After conducting an inspection of compliance with the Law on Personal Data Protection at the Ministry of Internal Affairs pursuant to a citizen's petition, the Commissioner for Information of Public Importance and Personal Data Protection issued the Ministry with a Warning alerting the Ministry to the fact that its processing of citizens' personal data in the "Daily Bulletins of Events" and their subsequent submission to other authorities or persons without any legal grounds and with clearly stating the purpose of such processing constituted inadmissible processing of personal data.

The Ministry of Internal Affairs has been ordered to notify the Commissioner within 15 days of receipt of the Warning of the measures and activities it has undertaken to remedy the identified irregularities.

The inspection found that, in its data file titled "Daily Events", the Ministry of Internal Affairs processed data on reported criminal offences and misdemeanours, police interventions to restore public order, harm caused to persons and property by natural disasters and a number of other events within the mandate of the police, i.e. events and occurrences relevant for public safety. In addition, this data file also contained citizens' personal data.

This file was then used to create the Daily Bulletins of Events, which was circulated to a broad base of recipients. Thus, in addition to law enforcement officers at the Ministry of Internal Affairs, personal data were disseminated to a relatively large circle of external recipients.

The inspection found that personal data had been provided to the following at the national level: the President of the Republic of Serbia, the Prime Minister, the Spokesperson of the National Assembly, the Deputy Prime Minister, the Supreme Court of Cassation of Serbia, the Committee on Defence and Security, the Republic Public Prosecutor, the Special Prosecutor and the Security Information Agency.

At the level of police administrations, these data were selectively provided to: presidents of courts, prosecutors, heads of districts, mayors, municipal presidents, chairpersons of city and municipal councils, heads of Security Information Agency's centres etc.

Most of these authorities are not authorised to demand or receive the personal data contained in the Daily Bulletins and they do not need those data to perform duties within their respective mandates. Those authorities that need such data or are authorised to demand and receive them should do so through official correspondence, rather than through a Daily Bulletin.

In this context, Commissioner Rodoljub Šabić said:

"This practice is a leftover of the 'security culture' of old, a practice that should have been left behind a long time ago, one that is based on and mostly governed by secondary legislation dating back several decades and usually repealed long since.

If the purpose was to inform a certain circle of authorities or persons about certain events, it could have been achieved even without specific personal data. Dissemination of such data without proper legal grounds (an explicit provision of a law or consent of the data subject) undoubtedly constitutes unlawful processing within the meaning of the Law on Personal Data Protection. Furthermore, provision of personal data in connection with potentially sensitive events to the addresses of a broad circle of unauthorized bodies, including in particular political office holders, de facto creates and increases the risk of their abuse.

I have spoken to Minister Stefanović by phone today about the Warning and tomorrow we will meet face to face. I expect the Ministry of Internal Affairs to comply with the Commissioner's Warning."