The Commissioner for Information of Public Importance and Personal Data Protection is conducting a supervision procedure over the implementation of the Law on Personal Data Protection (LPDP) by the Privatization Agency.
The supervision procedure was launched several days ago and will last for some time; however, it is already evident that its results will be the most drastic confirmation of the incomprehensible, irresponsible attitude of the state towards the right to personal data protection.
A vast amount of personal data (name, surname, Personal ID Number and some other data) of almost all adult citizens of the Republic of Serbia is exposed to the risk of unauthorized processing and abuse.
Following the supervision procedure, the Commissioner will, as usual, inform the public about all relevant facts, institute misdemeanor proceedings against the responsible persons, and require the prosecutors' offices and the MoI to institute proceedings ex officio so as to establish criminal liability.
In this regard the Commissioner, Rodoljub Sabic, has stated the following:
"The surveillance procedure has been launched ex officio on the basis of alleged evidence obtained from social media sites and the citizens' complaints which indicated the possibility of unauthorized access to personal data held by the Privatization Agency.
The allegations have been confirmed upon investigation. Even though, for example, the data file "Right holders' register" has been reported by the Agency and entered in the Register maintained by the Commissioner as the "data file maintained on a dedicated computer, which is safeguarded by the system of authorization and authentication passwords and accessed only by authorized persons", prior to the Commissioner's intervention, anyone could have simply accessed the said data file.
Due to the volume of available information (1.22 GB) it was not possible to immediately ascertain the exact number of affected citizens, but owing to the good collaboration with the civil sector experts, and especially the "Share Foundation", it was ascertained that there were about 5,190,000 affected citizens.
This case should not be linked to the news of "hacker threats" which have been a prominent feature in the media for several days now. In the case of the "Serbian hackers", according to what we could observe, this was a much smaller number of personal data most probably from a database of "committed voters" of a political party. In the case of the Privatization Agency we are dealing with a far greater number of data whose compromising can be laid at the door of a public authority. It is particularly worrying that in order to access and download the data held by the Agency neither hacker operations nor special knowledge were required; one could have done it relatively easily by using active links on the webpage of the Agency and a web search engine.
Following several warnings, which I have referred to the competent authorities, I wish to believe that at least this scandalous case would lead to a serious change of the state's attitude towards the right to personal data protection. This, among other things, necessarily implies accountability as well. I am here referring not only to the accountability of the people in charge of the software, technical and physical data security, but particularly to the political and occupational accountability of the public officials and "experts" with the competent authorities, who are responsible for the development of the normative system, education and strategic approach and who have made incomprehensible omissions in this regard and ignored evident problems for a long time."