The Commissioner for Information of Public Importance and Personal Data Protection will initiate enforcement of the Law on Personal Data Protection (LPDP) in the Business Registers Agency.
The direct cause for the enforcement procedure was information that several days ago the Business Registers Agency introduced a procedure which includes recording who accessed the archive of the Business Registers Agency and in which firms they showed interested by requiring visitors to fill in a special request before having access to documentation, thus forming a database on the basis of which it is possible to subsequently asses the level of interest of journalists or citizens in particular businesses.
Emphasizing that he will require from the Business Registers Agency to state the legal basis, meaning and purpose of such data processing, Commissioner Rodoljub Sabic also said the following in that regard:
"This new, unusual manner of processing of data of persons who access the archive of the Business Registers Agency upset the public to a certain extent, particularly investigative journalists.
They point out not only that the purpose of such processing is completely unclear, but also the real risk that information showing that the subject of their investigations and interest are companies owned by serious criminals or corrupt politicians could in various ways become available to the owners of those companies, which can put journalist in an inconvenient or even dangerous position.
The real possibility of such risks occurring is illustrated by the fact that soon after the introduction of the new "system", information on journalists who showed interest in certain businesses became available to the public and was even published in the media.
However, even regardless of the risk pointed out by the journalists in connection with the newly-introduced manner of processing the data of users of the archive of the Business Registers Agency, a number of elementary, inevitable issues arise even at the level of formal legal requirements. Namely, according to Article 42 of the Serbian Constitution, processing of personal data is regulated by the law. Thus, even if the introduced data processing was considered to be meaningful and justified, the basis for it should be provided by clear and undisputable provisions of the law, either the law on the Business Registers Agency or a special law. Of course, this law should inter alia define the purpose of processing and the volume of personal data that are processed, which should be proportionate to the purpose. In the absence of the above elements, according to Article 8 of LPDP, personal data processing is inadmissible.
Since there are, to put it mildly, very serious dilemmas in connection with these issues, I will demand of the Agency to provide its opinion about them without delay and after that and also after direct on-site enforcement I will decide on further measures."
