One of the first issues raised by insurance companies when they are confronted with the Serbian data protection regulatory framework and their obligations thereunder is the legal basis for lawful collection and processing of personal data of their customers and potential customers.
In that sense, the question posed by some insurance companies to the Commissioner for information of public importance and personal data protection (the "Serbian DPA") may provide some guidance. Insurance companies approached the Serbian DPA with the question as to whether personal data of customers and potential customers could be collected and processed ex lege (i.e. without prior informed consent of a person) on the basis that the relevant data protection legislation allows such collection and processing in certain cases, or whether such collection and processing must be based upon prior informed consent of a customer.
The Serbian Law on the protection of personal data (Official Gazette of the Republic of Serbia, nos. 97/2008, 104/2009, 68/2012 and 107/2012) (the "LDP") sets out two separate legal bases for the collection and processing of personal data. Pursuant to the LDP, collection and processing of personal data may either be: (i) based on statute; or (ii) based on the prior informed consent of the person whose data is being collected and processed, i.e. the data subject.
Pursuant to Article 12 of the LDP, statute-based collection and processing of personal data without prior informed consent of the data subject is allowed in the following circumstances:
- to achieve or protect vital interests of the data subject or a third party, in particular their life, health and physical integrity;
- for the purpose of discharging duties laid down by a law, an enactment adopted pursuant to a law or a contract concluded between the person concerned and the controller, as well as for the purpose of contract preparation;
- in other cases envisaged by the LDP or another regulation adopted pursuant to the LDP for the purpose of achieving a prevailing justifiable interest of the person concerned, the controller or a user.
The relationship between the insurer and the insured person, including the conclusion of the insurance agreement, is regulated by the Serbian Law on contracts and torts (Official Gazette of the SFRY, nos. 29/78, 39/85, 45/89 and 57/89, Official Gazette of the FRY, no. 31/93 and Official Gazette of SMNE, no. 1/2003) in its Articles 897 – 965. However, the Law on contracts and torts does not regulate the scope of personal data that must be provided to the insurer for conclusion and execution of the insurance agreement.
Taking into account the above, and while the LDP unambiguously prescribes that collection and processing of personal data is allowed for the purpose of discharging duties laid down by the law, certain insurers asked the Serbian DPA whether the mere fact that the insurance agreement is regulated by the Law on contracts and torts, although that law does not state which data is necessary for conclusion of the insurance agreement and execution of the duties thereunder, provides a statutory legal basis for collection and processing of personal data.
In response to this question, the Serbian DPA issued an opinion (the "Opinion") which stated that the Law on contracts and torts is not in line with the Constitution of the Republic of Serbia and the LDP regarding the collection and processing of personal data.
Having in mind this lacuna in the Law on contracts and torts regarding the scope of the personal data necessary for conclusion and execution of the insurance agreement, the Serbian DPA stated in its Opinion that the collection and processing of personal data based solely on the Law on contracts and torts is not allowed and that collection and processing of personal data between insurers and insured persons is allowed only based on the prior informed consent of the data subject.
While the Serbian DPA is clear about the limitations of the collection and processing of personal data pursuant to the Law on contracts and torts, it is interesting that in its Opinion the Serbian DPA does not set out expressly whether the collection and processing of personal data in the insurance sector is allowed in other cases set by the LDP in which prior informed consent is not required, such as for the purpose of execution of an agreement concluded between the person concerned and the controller, as well as for the purpose of preparation of an agreement.
However, a search of the Central Data File Register shows that most insurers state the Law on contracts and torts as the legal basis for collection and processing of personal data of insured persons, despite the Opinion of the Serbian DPA and, also, Article 12 of the LDP, which allows data controllers to collect and process personal data without the consent of the insured person (i.e. the data subject).
To the extent that an organisation processes personal data in Serbia, it should examine the legal basis on which it is doing so. Based on the Opinion, strictly it should ensure that it has the prior consent of its data subjects to do so. However, the practicalities of doing so, and what appears to be market practice, may mean that a careful balancing exercise will need to be undertaken.
The Opinion may be accessed here (Serbian).
Submitted by Aleksa V. Andjelkovic of Andjelkovic Law Office – Belgrade, Serbia, in partnership with DAC Beachcroft LLP