Aug 30, 2017

An issue raised by many investors in the Serbian market, whether in the service, research, manufacturing or agricultural industry, is the legal basis for the lawful collection and processing of personal data of their clients and potential customers.

The question posed to the Commissioner for Information of Public Importance and Personal Data Protection (DPA), which may provide some guidance, is under what circumstances information may be collected and processed under Serbian law, and what the future outlook is in this regard.

With respect to the most controversial aspect of data acquisition and processing, that of ex lege processing and collection (i.e. without prior informed consent), the Serbian Law on the protection of personal data (Official Gazette of the Republic of Serbia, nos. 97/2008, 104/2009, 68/2012 and 107/2012) (‘LDP’) sets out two separate legal bases for the collection and processing of personal data. The collection and processing of personal data may either be: (i) based on statute; or (ii) based on the prior informed consent of the person whose data is being collected and processed, i.e. the data subject.

Pursuant to Article 12 of the LDP, statute-based collection and processing of personal data without the prior informed consent of the data subject is allowed in the following circumstances:

  1. To achieve or protect vital interests of the data subject or a third party, in particular their life, health and physical integrity;
  2. For the purpose of discharging duties laid down by a law, an enactment adopted pursuant to a law or a contract concluded between the person concerned and the controller, as well as for the purpose of contract preparation;
  3. In other cases envisaged by the LDP or another regulation adopted pursuant to the LDP for the purpose of achieving a prevailing justifiable interest of the person concerned, the controller or a user.

It should also be noted that the Law on contracts and torts does not regulate the scope of personal data that must be provided to, for example, an insurer for the conclusion and execution of an insurance agreement.

Taking into account the above, and while the LDP unambiguously prescribes that collection and processing of personal data is allowed for the purpose of discharging duties laid down by law, the issue arises as to whether the mere fact that an agreement is regulated by the Law on contracts and torts provides a statutory legal basis for the collection and processing of personal data, given that this law does not state which data is necessary for the conclusion of the insurance agreement and the execution of the duties under it.

Bearing in mind this lacuna in the Law on contracts and torts regarding the scope of the personal data necessary for the conclusion and execution of the insurance agreement, the Serbian DPA stated in its Opinion that the collection and processing of personal data based solely on the Law on contracts and torts is not allowed, and that collection and processing of personal data between insurers and insured persons is allowed only on the basis of the prior informed consent of the data subject.

While the Serbian DPA is clear about the limitations on the collection and processing of personal data pursuant to the Law on contracts and torts, it is interesting that its Opinion does not expressly set out whether the collection and processing of personal data in the insurance sector is allowed in the other cases set by the LDP in which prior informed consent is not required, such as for the purpose of execution of an agreement concluded between the person concerned and the controller, as well as for the purpose of preparation of an agreement.

To the extent that an organisation processes personal data in Serbia, it should examine the legal basis on which it is doing so. Based on the Opinion, strictly speaking it should ensure that it has the prior consent of its data subjects to do so; however, the practicalities of doing so, and what appears to be market practice, may mean that a careful balancing exercise will need to be undertaken.


Source: www.lawinserbia.com