Personal Data Protection: What Every Company Must Know


If you run a company that processes personal data, it is clear to you that the Law on Personal Data Protection (ZZPL) also applies to you and that the protection of personal data is something you need to pay attention to.

Therefore, we will not waste your time on legal definitions and theoretical introductions. This text is here to clearly and concretely guide you through what is really important: what your obligations are as an owner or a responsible person – whether in relation to clients, users, employees or other persons.

We will show you what is considered personal data, which data you are allowed to collect and for what purposes, what you must never do with them, when you are obliged to appoint a data protection officer, how this is done, what fines you face if you fail to do so – and what to do if there is a “leak” of the collected data.

At a time when a carelessly sent e‑mail or a missed backup can lead to a serious violation, understanding and implementing the rules on data protection is the minimum of business responsibility.

Therefore, read the rest of this text and stay on the right side of the law.

The Law on Personal Data Protection provides a clear definition of personal data:

“Personal data” is any data relating to a natural person whose identity is determined or determinable, directly or indirectly, in particular on the basis of an identity mark, such as a name and identification number, location data, an identifier in electronic communications networks or one or more features of their physical, physiological, genetic, mental, economic, cultural or social identity.

The statutory definition is quite broad and covers any information – textual, numerical, visual or audio – that relates to a determined (for example, Ivana Petrović) or determinable natural person (if the person’s identity can be learned by combining information, for example, a woman from Kraljevo who works in the only veterinary station there).

Therefore, it is important that the information does not relate to a legal entity, but to a human being – an employee, client, user, etc.

Personal data, for which protection is guaranteed, includes, for example:

  • First and last name,
  • JMBG, ID card number or passport number,
  • Home address,
  • Phone number, e‑mail address if it contains the first and/or last name,
  • GPS coordinates (location),
  • An IP address of a user in communication networks.

But also features of physical, physiological, genetic, mental, economic, cultural and social identity such as height, weight, fingerprint, genetic data, health data (diagnoses), data on salaries, debts, memberships in associations, religious affiliation, etc.

Moreover, when it comes to these features, it is important to know that they fall into a special category of personal data (so‑called sensitive data) and that their processing is prohibited, except in strictly defined exceptions (for example, with explicit consent, for the fulfilment of obligations from employment, for the protection of life, for the exercise of a legal claim in court proceedings, if the information is of public interest, etc.).

To conclude, only information that does not allow the identification of an individual is not personal data under the ZZPL.

In its operations, a company may collect and process only those personal data that are necessary for achieving a specific purpose, provided that it has a legal basis for doing so (for example, the consent of the person whose data is collected and/or processed, performance of a contract, legal obligation or some other basis).

For example, when concluding a service agreement with a client who is a natural person, the company collects their identification and contact data (first name, last name, JMBG, address, contact details) and bank account number for payment.

However, it is not permitted to process data that are not necessary for the performance of that contract – for example, health data.

Likewise, the company processes personal data of its employees that are necessary for the exercise of rights and obligations arising from employment (for example, identification and contact data, bank account number for salary payment, data on education and work experience), but must keep confidential their validation numbers, medical history and other sensitive data if not required by law.

It is also necessary to observe the principle of data minimisation, i.e. to ensure that the company does not collect more data than it needs.

In this way, full protection of personal data is ensured.

The Law on Personal Data Protection clearly prescribes three situations in which you must appoint a data protection officer (Data Protection Officer – DPO):

  • If you are a public authority (this applies to public enterprises, municipalities, schools, hospitals, public institutions, but also to all others that exercise public powers – except courts when performing judicial functions);
  • If you carry out processing activities which by their nature, scope or purposes require regular and systematic monitoring of a large number of persons (for example, you have an app for that), you process data of a large number of users (for example, through video surveillance or loyalty programs), or you generally profile users based on their habits and behaviour;
  • If you process special categories of data on a large scale (this includes data on health, religion, ethnicity, sexual orientation, trade union membership, etc. – for example, if you are a private clinic).

All others are not obliged to do so, but may voluntarily appoint a personal data protection officer (for example, a lawyer), who may have a supporting team, which can be useful if:

  • you want to demonstrate your commitment to data protection to clients and partners;
  • you have complex internal processes;
  • you process personal data of persons from the EU (for example, in outsourcing projects).

In any case, it is advisable to consult a legal expert whose expertise is personal data protection when conducting the analysis of the (non‑)existence of the obligation to appoint a data protection officer.

If you are obliged to appoint a DPO but fail to do so, you face a misdemeanor fine in the amount of 50,000 to 2,000,000 dinars, or 20,000 to 500,000 dinars if you are an entrepreneur.

It is important to note that there is also a fine if you have appointed a person, but have not published and submitted their contact details to the Commissioner for Information of Public Importance and Personal Data Protection.

The data protection officer is appointed by the competent body of the controller or processor. Keep in mind that the DPO must have certain professional qualifications and an independent position, and that the controller or processor must provide them with the necessary resources to perform their duties, access to personal data and processing activities, as well as professional training.

The data protection officer may perform other tasks and duties, and the controller or processor is obliged to ensure that the performance of other tasks and duties does not lead the data protection officer into a conflict of interest.

If a personal data breach occurs (for example, a data leak or unauthorised access), it is clear that such an event may endanger the rights and freedoms of the natural persons whose data you have collected, and precisely because of this the controller of these data is obliged to report such an incident to the Commissioner for Information of Public Importance and Personal Data Protection without undue delay and, where possible, within 72 hours of becoming aware of the breach.

The notification must contain a description of the nature of the personal data breach, the contact details of the data protection officer or another point of contact where more information can be obtained, a description of the possible consequences of the breach and a description of the measures taken. If the controller does not act within the deadline, it must also explain the reasons for the delay.

Under the ZZPL, if it is established that the controller did not notify the Commissioner of the breach, a fine of 50,000 to 2,000,000 dinars (for a legal entity) is imposed, and for failure to notify the data subjects of a breach that may result in a high risk to the rights and freedoms of natural persons, fines of up to 2,000,000 RSD also apply.

In addition to monetary fines, the company suffers reputational damage and may be civilly liable for any damage suffered by the individuals whose data were compromised.

The ZZPL provides that, before starting high‑risk processing (for example, systematic monitoring, large‑scale processing of sensitive data), the controller must carry out a data protection impact assessment (DPIA), and if the DPIA shows that the intended processing is likely to result in a high risk if measures to mitigate the risk are not taken, it must request the prior written opinion of the Commissioner before starting the processing activities.

Consulting the Commissioner is also advisable in cases of more complex questions in the field of data protection (for example, determining an adequate legal basis, transfer of data to other countries, etc.), in which case you can request an opinion from the Commissioner for Personal Data Protection.
