The Commissioner for Information of Public Importance and Personal Data Protection has launched a supervision procedure over the implementation of the Law on Personal Data Protection in the Chamber of enforcement officers.
The immediate cause is the manner of implementation of the amendments to the Law on Enforcement and Security, which entered into force on 26 December. According to the above amendments, enforcement officers are obliged to deliver the Chamber data on the authentic document on the basis of provided utility and related services which enforcement is requested, so the Chamber can evenly distribute the enforcement officers throughout the territory of the Republic of Serbia, and only if the Chamber fails to respond within 5 days, a creditor may contact a local enforcement officer.
Accordingly, the Chamber is obliged to issue within 15 days a general rule specifying in detail the contents and manner of submitting a request by the enforcement creditor to the Chamber, the contents of the response of the Chamber and the manner of submission of response of the Chamber to the enforcement creditor. The Chamber published, not within 15 days, but the same day on 26 December, on its website that it had adopted a Rulebook! The contents of the Rulebook, nor information on obtained approval from the Minister and on the publication of the Rulebook in the Official Gazette were not disclosed. Forms to be filled and submitted to the Chamber have been also published with a notice that it will submit a list of competent enforcement officers to whom enforcement motions should be filed.
The published forms include, inter alia, data on natural persons – enforcement debtors (name, amount due, address, unique citizen number).
Even if it were possible to put aside the "quality" of the Rulebook (the manner of adoption, the existence, validity and conditions for application), it raises, at first glance, a number of questions of importance for permitted and lawful processing of personal data.
First, it is obvious that the Rulebook (a bylaw) gets into regulating processing of personal data, although under the Constitution that is a legal matter.
In addition to the legal basis, a question of purpose is completely open as well, as if the purpose, as the law states, is even distribution of cases, the provision of personal data is not only not necessary, but it is quite redundant.
Although in relation to the above two questions it seems less important, but there is a number of questions which is by no means insignificant, such as – what measures are taken for the protection of data and are they taken at all, why is it submitted by regular e-mail, what happens to the data on which the Chamber fails to respond within 5 days, how long does it keep it etc.?
The Chamber of enforcement officers were ordered to make statement on all outstanding issues within 3 days, after which the Commissioner will decide on taking further measures.
