processing the data, he/she shall forward the request to the Commissioner for Information of Public Importance and Personal Data Protection, unless the applicant objects to that. The Controller is obliged to act on the decision (order) by the Commissioner, as well as to allow the authorized representative of the Commissioner to supervise without interference and to provide him/her with all the necessary documentation.

If the personal data filing system was established by contract, that is, on the ground of written consent, in case of the recession of the contract or the withdrawal of consent, the Controller is obliged to erase the personal data within 15 days from the day of the recession of the contract or the withdrawal of consent, unless otherwise prescribed or stipulated.

The Controller is obliged to provide necessary technical, personnel, and organizational measures for data protection, in accordance with prescribed standards and procedures, which are necessary to protect data from loss, destruction, unauthorized access, unlawful alteration, publishing, and any other abuse, as well as to prescribe the obligation of keeping the confidentiality of data for those who work on data processing.

The Controller is obliged to establish, keep, and update the records on data processing that contain the information stated in Article 48 of the Law, and in accordance with the Bylaw on Personal Data Processing Record Keeping (“The Official Gazette of the Republic of Serbia”, no. 50/09).

Before commencing with the processing and/or establishing of the data filing system, the Controller is obliged to notify the Commissioner of the intention to establish the data filing system (Article 49 of the Law), as well as of any subsequent intended data processing, before assuming the task of processing, at the latest 15 days before the data filing system is established, meaning before the processing has begun. The Controller forwards to the Commissioner the record on the data filing system, that is, forwards the changes in the data filing system, at the latest within 15 days from the day of the establishment or change. The aforementioned notifications and records are integrated in the Central Register.

model-zakona-baner-eng

Statistics

  • Monthly Statistical Report in the field of Access to Information and Personal Data Protection

    31.10.2017.

    PENDING: 4.186

    DONE: 56.291

    Read more...

centralni-registar-baner-eng


get_adobe_reader
portal-otvorenih-podataka-eng
novi zup cir

ADDRESS BOOK

CONTACT

Address book of the highest national authorities and selected non-governmental NGOs.

Commissioner for Information of Public Importance and Personal Data Protection

15, Bulevar kralja Aleksandra str, Belgrade 11000
Tel: +381 11 3408 900    Fax: +381 11 3343 379
Email: оffice@poverenik.rs