In connection with the identified inadmissible personal data processing done pursuant to the Instructions on Security Clearance Checks contained in the National Aviation Security Programme passed by the Serbian Government, the Commissioner for Information of Public Importance and Personal Data Protection has sent a letter to the Prime Minister of Serbia.
While fully acknowledging the importance of aviation security, the Commissioner felt it was opportune to point to the effects of undermining legal certainty and violating constitutional guarantees which stem from this document, as the "system" put in place pursuant to it is absolutely inconsistent with explicit constitutional provisions.
In September 2015, the Government passed the National Aviation Security Programme and classified it as "TOP SECRET." The Commissioner was not aware of the existence of this document until May 2016, when he learned about it through official correspondence with joint-stock company AIR SERBIA a.d. Belgrade, after which he obtained the text of the document from the Government's General Secretariat. On this occasion, the Commissioner did not examine the reasons for classifying the document as "TOP SECRET" and merely noted it was disputable.
The said document incorporates Appendix III-1-V titled "Instructions on Security Clearance Checks", which contains a description of security clearance checks, identifies the national authorities in charge of conducting the security clearance checks and the categories of staff subject to security clearance checks, defines the process of filing requests and provides for procedural issues concerning the conduct of security clearance checks.
The Constitution of Serbia (Article 42) guarantees personal data protection and provides that collecting, keeping, processing and use of personal data must be governed by law.
In a case pursuant to a motion filed by the Commissioner, the Constitutional Court reaffirmed in its Decision IUz No. 41/2010 of 30 May 2012 "... that only a law can provide for a basis of personal data processing", i.e. such data cannot be processed on the basis of secondary legislation.
The National Aviation Security Programme passed by the Government has never been published and is not even a legal instrument; accordingly, it most certainly cannot provide a legal basis for personal data processing.
In addition to these objections on principle, in his extensive letter the Commissioner also noted the legal confusion recognized in the Instructions, namely the fact that two different forms of personal data processing are both referred to as "security clearance checks", although they differ significantly.
The Commissioner demanded of the Government to repeal the section of the National Aviation Security Programme set out in Appendix III-1-V and to provide for those security clearance checks it considers necessary through amendments to the Air Traffic Law, as it is authorised to propose laws.
The Commissioner notes that this situation, just like other similar situations we have faced and which we will unfortunately become increasingly common, is a direct consequence of the lack of a strategic, well-designed and coordinated approach to issues in the field of personal data protection at the overall government level and once again calls on the Government to pass an Action Plan to implement the Personal Data Protection Strategy, which has been delayed for inexcusably long, and to finally begin implementing the Strategy, which was adopted as early as in 2010.
