Regulation of the use of sensitive health data by public and private actors is fast becoming a hot topic in Serbia due to several highly publicised leakages of such data in recent months. This included the health records of public figures such as actors and actresses and the mental health record of a journalist being leaked to the public and published and broadcasted in the media. At the same time, the story that one of the municipalities in Serbia allegedly allowed access to health records of 55,000 of its citizens to a potential business investor, with the rational that the business investor wanted to inspect general health status of work force prior to investing and commencing its business activities, caused quite a stir.

Such cases put into the spotlight issues such as the adequacy of the current legal framework for collection and processing of sensitive data and practice of private and public actors. These issues are not only important for the general legal and business public but also for specialised business actors such as insurance companies engaged in providing life insurance and who are processing sensitive data of customers. As such the Commissionaire for information of public importance and personal data protection (the "Serbian DPA") has issued several press releases highlighting the importance of lawful collection and processing of sensitive data.

The Serbian Law on protection of personal data (Official Gazette of the Republic of Serbia, nos. 97/2008, 104/2009, 68/2012 and 107/2012) (the "LDP") prescribes that collection and processing of personal data must be either be: (i) based on statutory authorisation; or (ii) based on prior informed consent of the data subject. While as a general rule the LDP prescribes that, due to its nature and importance for the data subject, sensitive personal data (data regarding health, ethnicity, race, gender, language, religious affiliation, political party membership, union membership, etc.) can be collected and processed only based upon the prior informed consent of the data subject, there are exceptions for certain categories of sensitive data. In particular, the LDP provides that the collection and processing of health data can be based on statutory authorisation.

While collection and processing of sensitive data can be based on the LDP (i.e. statutory based collection and processing of sensitive data without consent of data subject), other laws can also be important for proper legal handling of sensitive data.

For insurance companies engaged in providing life insurance in Serbia it could be of importance that the Law on protection of patients’ rights (Official Gazette of the Republic of Serbia, no. 45/2013) extends a duty of confidentiality regarding the health status of patients to all employees in legal entities engaged in providing voluntary health insurance to such patients. Pursuant to the above mentioned law, breach of confidentiality duty could lead to monetary fines up to approx. EUR 8,000.00 for an insurance company and up to approx. EUR 400.00 for the responsible person in that insurance company.

As such, to the extent that organisations process health data in Serbia they should ensure that they have an adequate legal basis for doing so and comply with the duty of confidentiality where it applies.

The Serbian DPA's press releases are available here and here.

Submitted by Aleksa V. Andjelkovic of Andjelkovic Law Office – Belgrade, Serbia in partnership with DAC Beachcroft LLP