Independent data protection authorities (“DPAs”), such as the Commissioner for Information of Public Importance and Personal Data Protection in the Republic of Serbia (the “Commissioner”), have a significant role and significant powers in the event of a personal data breach.
Quis custodiet ipsos custodes? (Who watches the watchers?)
Since DPAs are themselves controllers of certain personal data, a personal data breach may also concern data under their control.
This recently happened to the Danish DPA, Datatilsynet. At the end of August, Datatilsynet published a notice of a personal data breach on its premises: paper waste containing documents with confidential and sensitive information was not disposed of by shredding but as regular paper waste (in its integral form). It was established that this practice existed from February until August 2020, with Datatilsynet staff working from home from March until June, which certainly reduced the scope of the breach.
As indicated, the documentation contained information about employees and about persons who had lodged complaints concerning the protection of their personal data (name, subject of the complaint, address, etc.).
Considering the obligations of controllers under Art. 33 and 34 of the GDPR, Datatilsynet reported the breach in the same manner as any other controller is bound to; however, there was also an omission in this case, because the prescribed 72-hour deadline for reporting was exceeded by an additional 24 hours. Datatilsynet stated that the employee who missed this deadline was reprimanded and that its internal procedures were revised, including those relating to the disposal of paper waste. At the same time, Datatilsynet notified the persons possibly at risk due to this breach.
What is the situation in the Republic of Serbia?
Under the Law on Personal Data Protection (“LPDP”), the controller is obliged to implement appropriate technical, organisational and personnel measures to ensure that processing is carried out in accordance with the law and to be able to demonstrate this, taking into account the nature, scope, circumstances and purpose of the processing, as well as the likelihood and severity of the risk to the rights and freedoms of natural persons. The controller is obliged to review and update these measures and to apply appropriate internal personal data protection policies where this is proportionate to the processing.
The processor shall also guarantee the implementation of appropriate technical, organisational and personnel measures so as to ensure that processing is carried out in accordance with the provisions of the LPDP and that the protection of the rights of data subjects is ensured.
Therefore, controllers and processors are primarily obliged to act preventively in order to avoid a breach.
What to do when a breach nevertheless happens?
The LPDP regulates this issue in the same way as the GDPR. The controller shall notify the Commissioner of a personal data breach that may pose a risk to the rights and freedoms of natural persons without undue delay and, where feasible, within 72 hours of becoming aware of the breach; where the notification is not made within that deadline, it must be accompanied by the reasons for the delay.
This notification shall be submitted in the prescribed form, together with the records of processing activities that the controller keeps in accordance with Article 47 of the LPDP. The notification shall be submitted in writing, in person or by post, while a scanned copy may be sent to a specially designated e-mail address of the Commissioner.
The controller is also obliged to document any personal data breach, including the facts surrounding the breach, its consequences and the measures taken to remedy them.
If, on the other hand, the breach occurred at the processor, the processor shall notify the controller without undue delay, and the controller shall take the prescribed measures.
If the personal data breach may result in a high risk to the rights and freedoms of natural persons, the controller is also obliged to notify the data subjects of the breach.
This article is intended to be exclusively informative and does not constitute legal advice.
If you should need additional information, please contact us directly.
By Ivana Ruzicic, Managing Partner, PR Legal