The Commissioner for Information of Public Importance and Personal Data Protection, due to an increasing interest by the media and the citizens with regards to the question of personal data processing in banks, warned that every processing of personal data has to be performed within a framework established in the Constitution and the Law on Personal Data Protection.
The Commissioner Rodoljub Sabic stated the following while warning the general public that there were serious indication that in the actual practice of personal data processing in the banks (especially, when it comes to certain data that the law treats as particularly sensitive, such as political party belonging or nationality), the banks violate the established frameworks, and he also asked the banks to refrain from such practices:
«When it comes to any data processing, the provisions of the Constitution of the Republic of Serbia (Art. 42) and the Law on Personal Data Protection (Art. 8) cannot be surpassed.
The Constitution, which guarantees personal data protection, clearly states that the processing, as well as gathering, storage, and utilization of personal data, is defined by law, namely the Law on Personal Data Protection, which establishes the legal context in which data processing is permitted.
The aforementioned means that personal data processing is only allowed for those data for which the processing is defined by law, and those data for which the consent of the individuals to whom the data is related to was obtained prior to processing.
With regards to the objective fact that the relationship between the bank and the client is not always equal, and that there is a possibility that the consent is not obtained due to the free will of the client, but in order to achieve a certain aim, it is necessary to remind everyone of the principles defined by the Law on Personal Data Protection. Firstly, in order for consent to be valid, it has to be given in written, legally established form. And, secondly, even with the obtained consent, data processing has to be conducted in accordance with the provisions of the Law on Personal Data Protection. Thus, the principle of expediency has to be respected (the data is processed only for a purpose defined by law or stemming from the consent given by an individual), and the principle of proportionality (only the amount of data necessary for the fulfillment of the stated purpose is processed).
Data processing of political party belonging and nationality is not envisioned by any law, and, even when there is formal consent, it is not possible to recognize the need for such processing. That is why the processing of such data represent the violation of citizens' guaranteed rights, and is not permitted as such.»
