COMMISSIONER
FOR INFORMATION OF PUBLIC IMPORTANCE
AND PERSONAL DATA PROTECTION


26.11.2008

The Commissioner for Information of Public Importance and Personal Data Processing is issuing a public warning to all business banks which, without legal authority or the consent of the natural person whose data are processed, make available to the Republican Pension and Disability Insurance Fund, under contracts on business collaboration with the Fund, the data on holders of current accounts or the data of third persons: such action is contrary to the provisions of Articles 8 and 13 of the Law on Personal Data Protection (LPDP) and constitutes inadmissible data processing.

Emphasizing that he sent an adequate warning to the PDI Fund back in May this year, the Commissioner, Rodoljub Sabic, stated the following:

"On the occasion of citizens' complaints and texts published in the media, surveillance of the implementation and enforcement of the LPDP by the Republic Pension and Disability Fund was performed on the basis of my order, earlier this year.

The motive was citizens' claims that the PDI Fund was collecting from business banks personal data on pensioners who had not withdrawn funds from their accounts in a certain period, or who authorized a third party to access their account.

In the course of supervision, photocopies of contracts signed by the Fund with 31 banks were examined. On the basis of the content of the contracts and actions taken by the contractual parties, it was ascertained that the exchange of data included processing of numerous data on pensioner account holders, including third persons authorized to dispose of current accounts (personal identification number (JMBG), name, surname, address, account number, dates of changes, etc.), contrary to the provisions of the LPDP.

The Fund's claims that it 'was using all available means to ascertain whether the requirements for the exercise of rights relevant to pension and disability insurance were still complied with' had no bearing on the Commissioner's estimate that this constitutes data processing which is inadmissible pursuant to the Law on Personal Data Protection."

Personal data may be processed either on the basis of legal authority or the consent of the data subject. Notwithstanding any deficiencies in the content or implementation of the Law on Pension and Disability Insurance, contracts between PDI Fund and business banks do not constitute proper means to remove the deficiencies because they do not constitute valid legal grounds for personal data processing.

Lack of adequate mechanisms to enable the Fund to obtain all data necessary for its operation or rather inefficient use of existing mechanisms cannot be the reason to justify data processing contrary to the LPDP and interference with the privacy of individuals to a greater extent than allowed."