Press Releases - Archive

The Commissioner for Information of Public Importance and Personal Data Protection assessed as good and useful the reaction of the Pension and Disability Insurance Fund after the Warning he sent the Fund for irregularities in processing personal data of the insured.

When the insured requested the issuance of certificates they need for enrolling their children in preschool institutions, the Fund issued them, instead of certificates, a copy of the complete M4 form, for which there was no legal basis, which additionally and unnecessarily exposed personal data of the insured to risk of abuse, given that M4 form contains more personal information than it is required and necessary.

The Fund, within the period specified in the Warning, informed the Commissioner that it immediately after receiving the Warning ceased such practice and in the future it will issue only certificates containing required, necessary data.

The Fund also informed the Commissioner that the Fund will initiate holding the meeting with representatives of the City of Belgrade, which is the founder of preschool institutions, as well as with other entities that require certificates containing data from its register, to clearly define and bring into line their requests, regarding the type and extent of necessary information, with the fundamental principles of the Law on Personal Data Protection, such as appropriateness and proportionality.

The Commissioner for Information of Public Importance and Personal Data Protection sent a warning to the Pension and Disability Insurance Fund because of irregularities in the processing of insured persons' personal data by this Fund.

When insured persons request issuing of certificates they need to enroll they children in preschool institutions, the Pension and Disability Insurance Fund issues them a copy of the complete M4 form instead of issuing certificates, without any legal grounds. In addition, the complete M4 form contains much more personal data than necessary and required for the intended purpose (on years of service of insured persons, salaries, compensations...).

This not only contravenes the fundamental principle of the Law on Personal Data Protection, which provides the legal basis for data processing, as well as the principles of purposefulness and proportionality; it also unnecessarily exposes personal data of insured persons to the risk of abuse, which cannot and must not be justified by "simpler" and "more expedient" acting of the competent authorities. More generally, the ubiquitous and long-standing practice of employees ignoring and underestimating their duties regarding personal data because it is "easier" or "more convenient" for them to do so must be eliminated as soon as possible.

The Commissioner ordered to the Pension and Disability Insurance Fund to inform him within 8 days about the measures it would take to rectify the irregularities identified by the Commissioner.

As announced earlier, acting on the facts found during the supervision of implementation of and compliance with the Law on Personal Data Protection by electronic communication operators providing internet services, which show that the situation is a matter of grave concern and improvements are needed, the Commissioner for Information of Public Importance and Personal Data Protection submitted to the Serbian Government the Draft Recommendations for improvement of the situation in this field.

The Commissioner for Information of Public Importance and Personal Data Protection held a press conference today in which he presented his Report on Supervision of Implementation of and Compliance with the Law on Personal Data Protection by Electronic Communications Operators providing Internet Access and Online Services.

This has been the first supervision activity of this type and on this scale in Serbia. Given the limited human resources available to the Commissioner and the huge workload of this institution in other areas (in 2014 it closed more than 2200 cases in the field of personal data protection alone), this process has proven to be a difficult, complex and time-consuming task, lasting from the end of 2013 to June 2015. During the initial stage it had covered all active internet operators (184). After the initial stage, which involved written supervision, 26 operators were selected for further supervision based on the criteria of market share, type and number of services, geographic coverage and the quality of their replies to the questionnaire.

This supervision exercise has only confirmed what the Commissioner had already known and publicly stated, namely that the situation with regard to personal data protection in the field of electronic communications, including in particular internet services, was far from satisfactory and a matter of grave concern. The main culprit for the underlying causes of this state of affairs (lack of legislative provisions and appropriate measures) is the government. With a view to remedying the situation and eliminating the identified shortcomings, the Commissioner intends to send proposals of recommendations for improvements (some of which have already been given), which will include:

1. Adoption of a new Personal Data Protection Strategy and an Action Plan on its implementation;

2. Passing of a new Law on Personal Data Protection;

3. Passing of a new Law on Electronic Communications or amendment of the existing one;

4. Putting in place an effective inspection system to enforce the Law on Electronic Communications;

5. Relevant amendments to legislative provisions in order to put in place a system for interception of electronic communications and access to retained data through the formation of a single national register to which all competent government authorities authorised to lawfully intercept and access retain data would submit their requests for interception of communications or access to retained data in real time, based on court orders. This national centre would integrate the existing parallel technical functionalities of different agencies and the police into a single national agency that would act as a provider of sorts of all those services that are necessary to intercept communications and other signals and access retained data to all authorised users.