On the basis of complaints received from citizens, the Commissioner for Information of Public Importance and Personal Data Protection enforces ex officio the Law on Personal Data Protection in a number of joint stock companies.

These companies published on their official Internet presentations databases on shareholders - natural persons containing their names and surnames, unique personal identification numbers (JMBG), town/city, street and number of residence and the number of shares they hold.

Warnings pointing to inadmissibility of such personal data processing have been sent to addresses of dozens of such companies and they also received rulings ordering deletion of personal data from their Internet presentations. Requests will be filed for initiation of infringement proceedings against those legal entities and their responsible persons.

Urging all other joint stock companies which were not subject to inspection on this occasion to refrain from unnecessary, excessive and inadmissible personal data processing, Commissioner Rodoljub Sabic also said the following:

"This is tantamount to publication of the "Single Records of Shareholders" (the so-called book of shareholders) which the companies obtained from the Central Securities Registry and Clearing House and which the Central Register maintains in accordance with the Law on Capital Market, its Articles of Association and Operating Rules. Publishing of data on shareholders – natural persons on the official website of the Central Register is limited only to a shareholder's name and surname and the number of shares he or she holds. The "Single Records of Shareholders" is submitted to companies on request for the purpose of holding a Shareholders' Meeting and a Shareholders' Day, which is set out in the Law on Companies.

Publishing of complete data, including unique personal identification numbers and home addresses, on the Internet is an obvious example of personal data processing which is carried out for purposes other than those specified and is disproportionate, which means that it is also inadmissible according to Article 8 of the Personal Data Protection. Such processing violates the right to privacy of shareholders and increases the risk of possible identity theft.

Only in several dozens controlled companies personal data of several thousands of shareholders have been made publicly available in the described manner. I will not say the names of these companies because I do not want unnecessarily to attract attention to shareholders' personal data which are still published on official websites of some of these companies. And since it can realistically be expected – and is indeed quite certain – that the number of companies that are acting or intend to act in the similar manner is much higher, I urge all them to refrain from such practice or to stop it."