Serbia’s data protection authority (the “Commissioner”) recently issued a publication which allows data protection lawyers and the public at large to get a better understanding of the Commissioner’s practice under current legislation.
Serbia’s Data Protection Act of 2018 became applicable in August 2019. The law for the most part copies provisions of the GDPR. As the Commissioner only publishes its decisions online in exceptional cases, it is difficult, or even impossible, to anticipate its position on a particular issue not expressly regulated by the Data Protection Act. For that reason, the Commissioner’s Viewpoints and Opinions, vol. 6, published on January 28, 2021, serves as a helpful tool for understanding and predicting its approach.
A good number of the decisions included in the Viewpoints and Opinions, vol. 6 read as a primer on data protection law, because they restate the law’s provisions on basic things such as the conditions for valid consent and the elements of a data processing notice.
More seasoned data protection practitioners will nevertheless find useful and non-obvious pronouncements by the Commissioner. One example deals with the provisions in the Data Protection Act that might be read as departing from equivalent GDPR provisions. In places, Serbian words denoting the key concepts in the relevant provisions of the Data Protection Act do not exactly match those in the GDPR. The linguistic differences in fact reflect imprecisions in the translation, rather than the specific intent by the Serbian legislator to depart from the GDPR. Therefore, it would only make sense to disregard the translation oversights and interpret the provisions in their GDPR meaning. Indeed, the Commissioner took this approach in a decision from December 2019, explaining that the term “seat” in the law’s provision on its territorial scope should be read and interpreted as the term “establishment” in the equivalent GDPR provision. This is an important clarification – even if made public with a one-year delay – which impacts the applicability of the law to branches and representative offices of foreign companies in Serbia. Those branches and offices are “establishments” (not “seats”), but the Data Protection Act nevertheless applies.
This approach is not taken in all cases, however. In a decision of September 11, 2020, concerning the legal processing of job candidates’ personal data, the Commissioner did not favor an interpretation consistent with the GDPR. In a decision that is important due to its potentially precedential nature, it seems, from the excerpt that the Commissioner published, that the only legal bases for the processing of personal data of job candidates are compliance with the employer’s legal obligation and the exercise of official authority vested in the employer. If true, this would mean that employers cannot process personal data of job candidates on the basis of a legitimate interest or when taking steps at the request of the candidate prior to entering into a contract. The Commissioner arrives at this reductionist view by relying on a reference in the Data Protection Act to the employment laws as additional sources applicable to the processing of personal data in the employment context. A reference to employment laws also exists in GDPR Article 88, however it does not result in a similar narrowing of legal bases for the processing of job candidates’ data. Several decisions in the publication, from September and November 2019, are helpful applications of the law’s general principles and rules to the specific context of video surveillance. The clarity and comprehensiveness of the analyses makes those decisions informal “laws” on video surveillance for companies and other data controllers who consider using video surveillance but cannot find explicit guidance in the Data Protection Act itself.
The Commissioner’s publication would have benefitted from restating the statutory provisions less and reciting the facts more, because vivid descriptions of the real-life situations would help the reader to better understand data protection law “in action.” The Viewpoints and Opinions, vol. 6 is nevertheless an important contribution to the development of data protection law in Serbia. For further, faster development, making the Commissioner’s decisions public in real time, rather than with a year- or longer delay, would be essential.
By Bogdan Ivanisevic, Partner, BDK Advokati