"If I were to point to two striking examples of abuse of citizens' personal data, I would like to single out the inspection my inspectors performed in blood transfusion institutes in Serbia. The inspection identified serious omissions in the protection of medical data classified as "particularly sensitive" under the law. Effects of warnings sent in that regard were good and safeguards and treatment of such data are now significantly improved. The other example was the inspection action at a mobile telecommunications services provider. It confirmed there was a serious, dramatic gap between the practice and constitutional arrangements in access to data on citizens' electronic communication. On that occasion, the Ombudsman and I sent 14 recommendations to the competent authorities, the implementation of which should bring the situation in that field in compliance with the constitutional arrangement. Unfortunately, and hopefully for the time being, almost none of the desired results have been achieved", said Rodoljub Sabic, Commissioner for Information of Public Importance and Personal Data Protection.
It is common practice in the buildings of public authorities, companies and other institutions for visitors to leave their identity card with the security personnel at the entrance, who, as a rule, record not only the visitor's name and surname but also the identity card number and possibly the unique personal identity number.
The first issue that arises in this regard is the issue of purpose. What is the object and purpose of such data processing? If the purpose is to verify identity, examining the identity card would be enough. If certain data still have to be registered, does that mean that all of them have to be? What is the purpose of photocopying identity cards? And what is the purpose of keeping identity cards, which, by the way, enables photocopying without the holder's knowledge?
"Any data processing is admissible from the aspect of PDPL if it is performed on the basis of the law or with a consent of a data subject and if its purpose is defined. And if it does not comply with these conditions then it is inadmissible, whether it is performed by employees in public authorities or by someone else", said Mr. Rodoljub Sabic.
Still, he believes that photocopying of identity cards should not be completely banned.
"There are situations when it could be justified. But those situations should be precisely defined. What is the purpose of having your identity card photocopied several times by a telecommunications services provider or a bank? And if they legitimately need certain data on a client, do they really need a copy of a whole document? In short, due to this risk, photocopying should be minimized, particularly taking into account that electronic scanning multiplies the risk of forgery", explained Mr. Sabic.
Where Did a Political Party Obtain Data on Pregnant Women?
Many citizens have received marketing material at their home addresses, addressed to them personally. It is occasionally speculated that entire personal databases have been stolen and later used for marketing purposes, for example to send promotional material directly to citizens at their home addresses. Are there indications that something like that has actually happened?
"Of course there are, to put it mildly, "indications" that something like that has happened", said Mr. Sabic.
He cited one such example: "How can we for example interpret a situation when in a town during an election campaign all pregnant women received an invitation to vote for a political party with a "promise" that if it won the election, it would provide certain financial benefits? Where did such a political party obtain the data on pregnant women? Looking for an answer to this question, can we be absolutely certain that it was not done by the head of a medical institution who is for example a member of such a political party?"