The Commissioner for Information of Public Importance and Personal Data Protection carried out an inquiry in the public utilities of the City of Belgrade about the implementation of the Law on Personal Data Protection, in order to establish the facts relating to the legal basis and purpose of processing of service users' personal data.

The inquiry was carried out in 13 public utilities of the City of Belgrade.

Persons authorized by the Commissioner determined that the vast majority of the PUCs, ten companies, collect photocopies of identity cards and other identity documents of service users without a legal basis and without complying with the principle of proportionality of personal data processing.

All these companies shall, in accordance with the law, be issued a warning and, if necessary, other statutory actions shall be taken.

The need to establish the identity of service users in specific cases involves insight into identity documents, or certain data, but not photocopying and retention of identity documents. Photocopying and retention of citizens' identity documents, as a form of personal data processing, constitutes an invasive violation of privacy and such data processing is admissible only when explicitly provided for by the law.

Public utility companies, as well as all other entities that require citizens to photocopy and hand over copies of identity documents, in cases where this is not explicitly provided for by the law, carry out unlawful processing of personal data, and, in addition, expose citizens to unnecessary exertions and costs, regardless of how high they are.

However, it is much more important to form a vast collection of identity documents in this way, without foundation and purpose that would justify this action, which, even if PUC organized much better protection, unnecessarily multiplies the risk of personal data misuse.