In connection with the increased public interest in the activities in the Tax Administration (TA), the Commissioner for Information of Public Importance and Personal Data Protection said that he had initiated the procedure of enforcement of the Law on Personal Data Protection (LPDP) as early as eight days ago.
The direct cause for initiation of the procedure was an individual report stating that the media were given access to and published data from a tax return, that is, data which should be available only to authorized persons in the TA. However, during the enforcement procedure, employees in TA gave the Commissioner's authorized officers information which could be relevant for the very poor and extremely worrying standard of overall treatment of taxpayers' data.
The Commissioner's authorized officers were informed that those data were also submitted to the Prosecutor's Office and the Ministry of Internal Affairs, although the TA failed to inform the Commissioner about them sooner.
Setting aside, at least on this occasion, the question whether it is good that the data which are yet to be verified by the Prosecutor's Office and the Ministry of Internal Affairs have been published or why the public has not been informed about them before initiation of the procedure by the Commissioner, the Commissioner believes it is necessary that the competent authorities (the Prosecutor's Office and the Ministry of Internal Affairs) should check all relevant facts as soon as possible both regarding the rights of individual taxpayers and particularly regarding possible inadmissible mass invasion of taxpayers' personal data files and should inform the public about that.
The Commissioner will, within his sphere of competence, take measures he is authorized to take as soon as possible and the public will be informed about it as always.
In that regard, Commissioner Rodoljub Sabic also said he following:
"Either way, this particular case just reaffirms what I warned about as the Commissioner on several occasions. It is the fact that Serbia as a state has been chronically, for years, displaying an inadequate, irresponsible approach to the citizens' right to personal data protection.
It is inadmissible that the state does not have any real answers to questions who, when, why and how has the right to process personal data. The basis for this under any circumstances can and should be clear and precise arrangements set by the law instead of more or less (in)formal order of some minister or state secretary or another and each access to databases of citizens' personal data must leave a "permanent trace" which enables checking of the meaning, purpose and above all lawfulness of access to data at any time. In that context, even a mere doubt that it is possible to download even entire databases without the basis, purpose and volume defined by the law seems almost grotesque.
Surely it is no coincidence that every day we are faced with scandals in connection with invasion of privacy, i.e. illegal processing of personal data (surveillance, tapping and locating, identity theft, establishment of unlawful data files...).
This is why I would like to warn again on this occasion that a radical change of approach to protection of personal data is necessary. If Serbia fails to introduce a well-designed, strategic approach to problems in this field, these problems will multiply continually and increasingly fast, with extremely negative consequences which in some cases may be literally irremediable."
