Source: Politika
INTERVIEW:
The number of entries in the central registry of personal data records and the controllers is insignificant
Because, even two years after the Law on Personal Data Protection was passed, the majority of the ministries failed to fulfill their two basic responsibilities – to create and maintain their personal data records according to the aligned ordinance issued by the Government and to forward those records to the Commissioner in charge of creating a central registry of personal data records – Mr. Rodoljub Sabic filed minor offence complaints against 14 ministers who are considered responsible for their ministries.
The Commissioner for Information of Public Importance and Personal Data Protection decided to take this step since his numerous appropriate and timely warnings did not have any effect.
What is, in your opinion, the reason as to why 14 ministries failed to fulfill these obligations? Would you say because they are negligent, irresponsible, badly organized, purposefully trying to obstruct justice…?
I believe that everything you have enumerated did play a part in this; however, purposeful obstruction played a minor role. However, we should add probably the most important factor – the lack of knowledge, to the list of the factors that negatively influenced the situation. Namely, despite their declarative orientation and statements about the introduction of the EU standards in this area and the acceptance of international legal obligations, the realistic understanding of our administration regarding the content of the aforementioned standards is at a very low level. And, the first supposition for an efficient solution to any problem is a clear understanding of the scope and the dimensions of the problem.
What this says of them [or, of the country itself] when it comes to this area?
It says a lot, unfortunately, and none of it is good. If the supervision and surveillance, which were announced to the ministries long before they happened, showed that, not even two years after the Law on Personal Data Protection, the majority of the ministries managed to fulfill their most basic obligations stemming from the Law and the ordinance that the Government passed itself, all in all, the situation is very worrying. Certain facts should also be taken into consideration. For example, the Law on Personal Data Protection, and I have warned of this several times and even disputed some of the provisions before the Constitutional Court, is more-or-less not synchronized with the EU standards. Moreover, it should be mentioned that, in order to implement and apply the Law, certain by-laws had to be adopted as well. Two of the by-laws had to be adopted by the Commissioner and this was done. The other two were to be implemented by the Government of the Republic of Serbia. One was implemented following a significant delay, while the other, a very important one, has still not been passed. The by-law in question is a very delicate and sensitive one – it is related to the protection of especially sensitive personal data. Additionally, the Government “wasted” an entire year before adopting the Personal Data Protection Strategy, which was prepared by my associates and myself in cooperation with the EU experts; the Strategy has not been implemented and just exists on a piece of paper. By adopting the Strategy, the Government made a commitment to prepare an action plan for its implementation within three months. Unfortunately, the deadline has passed, and the Government failed to prepare the action plan. I could go on and on and keep on enumerating issues, but I believe that this is enough to show that the attitude of the authorities to this very important area needs to change significantly and rapidly.
Do you believe that these 14 complaints will be addressed by the courts of law in an adequate manner? What if the ministries continue to avoid their responsibilities?
What else could I say except that I believe in the courts of law. The efficient handling of this matter and a strict application of the law would contribute to the affirmation of the Law on Personal Data Protection, as well as the reformed minor offence judiciary. When it comes to failing to fulfill their obligations in the future, the ministries, regardless of the minor offence charges, received instructions, which I expect they would follow. If they fail to comply, we will have to issue formal decisions with our findings and file new minor offence charges.
What is the attitude of other data handlers and controllers towards their obligations stemming from the aforementioned Law?
In general, not satisfactory. If the executive authorities have such a bad attitude towards the Law, nothing else can be expected from other stakeholders. However, what is interesting is that twice as many banks than ministries fulfill their obligations of creating and maintaining their personal data records according to the aligned ordinance issued by the Government and forwarding those records to the Commissioner in charge of creating a central registry of personal data records.
You expect to have around a million entries in the Central Registry. How many do you have up until now? What is the realistic time frame in which all of the data handlers and controllers would be able to submit their entries?
Some estimates say that there are around one million personal data records and databases in Serbia. The number of stakeholders managing those databases is around one hundred thousand, or more. Records exist across various levels, from large state systems, such as the National Health Insurance Fund and the Ministry of Interior, to banks, enterprises, insurance companies, to small- and medium-sized companies and entrepreneurs. Of course, it is not realistic to expect that they would submit all of the records in their possession. However, we cannot be satisfied with the current state of affairs regarding the number of entries. The Commissioner established an electronic registry, which is quite convenient for the users, and appealed on several occasions to stakeholders to fulfill their obligations. However, in this lengthy period of time, the number of entries into the registry is significantly small in comparison to the total estimated number of existing databases. This is, of course, an unacceptably small number and that is why we had to initiate the proceedings against the responsible individuals. And, as I announced before, I decided to start from the very top – from the highest executive authorities.
Entrefilet: Minor Offence Charges Against Ministers
The minor offence charges were filed against Ms. Diana Dragutinovic, Mr. Tomica Milosavljevic, Mr. Slobodan Milosavljevic, Mr. Oliver Dulic, Mr. Sasa Dragin, Mr. Petar Skundric, Mr. Milutin Mrkonjic, Mr. Bozidar Djelic, Mr. Zarko Obradovic, Ms. Snezana Samardzic-Markovic, Ms. Jasna Matic, Mr. Dragan Sutanovac, Mr. Rasim Ljajic, and Mr. Nebojsa Bradic.
From the Law on Personal Data Protection
The objective of this Law is to ensure realization and protection of the right to privacy and other rights and freedoms regarding personal data processing to every natural person.
Personal data is any information concerning a natural person, regardless of the form in which it is expressed and the data format (paper, tape, film, electronic medium and the like), under whose mandate, in whose name or for whose account the information is stored, the date when information originated, the place where the information is stored, the mode of learning the information (directly, by listening, watching and the like, or indirectly, by insight into documents containing the information and the like), and regardless of other characteristics of the information. Personal data filing system controller is a natural or legal person or authority processing the data.