The shortcomings in the Draft Serbian Data Protection Act ("Draft"), analysed in our blog posts of 13 and 17 November, do not tell the whole story about the Draft. The document also contains positive features, mainly (but not solely) when it espouses novel solutions from the Draft data protection regulation ("Draft EU Regulation"). Overall, the shortcomings in the Draft are numerous and serious enough to require the document to be thoroughly reshaped, but the aspects described in this last instalment in the four-part series of blog posts should be maintained in the amended version.

1)  Abolition of the requirement to seek authorisation for transfer of personal data to non-convention countries

The Draft facilitates the transfer of personal data abroad to a great extent. According to the data protection law now in force in Serbia – the Data Protection Act of 2008 ("DP Act 2008") – any transfer to a country which is not a party to the Council of Europe Convention no. 108 is subject to the Serbian DPA's authorisation. Obtaining such authorisation can be lengthy and often involves a cumbersome procedure. The Draft abandons the concept of authorisation altogether. Although the Draft goes too far by not requiring any assessment (on the part of the DPA) of the adequacy of the protection of personal data in the country of intended import – the omission analysed in the second instalment in this series of blog posts – the basic intention to facilitate the transfers deserves credit.

According to the Draft, the basic precondition for transfer of personal data abroad is that a law, a bilateral treaty, or a multilateral data protection treaty (presumably the Council of Europe Convention no. 108) provides for such transfer. In the absence of such precondition, transfer is permitted on several grounds, including: the data subject’s consent; implementation of a contract between the controller and the data subject; public interests such as national security, defence, important economic or monetary interests of the State, detection, prevention, or prosecution of criminal offences, or protection of rights and freedoms; an agreement between the controller based in Serbia (on one side) and a controller, processor or recipient based abroad (on the other side) provided that the contract is governed by Serbian law; etc. In most of these situations, the controller has an obligation to notify the DPA and the data subject that the data have been transferred.

The proposed provision would bring relief to data controllers. Under the law now in force, they must seek authorisation from the Serbian DPA in the absence of a relevant treaty (the Council of Europe Convention) involving the country of import. Under the Draft, if transfer to the country of intended import is not provided for by relevant legislation or any data protection treaty, the exporter can rely on one of the enumerated alternative grounds and does not have to seek authorisation from the DPA.

The problem remains that, in the absence of a statute, treaty, or an alternative ground for lawful transfer, the controller cannot export the data to a third country (one that is not party to a treaty and not encompassed by a Serbian law) even if that country provides adequate protection of personal data. This is so because, in contrast to the Draft EU Regulation, the Draft does not contain a separate ground for lawful transfer which is the most important ground under the Draft EU Regulation: that the country of intended import ensures an adequate level of protection of personal data. An additional flaw in the proposed provision in the Draft is that, when the alternative ground for lawful transfer is the interest of national security, defence, important economic or monetary interests of the State, detection, prevention, or prosecution of criminal offences, or protection of rights and freedoms, the controller does not have to notify the DPA and the data subject of the transfer. This could lead to unchecked transfers of personal data by the government to countries which do not ensure an adequate level of protection but count among Serbia’s political allies or economic partners.

2)  Explicit references to joint data controllers and sub-processors (novelty in the Serbian legal framework)

The Draft introduces a meaningful definition of the data controller, abandoning the ill-written and vague definition of the data controller in the current DP Act. The Draft also includes a helpful reference to joint control and co-processing.

Under the DP Act 2008, a controller is a natural person, legal entity or public authority which processes personal data. Such a definition makes the controller insufficiently distinct from the processor.

Under the definition provided by the Draft, the controller determines – alone or jointly with others – the purposes and means of the processing of personal data. The definition is in line with the definitions in the EU Data Protection Directive (95/46/EC) and the Draft EU Regulation.

The DP Act 2008 is silent on whether joint controllers can exist. If the definition in the Draft is adopted, it will no longer be left to interpretation whether multiple subjects who jointly determine the purposes and means of the processing – a scenario not uncommon in practice – can be joint controllers at all. A downside is that, unlike the Draft EU Regulation, the Draft mentions no obligation for joint controllers to determine their respective responsibilities for compliance with the law and in particular their responsibilities vis-à-vis the data subjects.  

3) Stronger emphasis on data security

The Draft brings a set of provisions aimed at safeguarding personal data. These provisions are quite comprehensive compared to the DP Act 2008. The latter law only sets out, in a single provision, a scarcely defined obligation for controllers and processors to take all necessary technical, personnel and organizational measures “in accordance with the established standards and procedures” to protect the data from loss, damage, inadmissible access, modification, publication and any other abuse, and stipulates an obligation for all persons who work on data processing to maintain the confidentiality of the data.

The Draft elaborates the security measures in more detail, by providing a list of measures which are to be applied based on the data protection impact assessment. The decision by the data controller as to which measures to implement needs to take into account the type of personal data processed, the existing security standards, the level of technology and the costs (one of the measures is training of the personnel who work on data processing).

Introducing the mandatory notification of a data security breach – a provision mostly taken over from the Draft EU Regulation – is a significant novelty, since the DP Act 2008 does not provide for any obligation for the data controller in case of a data security breach. According to the Draft, the controller is obliged to notify the Serbian DPA within 72 hours from learning of a data security breach if the breach results in a threat to individuals' rights and freedoms - in particular, to privacy, identity, reputation or equal treatment, or protected interests of economic and social security. The same obligation exists for data processors towards the controller. Apart from notifying the DPA, the controller is also obliged to communicate a personal data breach to the data subject within the same timeframe, with a few exceptions, including when the controller has implemented measures which prevented and eliminated the consequences of the data security breach. Unlike the Draft EU Regulation, the Draft does not explicitly refer, as a basis for exemption from the obligation to notify, to the case where the data are available to the person not authorised to access them only in encrypted form. However, encryption is arguably included in the notion of the "measures which prevented consequences of a data security breach".

Finally, the introduction of an obligation to perform a data protection impact assessment is another step which brings the data safety aspect of the Serbian data protection law closer to the EU standards. The impact assessment is required if, due to the nature, method or objective of the intended processing, the rights, freedom or protected socio-economic interests of the data subject could be infringed. The wording of the provision is somewhat imprecise, but its thrust is, as explained in the third instalment in this series of blog posts, that the impact assessment should be performed if: the data to be processed belong to some of the special categories of data; publicly accessible areas are planned to be monitored on a large scale; the processing would relate to data about children; the processing by automated means would involve comprehensive evaluation of the economic condition, movements, inclinations or behaviour of the data subject; or in a few other instances.