On the trail of our previous blog post, we shed some more light on contentious provisions in the Draft Serbian Data Protection Act ("Draft").

1)  Data controllers in charge of processing special categories of data overwhelmed by too many record keeping and registration requirements

The Draft introduces important novelties concerning three related issues: data protection impact assessment, notification of data protection authority ("DPA") of intended data processing, and registration of an established filing system. The net effect of the new provisions is that data controllers in charge of processing special categories of data must do too much paper work – more than what would be required under the Draft EU Regulation, but also, all things considered, more than what would be required under the Serbian DPA’s Model personal data protection Act ("Model").

The Draft EU Regulation requires from the data controller (or – in the version accepted by the European Parliament – the processor acting on the controller’s behalf) to conduct a data protection impact assessment if the nature, scope, and purposes of the intended processing is likely to create a genuine risk for the rights and freedom of individuals. The assessment has to be expressed in a document describing the envisaged processing operations, an evaluation of the risk for the rights and freedoms of individuals, and the measures to address the risk and to demonstrate compliance with the Regulation. If the assessment indicates the likelihood of a high risk, the data controller must consult the DPA (or, in the Parliament’s version, the data protection officer – provided that the controller has appointed such officer) and the DPA may prohibit the intended processing.

The DPA’s Model mandates a similar sequence of steps that data controller must make, if the processing involves sensitive data or data (sensitive or non-sensitive) concerning more than 500 data subjects. The data controller has to notify the DPA of the intended processing.

The Draft adds another obligation on the part of the data controller, which does not exist in the EU Draft Regulation or the Model: the obligation to file for registration of the filing system when special categories of the data are processed. The sequence of the required steps, therefore, is as follows:

  • The data controller or the data processor (presumably when the data processor acts on the controller’s behalf) must carry out a data protection impact assessment if the nature, method or objective of the intended processing is such that the processing operations might result in an infringement of rights, freedom or protected socio-economic interests of the data subject (Article 50(1) of the Draft).  This may be the case if the data to be processed belong to some of the special categories of data, as well as in other types of situations (such as when publicly accessible areas are planned to be monitored on a large scale, or the processing would relate to data about children, or the processing by automated means would involve comprehensive evaluation of the economic condition, movements, inclinations or behavior of the data subject). Based on the assessment, the controller, i.e. the processor, must create a document corresponding in the substance to the one required under the Draft EU Regulation and the Model.
  • If the processing operations might result in an infringement of rights, freedom or protected socio-economic interests of the data subject, the data controller has to communicate to the DPA a notification on the intent to launch the data processing, i.e. to establish a filing system.
  • The Draft then introduces an additional mandatory step: the data controller (or processor) who processes special categories of personal data must file with the DPA a separate request for registration of the filing system containing relevant information about the processing of such data.

The last obligation (to register the filing system) resembles the obligation from the existing Data Protection Act (2008) ("DP Act 2008") to register (in a separate procedure) the filing system after having already notified the DPA of the intended processing. This two-step approach was impractical and anachronistic even when it was introduced in 2008, and the data protection laws of most countries, including France, Italy, Belgium, the Netherlands, Montenegro, Macedonia, Croatia, and Bosnia and Herzegovina, do not know of a separate registration stage. The only obligation for the data controller in those countries, as well as under the Directive 95/46/EC, is to notify the DPA of the intention to process personal data, and such notification is sufficient for the DPA to compile a register of data controllers.

2) Territorial jurisdiction of the court in relation to the compensation for damages

Unlike the DP Act 2008, the Draft expressly states that the data subject may sue for damages resulting from infringement of his or her rights under the law. But the Draft stops here: it does not enable the data subject to sue in the place of his or her residence (or temporary residence) and thereby to minimize the inconveniences resulting from launching the court proceedings.

In contrast, the DPA’s Model prescribes that, in addition to the court of general territorial jurisdiction, the court in whose territory the data subject has residence or temporary residence is also competent. This provision should be transposed into the Draft. Allowing a plaintiff to sue in the place of his or her residence or temporary residence is a way in which the law protects economically weaker party in his or her relation with a company or public authority. Similar provisions can be found in consumer protection law.