On the occasion of the discussion that took place on HAPPY television in the show " Добро јутро Србијо /Good morning Serbia" on November 11, 2021, in which Dragan J. Vučićević, the editor-in-chief of the daily newspaper "Informer" was a guest, which referred to the regular supervision, performed on November 10, 2021, by the authorized persons of the Commissioner for Information of Public Importance and Personal Data Protection (hereinafter: the Commissioner) over the application of the Law on Personal Data Protection (hereinafter: LPDP) by the controller or supervised entity, whose one of the activities is the online sale of wine, and “questioning” the competence of the Commissioner with the text published on the "Informer" official site entitled "Special War against Vučić! Inspectors supervised the wine shop where the president's son Danilo works! "аnd in the daily newspaper "Informer" entitled "Commissioner persecutes Danilo?! ", the commissioner gave the following statement:
I
As a reminder, due to doubts regarding the powers of the Commissioner, we point out: by the Law on Free Access to Information of Public Importance ("Official Gazette of the RS" No. 120/04, 54/07, 104/09 and 36/10), adopted in November 2004 The Commissioner for Information of Public Importance was established as an independent state body, independent in the exercise of its competence, with the task of protecting the exercise of the right to free access to information of public importance. With the enactment of the Law on Personal Data Protection ("Official Gazette of RS" No. 97/08 and 104/09-other law, 68/12-decision CC and 107/12) in October 2008, the Commissioner for Information of Public Importance received new competencies in the field of personal data protection and according to that law, he continued to work as the Commissioner for Information of Public Importance and Personal Data Protection. In November 2018, a new Law on Personal Data Protection ("Official Gazette of RS" No. 87/18) was passed, which in Article 73 of the Law regulates the position of the Commissioner in the same way as the previous law.
According to Article 4, paragraph 1 of the LPDP:
- “Personal data” means any information relating to a natural person whose identity can be identified or identifiable, directly or indirectly, in particular on the basis of an identity mark, such as name and identification number, location data, identifiers in electronic communication networks or one or more features of his physical, physiological, genetic, mental, economic, cultural and social identity (Item 1)
- Controller –;Is a legal or natural person, a public authority, or any other body who, alone or when joined with others, determines the purposes of any personal data and the means of processing it. The law which determines the purpose and means of processing, may also determine the controller or prescribe the conditions for its determination (Item 8).
Therefore, the controller can be, in addition to government bodies (which include state bodies, local self-governments, public companies, public services and institutions…) and banks, insurance companies, companies engaged in various activities, as well as other legal and natural persons or ANYONE who handles personal data and processes that data, and to whom the LPDP refers.
According to Art.1. Art. 78 and Art. 79. LPDP the Commissioner ensures the protection of personal data.
The duties of the Commissioner under Article 78 are, inter alia:
- Supervise and ensure application of this Law in compliance with their powers;
- Provide opinion to the National Assembly, Government, other public authorities and organizations, in compliance with the regulations, on the statutory and other measures relating to the protection of rights and freedoms of natural persons with regard to processing;
- Take care of the promotion of the awareness of controllers and processors of their obligations prescribed by this Law;
- Handle complaints of the data subjects, determine whether or not there has been an infringement of this Law and inform the complainant of the progress and the outcomes of the proceeding conducted by them in compliance with Article 82 of this Law;
- Carries out inspection supervision on the application of the Law, in accordance with the Law and the corresponding law introducing inspection supervision, and submits a request for initiating misdemeanor proceedings if it is determined that it could violate the Law, in accordance with the law that regulates misdemeanors
- Keeps records of persons responsible for personal data protection (DPO – data protection officers) referred to in Article 56, paragraph 11 of this Law;
- Keeps internal records of violation of this Law and of measures taken in carrying out inspection supervision in compliance with Article 79, paragraph 2 of this Law;
- Carry out other tasks specified by this Law.
According to Article 79 of the LPP, the Commissioner is, inter alia, authorized to:
- instruct the controller and the processor, and if necessary, their representatives, to provide all the information he/she requests in the exercise of his/her powers;
- check and evaluate the application of the provisions of the law and otherwise supervise the protection of personal data by using inspection powers;
- request and obtain access from the controller and processor to all personal data, as well as information necessary for the exercise of his / her powers;
- request and gain access to all controller and processor premises, including access to all facilities and equipment.
According to the said article, the Commissioner is authorized to take the following corrective measures:
- to warn the controller and the processor by submitting a written opinion that the intended processing operations may violate the provisions of this Law in accordance with Article 55, paragraph 4 of this Law;
- to issue a warning to the controller, ie the processor if the processing violates the provisions of this Law;
- to order the controller and the processor to act upon the request of the data subject in connection with the exercise of his rights, in accordance with this Law;
- to order the controller and the processor to harmonize the processing operations with the provisions of this Law, in a precisely determined manner and within a precisely determined deadline;
- to order the controller to inform the person to whom the personal data relate about the violation of personal data;
- to impose a temporary or permanent restriction on the processing operation, including a ban on processing;
- to order the rectification or erasure of personal data or to restrict the processing in accordance with Art. 29 to 32 of this Law, as well as to order the controller to inform the other controller, the data subject and the recipients to whom the personal data were disclosed or transferred about above-said changes, in accordance with Article 30, paragraph 3 and Art. 33 and 34 of this Law;
- to impose a fine on the basis of a misdemeanor warrant if during the inspection it is determined that there was a breach for which this law prescribes a fine in a fixed amount, instead of other measures prescribed by this paragraph or with them, depending on the circumstances of the case.
Article 14 of the Law on Inspection Supervision ("Official Gazette of the RS", No. 36/15, 44/18 - other law and 95/18) stipulates that the inspection is obliged to compile checklists in its field of inspection supervision, publish them on its website and apply in the procedure of regular inspection supervision and mixed inspection supervision in the part related to regular supervision, as well as in the inspection supervision at the state border which is performed regularly. Further, the Inspection may submit a checklist to the supervised entity and with the request to prepare and submit to the Inspection a self-assessment report on compliance with the checklist requirements and self-assessment of risk.
In accordance with Article 14 of the Law on Inspection Supervision, the Commissioner also compiled checklists on his website www.poverenik.rs in the section entitled "Data Protection", as follows:
checklist for Controllers who are public authorities (Article 4, item 25 of the Law on Personal Data Protection: "public authority" is a state body, a body of territorial autonomy and local self-government, a public company, institution and other public service, organization and other legal or natural person exercising public authority);
a checklist for non-government controllers.
By publishing checklists on www.poverenik.rs, the Commissioner acts preventively, educationally and informatively, thus helping the supervising bodies to know in advance exactly what their obligations are and what they need to do in order to harmonize their business and actions with regulations and prevent damage, as well as what the authorized person from the competent office of the Commissioner checks in the supervision process.
All of the above can be found on the Commissioner's website www.poverenik.rs.
II
Based on the authorizations from Articles 77 and 78 of the Law on Personal Data Protection and Article 10 of the Law on Inspection Supervision, the Commissioner adopted the Plan of Inspection Supervision for 2021, number 021-03-10 / 21-04 from March 31, 2021. where regular inspections for online trading are planned as part of regular inspections. The Commissioner's plan can be found on the Commissioner's website: www.poverenik.rs/sr/aktuelni-akti/3534-plan-inspekcijskog-nadzora-za-2021-godinu.html .
The Commissioner's website within the section "About us" shows the "Organization of the Commissioner", which lists all the basic internal units - Sectors, including the Sector for Supervision with the description of the work of that sector.
According to the above-said:
1. During 2021, the Sector for Supervision did send checklists to the addresses of 1,007 (one thousand seven) controllers in the Republic of Serbia. The checklist was sent to the controller, ie the supervised entity, whose one of the activities is the online sale of wine, on March 5, 2021. by e-mail. The controller sent the checklist on March 16, but it was not filled out. The Commissioner requested the correction of the checklist on March 18, and the controller submitted it on March 19, but the correction was requested again, and after the correction, the list was sent on the same day.
2. The published Annual Supervision Plan for 2021 states that the Sector for Supervision in 2021 plans regular inspections of companies engaged in online trading.
3. During the month of April, cases were formed for a total of 186 (one hundred and eighty-six) subjects of supervision, in which regular supervision was planned to be performed. Among these entities are companies that sell furniture, food, books, cars, alcohol, computer equipment, clothing and footwear, sports equipment. The subject of inspection supervision for the controller who, among other things, deals with the online sale of wine, was opened on April 20, 2021.
4. In accordance with the Law on Inspection Supervision, a notification on the forthcoming regular inspection supervision, scheduled for November 10 at 10:00 AM, was sent to the said controller on November 4.
5. At the scheduled time, the authorized persons of the Commissioner appeared in the premises of the controller. Upon entering the premises, the director of the controller allowed them to conduct normal supervision, for which a record was made. On the same occasion, no irregularities were found in the application of LPDP.
All activities of the Commissioner, including inspections, will be included in the Commissioner's annual report for 2021, which shall be submitted to the National Assembly for consideration at the beginning of 2022, within the legally prescribed deadline.
III
Based on the stated legal authorizations and all data related to the regular inspection supervision from November 10, 2021. over the application of the Law on Personal Data Protection at the controller whose one of the activities is the online sale of wine, the Commissioner reiterates that it was performed on the basis of the Inspection Plan for 2021 from March 31,2021, that the case was opened on April 20, 2021. and the said regular inspection cannot be related to any intentions directed against any natural person. And especially not towards the President of Serbia and his son.
Therefore, the claim that the said inspection was carried out in a targeted manner concerning any employee in the supervised entity is false.
As the Commissioner supervises the protection of personal data, the data obtained during inspections must be protected in the best practice of application of the Law on Personal Data Protection.
The Commissioner hopes that this announcement will remove all doubts that were discussed in the mentioned television show and the text published in the daily newspaper and on the "Informer’s" website. The Commissioner also hopes that this statement will influence the consideration of the Commissioner's competence in the area of supervision over the implementation of the Law on Personal Data Protection.
Finally, no irregularities in the application of the law were found in the application of LPDP by the controller who was the subject of regular inspection, which speaks in favor of good practice in the field of personal data protection in the Republic of Serbia as an important human right guaranteed by Article 42 of the Constitution of Republic of Serbia.