The Commissioner for Information of Public Importance and Personal Data Protection pointed out in the letter to the Minister of Trade, Tourism and Telecommunications that it is necessary that the Ministry as the competent body should initiate the procedure for amending the existing legal regulations regarding legal grounds and the purpose of personal data processing in the procedure of issuing qualified electronic certificate.
The Commissioner has previously implemented analysis of relevant legal regulations and initiated and completed the supervisory procedure regarding the implementation of the Personal Data Protection Law by the Certification Bodies Rendering Services of Issuing Qualified Electronic Certificates (Public companies Post Office of Serbia Belgrade, Serbian Chamber of Commerce, Ministry of Defense and Serbian Army, „E-Smart Systems d.o.o. (Limited Liability Company) Belgrade“, „Halcom a.d. (Joint Stock Company)“ Belgrade and Ministry of Interior.)
Provisions of the Law on Electronic Signature did not regulate the issue of personal data processing, i.e. UCMN, but it has been prescribed that the Ministry in charge "shall prescribe technical-technological procedures for formation of qualified electronic signature". Such solution is directly opposing provisions from Article 42 paragraph 2 of the Constitution of the Republic of Serbia, as well as adequate Constitutional Court decision, based on which processing and using of personal data can be regulated only by the law, and not based on subordinate general legislation.
In addition to that, the bylaw the Ministry has passed, "Rulebook on Technical-Technological Procedures for Formation of Qualified Electronic Signature..." is inconsistent, bearing in mind that some of its provisions are contradictory, and some of them provide for processing of UCMN as optional, and the others provide it as practically mandatory thing.
Consequence of the quoted is, as confirmed by the supervision procedure, that besides unconstitutionality, we also have non-harmonized practice. Therefore the qualified electronic certificate which is generated by four out of six certification bodies (Serbian Chamber of Commerce, Ministry of Defense and Serbian Army, „Halcom a.d. (Joint Stock Company)“ Belgrade and Ministry of Interior), mandatorily within the structure of the user name contains one’s UCMN, that is, the user can not, during submitting the application for issuing the qualified electronic certificate choose if the qualified electronic certificate shall contain his UCMN or not.
Unconstitutionality and legal uncertainty due to non-harmonized practice are more than enough of reason to regulate this issue properly, according to the Constitution, based on the law, without delay. In relation to that, the Commissioner, as in all other similar situations holds the position that UCMN processing should be done restrictively, especially taking care of the purpose and proportionality.