If the presidential elections in the USA were held after May 25, 2018, Donald Trump might not be sitting in the White House, and not just for his controversial biography either, but because of the public revelation, two years after the election campaign, of the fact that the data of 50 million Facebook users had been used by Cambridge Analytica, related to Trump's election staff.
Personal data of around 2.7 million European users of this social network might be among them, the European Commission announced, citing data provided to it by Facebook.
Beginning with May 25, 2018, when the new General Data Protection Regulation (GDPR) of the EU comes into effect, personal data of the users of this social network will be treated as any other personal property.
Although the collection of these data has been regulated by law before, the new regulation brings many new features, but also severe penalties in case of violation.

What is GDPR?
If your inbox has lately been loaded with notifications from various organizations about changes in the way they collect data, don't ignore them. Pay attention to what they say, that is, what kind of your personal data they have.
The GDPR pertains to a new legal framework which defines the manner of use of personal data of EU citizens, such as the name, personal identity number, email address, phone number, but also web browsing history and data showing not just who the person is but how to reach them as well.
In line with this document, each organization processing the data of EU citizens, and also of persons who only live within the EU borders without being its citizens, will have to comply with the new personal data protection rules.
According to the GDPR, any citizen of the European Union can ask any company why the data are being collected and can ask to have the data collected by the company deleted. It is important to emphasize that the new regulation pertains not just to organizations from the EU, but also to legal persons registered outside the Union that do business with EU residents.
The regulation also defines obligations for legal and natural persons from outside the EU. Among other things, the regulation says that companies headquartered outside the EU shall have a representative within the Union in charge of certain questions regarding data protection and, in certain cases, keep a record of personal data processing activities.
Also, all those who offer their services and goods in the territory of a member state or direct their online business towards the EU will have to implement the regulation. Those offering special services and discounts in the language of a member state or directed at EU residents will also have to comply with the new regulation.
Therefore, although the national regulation in this field has not yet been adopted, companies from Serbia doing business with EU residents need to harmonize their operations with the GDPR.
Let us also note that, as Serbia is not on the EC list of countries which implement adequate personal data protection measures, the GDPR prescribes additional protection measures if data travels from the EU to Serbia (contract clauses, codes of conduct, mandatory corporate rules).
Also, as said at the recently held Digital Day, Serbia doesn't have a certification body that would determine whether a company is operating in line with the provisions of this regulation or not.

Law on Personal Data Protection to be adopted by the end of 2018?
The GDPR was adopted in 2016 and companies have had two years to adapt to its provisions. Serbia's Law on Personal Data Protection should be adopted by the end of 2018. According to Sasa Gajin of the Center for Advanced Legal Studies, it has been approved by the EU authorities and it is up to local politicians to adopt it now.
The draft law largely matches the GDPR provisions, so companies in Serbia will need to implement nearly everything that legal and natural persons from the EU are already starting to implement regarding personal data protection, which entails many more obligations than are currently prescribed for third countries by the GDPR.