Housing and Residential Buildings Maintenance Bill is under the procedure in front of the National Assembly of the Republic of Serbia. Regarding the solutions contained in this Bill, its effects and scope, the public is informed in expressly positive, affirmative way. However, the Commissioner for Information of Public Importance and Personal Data Protection evaluates that the public is not informed enough regarding potentially negative effects this Law might have on personal privacy, i.e. personal data protection.

The Bill envisages introducing into our legal system completely new institutes, like the Manager and Professional Manager, who are entrusted, within broad authorizations in acting and managing the building, with among else, establishing and keeping records on all owners of special parts, all owners of independent parts and all persons to whom common or special parts of the building have been rented out, i.e. let to use, based on some other grounds. It has been envisaged that the owners of special parts of the building have the obligation to, under the threat of perpetrating offence and payment of hefty fines, inform the managers and professional managers about the Rental Agreement and the tenants. There, the Bill text does not state quite clearly what is the purpose of processing those data, whether and to whom those data shall be delivered, and how shall they be kept. Additional ambiguities are created by information appearing in the media, the source of which is unknown, and wheter or not they are correct, but which haven’t been refuted by the authorities. For example, the media published the information that the managers shall deliver data on persons who didn’t pay the costs of building maintenance to Public Enforcement Agents. The Commissioner reminds that the personal data protection right has been guaranteed by the Constitution, and that the legal ground for data processing can be either express legal authorization or a consent of the person whose data are being processed. Consequently, the delivery of data to other legal subjects can also be performed solely if this has been prescribed by the Law, or there is a consent of the person, of course, with clearly stated and permitted data processing purpose.

The Commissioner considers that the fact that processing of a huge number of personal data is entrusted to completely new, still non-existing structures also deserves serious attention. In relation to that, in the context of (lack of) competence, (in)experience, lack of practice and standards, a series of questions might be raised regarding the safety, i.e. keeping those data.

Therefore, the Commissioner appeals also to the Government, as a proponent, and to the MPs, to once again, in the procedure of adopting the Law, with due dilligence and responsibly evaluate the justification of adopting proposed legal solutions, opting for those that can achieve the desired objectives in the manner least invasive for the privacy of citizens, and minimally risky for their personal data.