Processing of data on the members of national minorities by the national councils
The question is whether the activities of Minority National Councils related to personal data processing for specialized voting registries and membership enrollment are in sync with the Law on Personal Data Protection. The aformentioned activities include: collecting data from the members of national minorities, form data entry accompanied by the signature of the person whose data is in question, photocopying or taking a photo of the ID card, delivering the completed form to the municipality, keeping the photocopies of documents (the form and the ID card), registering data in the internal membership registry.
According to the Article 42 of the Constitution of the Republic of Serbia, personal data protection is guaranteed.
According to the Articles 8 to 18 of the Law on Personal Data Protection related to the conditions for data protection (‘The Official Gazette of the Republic of Serbia’, no. 97/08), personal data processing, which, among other things, entails data collection and utilization, is not allowed without a legal permission or without an explicit approval of the person whose data is being processed. Also, data processing is permitted only for lawful purposes or if the person agrees to it, taken into consideration that the number and the kind of data being processed have to be proportional to the purpose of data processing. Data processing is not allowed if the very manner of processing is not allowed.
For processing of especially sensitive data outlined in Articles 16 and 17 of the Law, among which are the information on national belonging, the Law requires even stricter conditions. This data can only be processed when consent is given by the person, unless the processing of this data is forbidden by law even with the consent. The conditions for processing of this especially sensitive data are much stricter, both when it comes to the manner of processing and the contents of the consent, and require for the consent to be given in a written form and contain the code for the data being processed, the purpose of processing, and the purpose for which the data will be used. Also, the conditions are stricter when it comes to the obligation of application of special protection measures to this type of data.
The Law on Minority National Councils (‘The Official Gazette of the Republic of Serbia, no. 72/2009’) and the By-law on the special voting registry of national minorities (‘The Official Gazette of the Republic of Serbia’, no. 91/2009) regulate the questions of data collection and processing for purposes of registering members of national minorities in separate voting registries. The Article 38 of this Law states that the organization of the selection for National Councils is done by the Ministry for Human and Minority Rights and bodies in charge of selection, which means that no one can perform data processing for those purposes, meaning, no one can make registries, such as voting or other lists, of the members of national minorities. According to this Law, the citizen has the right to, by filling out the appropriate form, in person or by post, request from the local self-governing body in the person’s place of residence to be registered in a separate voting registry. This has to be done by the person (unless the general or specific rules related to the power of attorney apply).
Thus, the Law does not give the right to the existing National Councils (to which Article 137 Section 3 of the Law applies) to collect citizens’ requests and to submit them to the municipal institutions on their behalf, nor to collect data for their own purposes. This applies specifically to photocopying personal documents.
Taken into consideration that the National Councils do not have the legal base for processing of data of members of national minorities, the only justification for the processing could be the freely given consent, according to Articles 10 and 17 of the Law on Personal Data Protection.
Personal data protection without consent and against the conditions set in Law is forbidden and sanctioned as an offence according to the Article 57 Section 1 Paragraphs 1 and 5, and Section 3 of the Law. These articles do not exclude criminal responsibility as stated in Article 146 of the Criminal Code of the Republic of Serbia.
Legality of collecting data on owners renting apartments or business offices, by Tenants’ Assembly and delivery of that data to tax administration
According to Article 8 of the Personal Data Protection Act (Official Gazette of the RS 97/08), processing of personal data (under which, besides else, falls also collection and use of data) is not permitted without legal authorization or without explicit consent of the person whose data are processed. Also, processing of data is permitted only for the purpose determined by the law or by that person’s consent.
Article 42 paragraph 2 of the RS Constitution prohibits and makes punishable use of personal data outside the purpose for which they have been collected, according to the law, except for the needs of holding criminal action or protection of safety in the Republic of Serbia, in the way envisaged by the law.
In line with the quoted, answer to the question whether the Tenants’ Assembly, that is, its Chairman are obliged to, on the request of Tax Administration collect, that is, deliver available data about tenants who are renting their apartments or business offices, depends on whether the Tenants’ Assembly fulfills one of the quoted two basis for data collection and for what purposes.
The Law on Housing Buildings’ Maintenance regulating the legal position and authority of the Tenants’ Assembly, does not vest in the Tenants’ Assembly authority to collect the quoted personal data, including the data about the Unique Citizen’s Identification Number.
If the Tenants’ Assembly might possibly have such data collected with the consent of the person, the question is for which purpose have those data been collected. Further use of available data, including their delivery to the tax authorities is not possible outside of the purpose for which the data have been collected with the owner’s consent.
Provisions of the Articles 12 and 13 of the Personal Data Protection Act, which prescribe the exceptions for data processing without person’s consent, can be interpreted solely in the context of the quoted Constitutional norm, which approves use of data outside the purpose for which they have been collected, solely for the needs of holding a criminal proceedings or for protection of safety in the Republic of Serbia.
Accordingly, personal data collection by the Tenants’ Assembly, that is, by its Chairman for the needs of holding tax procedure is against the Personal Data Protection Act, as well as delivery of available data to Tax Administration, acquired with the owner’s consent for some other needs, that is, purpose.
Exercising right to have personal data protection regarding data entered into Schengen information system database (Schengen information system-sis)
Constituent organizational parts of Schengen Information System (SIS) are national liaison offices - SIRENE (Supplementary Information System at National Entry), through which, one can in the most complete manner access the system and exercise the data protection right.
Regarding data processing, the SIS also contains warning marks pertaining to protection of entry and stay of third country nationals - of countries which are not EU members, that is, signatories of Schengen Convention, into Convention member states.
According to the general principles for data protection, and especially regarding provisions of Articles 109 and 110 of the Convention, each person is entitled to be informed about the type of data about him that are processed, based on which order (of the authorities or services within the Convention member countries), legal base and purpose of data processing, as well as about possible users.
Besides that, a person can ask for a correction or deletion of incorrectly entered data, performed by a national body of the member state which has entered the data. Check of data correctness, and correction or deletion of them is always done based on national regulations of the member state which has entered the data.
A request for exercising the right to gain insight into records and possible correction shall be submitted to the national office of SIRENE, in any Convention member country or to an independent body for personal data protection from those countries, in charge also for complaints to the answers from the national SIRENE office, if the applicant is dissatisfied with the answer. A request shall be submitted directly to the member country body, or through diplomatic-consular representative office, and the applicant must prove his identity during submitting application, by presenting of a photocopy of a valid identification document containing the applicant’s signature, for instance, the valid passport. The request shall be delivered in writing, directly or by fax.
Based on request of a person for correction of incorrect data or facts contained in SIS, national SIRENE authority shall act, in the Convention member country that has entered that data. A request can be directed directly to that SIRENE, (which is, for sure the most efficient way) or through another member country, which shall forward the received request to the country in which the data has been entered.
The Commissioner for Information of Public Importance and Personal Data Protection of the Republic of Serbia, can not currently render protection of rights regarding processing of data entered into Schengen Information System, until the Republic of Serbia becomes a member of the Schengen Convention.
Unique records of the Ministry of education – Pupils’ database
Based on announcement that a unique records shall be formed for pupils of secondary and elementary schools, based on data within the unique information system of the Ministry of Education, the Commissioner has, according to the authorizations and obligations from Article 44 of the Personal Data Protection Act, sent a letter to the Minister of Education, presenting his attitude in relation to that:
„Media report that the records would be used by the Ministry, but also in return, by the schools, local self-government that finances them, even by the parents. Multiple data are mentioned, from the pupils’ grades and attendance in school and regarding extracurricular activities, and the like to the data on parents (personal data, property status, profession and the like), even the evaluation of pupils’ behavior, observation on health, psychological profile and the like.
I have been unofficially informed that there is a project of establishing unique records within unique information system of the Ministry, financed by the World Bank, for which the base probably exists in Article 27 paragraph 1, point 6 and Article 28 paragraph 2 point 5 of the Law on Basis of the Education and Training System. A base for this database, would be I assume, records the schools keep according to the laws and rule books for certain levels of education.
However, besides the quoted general provisions of the Law and technical regulations regarding the method and type of records (they are kept on paper in a strictly prescribed form, in certain record books, prescribed method of keeping and archiving those books and the like) keeping of unique records on the ministry level is not prescribed by anything, nor has been prescribed what constitutes a unique information system. Also, it is not prescribed what personal data are delivered to the ministry, in which scope and who uses them, and how are they protected. Especially, nothing prescribes that schools’ record, and also that they deliver data about parents (personal data, property status, profession and the like), even for the marks regarding pupils’ behavior, psychological profile and the like. Especially, it is not prescribed by anything that these can be used for other purposes, except the ones from Articles 8, 27 and 28 of the Law on Basis of the Education and Training System.
Starting from the quoted, аnd especially having in mind the fact that some of the quoted personal data fall into the category of specially sensitive data, I am of opinion that one should pay special care in discussing all issues pertaining to formation of the unique information system, primarily having in mind the principle that data processing can be performed only based on the Law, only for purposes envisaged by the Law and only in the scope necessary for achieving specific purpose."
In relation to that, the Commissioner has suggested to jointly discuss that issue.
About personal data from the questinnaire for entering conscripts into military records
Based on turning of the citizens to the Commissioner for Information of Public Importance and Personal Data Protection regarding request of military section to enter in the questionnaire for introduction of conscripts into military records, besides conscript’s data, also numerous detailed personal data of the other family members, parents, and even of siblings (including for instance Unique Citizen’s Identification Number, qualifications and the like), the Commissioner has in the letter to the Ministry of Defense pointed out the following:
„Generally accepted principle in democratic societies regarding personal data protection is that data processing without consent of persons about whom data are, can be performed pending - that it is envisaged by the law, to perform it for purposes envisaged by the law and within the scope necessary for implementing that purpose.
Accordingly, Article 13 of our Personal Data Protection Act („Official Gazette" 97/08), envisages that the „authority processes data without person’s consent if the processing is necessary for performing jobs from its authority determined by the law or by another regulation in order to secure interests of national or public safety, country defense, prevention, discovering, investigation and persecuting for criminal offences, economic, that is, financial interests of the state, protection of health and morale, protection of rights and freedoms and of other public interest, and in other cases based on written consent of the person."
Starting from the quoted, my opinion is that it is necessary that the Ministry of Defense shall evaluate whether there is really a base for collection of all above mentioned data, that is, even if it exists, to check its justification."
Publishing of Unique Personal Identification Numbers of Citizens (JMBG)
Publishing of unique personal identification numbers (JMBG) of several dozen thousands of citizens on the Internet, in the Official gazette and daily paper "Politika" by the Privatization Agency, apart form their names, surnames and names of their parents, regarding exercise of entitlement to free shares is, by the opinion of the Commissioner for Information of Public Importance and Personal Data Protection, mass and gross violation of their privacy and the right to personal data protection.
The Commissioner's opinion is based on the main principle in connection with processing and use of these data according to which data processing, even when it is envisaged by the law, is allowed only for the purposes for which it was envisaged and only to the extent necessary to achieve that purpose. Publishing of unique personal identification numbers (JMBG) of several thousands of citizens is neither set by law nor necessary and in any case it is contrary to the basic international standards of personal data protection and provisions of Article 8 of the Serbian Law on Personal Data Protection.
