The Commissioner for Information of Public Importance, Mr. Rodoljub Sabic, who has been receiving an increasing number of complaints from citizens and the media in this regard, today warned all public and private law entities which have or could have responsibilities under the Law on Personal Data Protection of the need to take adequate action in order to be able to meet those responsibilities. The Commissioner emphasized in particular that the periods set for bringing the data files and records established before that Law took effect into compliance with the standards specified therein had already begun.
Among other things, Commissioner Rodoljub Sabic also said the following:
“At this moment, due to rather incongruous formulations of the transitional provisions of the Law, we are in a situation in which we have two currently applicable personal data protection laws, but neither of them is actually being implemented. The implementation of the new Law will not start until 1 January 2009, but we should not let the time slip by until then; indeed, we should make the best of it.
It is vital that all entities involved in personal data protection in all fields take action in the spheres of logistics, organization, education of human resources and other relevant actions in order to prepare themselves for proper discharge of their responsibilities under the Law. Evidently, major problems could arise in this regard. Although I cannot act upon them before the 1st of January, I am already receiving petitions from citizens and other entities to support this. For example, there are some serious indications that citizens' personal data are often made available to third parties without their knowledge and consent, for the purposes for which they were not originally collected, i.e. for commercial purposes. Paradoxically, it appears that even some public enterprises, otherwise very keen to conceal information from the public's eye if it relates to their transactions, salaries, etc., are taking recourse to such action.
It is important that entities which process personal data adopt new standards in a timely manner and bring their activities into compliance with such standards. Allowing situations in which data processing could be banned even if it might be justified and useful simply because there is no compliance with the Law would be bad and irresponsible. We should start treating personal data protection as a real problem, not an imaginary one. In this context, it seems reasonable to point out that unauthorized processing of personal data could also constitute a criminal offence.
Of course, in order to properly commence with the implementation of the Law, the Government of Serbia should provide by the 1st of January at least the barest necessities for the operation of the supervisory authority responsible for enforcement of the Law and it should adopt the necessary secondary legislation. Unfortunately, the Government has already created a huge backlog in this regard. The de facto non-functionality of the supervisory authority, coupled with certain legal obstacles which somehow, inexplicably, found their way into the text of the Law, could undoubtedly have adverse effects in terms of proper implementation of the Law. This could damage our country's international reputation, because of the failure to execute the commitments assumed under the SAA, and, even more importantly, it could damage the country internally, because of the human rights enshrined in the Constitution and the law. This is why I am of the opinion that such delay on behalf of the Government, such neglect of the duty to facilitate the operation of a new public authority, is indeed beyond understanding and I hereby once again urge the Government and its services to change their current attitudes.”