The Commissioner of Public Importance and Personal Data Protection visited today the Association of Serbian Banks and talked with the Secretary General of the Association of Banks about the results and effects of the supervision over the implementation of the Law on Personal Data Protection which the Commissioner conducted in all commercial banks in Serbia.
The Commissioner sent back in March to all commercial banks (29) a warning about unlawful processing of personal data by requiring and retaining copies of clients' personal documents (passports, ID cards, health cards, etc...) even in those cases not expressly provided for by law. All the banks were given a deadline of 30 days to make a statement regarding this warning, and the Commissioner announced that it will adopt orders which would explicitly prohibit the unlawful processing of data.
At today's meeting the Secretary General of the Association of Banks confirmed that, in addition to the seven banks that already informed the Commissioner that they will discontinue the unlawful processing of personal data, all other banks are also aware that the data processing without a legal basis is unlawful, that it is not in the interest of banks, and that they are ready to, if the Commissioner's order instructs so, to discontinue such processing. However, in this regard, the Association of Banks voiced its concern that the members of the Association might be subject to sanctions by the National Bank of Serbia (NBS), if they discontinue data processing based on the requirements of the NBS, and so far practice.
The Commissioner recalled that multiple copies of clients' personal identification documents without explicit legal basis is not just an abstract violation of the Constitution and the law, but concrete, unnecessary mistreatment of clients, and that the establishment of massive, multimillion data files or copies of personal documents is unnecessary, and certainly increases the risk of their abuse.
The Commissioner said that it would be legally untenable for commercial banks to be subjected to any kind of sanctions for starting behaving in practice in compliance with the Constitution and the law instead of by-laws or internal procedures. Discontinue of data processing that it is not based on the law does not impede the objectives set by the Law on the Prevention of Money Laundering and Terrorist Financing, as the banks will continue to apply those measures to establish the identity of clients that have an explicit basis in this or any other law.
