Rodoljub Sabic, Commissioner for Information of Public Importance and Personal Data Protection – Business people better prepared for GDPR than the state

Three weeks have passed since the EU General Data Protection Regulation (GDPR) came into effect. Although not an EU member, Serbia is also subject to it when it comes to companies doing business with EU residents.

According to Rodoljub Sabic, Commissioner for Information of Public Importance and Personal Data Protection, the biggest problem in Serbia so far has been the fact that business entities are not sure whether they are obliged to harmonize with the GDPR or not and whether they've performed the harmonization properly, leading them to ask for advice.

eKapija: At the conference held directly before the new regulation came into effect, you said that business people in Serbia were not ready for its implementation. What did you mean by that?

– To be more precise, I said that I would like for them to be better prepared for the implementation of the GDPR. Unlike the state, companies fortunately deal with this issue a bit more responsibly. Big multinational corporations and organizations are harmonizing their operations with the GDPR, which includes all their branches in any country, including Serbia. I can see that in communicating with those who address me for opinion and consultations. They will seek and find a way to harmonize their operations with the GDPR.

The question remains, however, what happens with small and medium enterprises, which are not part of big global companies, and which do business with the EU. This question shouldn't be underestimated, but the state has so far not showed any serious interest in dealing with it adequately. In April, the Commissioner's office organized a truly big and quality two-day conference dedicated to the GDPR, as well as several more conferences in cooperation with the civil sector, but that's certainly not enough. The lack of a global strategic approach definitely remains our main problem.

The new law on personal data protection, which has been “prepared” for nearly six years now, as you know, has not been adopted. The Data Protection Strategy, adopted back in 2010, is obsolete, and a pertinent action plan has never even been adopted. The state seems to be chronically oblivious as to the importance of this issue. Business entities are therefore left to their own devices, and they often don't know where to turn to for help.

eKapija: Considering that a national law on personal data protection harmonized with the GDPR has not yet been adopted, what happens if the regulation is violated, that is, if somebody files a complaint concerning a violation of the regulation's provisions?

– The regulation came into effect on May 25, 2018, and has since been implemented in all EU member states directly. The member states themselves are often uncertain when it comes to details of implementation. The practice is yet to be built. The European Data protection Board, founded by the Regulation, will certainly play an invaluable role there. The Regulation proscribes remarkably steep fines in case of violation.

eKapija: To which institution would complaints over the violation of the GDPR be filed in Serbia? To local or foreign courts?

– A person within the territory of the EU, whether a resident or not, may file a complaint to any supervisory institution for data protection, especially in a member state they are staying in, working in, or in the place of the alleged violation of the Regulation, if they believe that an instance of the processing of their personal data is in violation of the Regulation. Furthermore, the Regulation guarantees court protection against decisions of the supervisory data protection institution.

eKapija: It has been 20 days since the new regulation was implemented. What has changed in doing business since then in concrete terms? Have there been examples of violation?

– This is a question for the Ministry of Economy and other competent ministries. In order to avoid confusion, one needs to remember that Serbia is not an EU member, which means that the Regulation is not implemented directly in Serbia, so the Commissioner is not authorized to supervise the harmonization with the GDPR. But, as we've already said, the GDPR does have an impact on the operations of numerous subjects in Serbia due to a specific territorial clause.

It is not the Commissioner's formal obligation, then, but the good will and intention to help business entities in the way I've already discussed.

eKapija: In your opinion, what will be the biggest problem in the implementation of the GDPR in Serbia? How widespread is the awareness of the necessity of the protection and careful use of data in our country?

– Ignorance and lack of awareness of the importance of personal data protection rights are exacerbated by the lack of the state's approach to the question of personal data protection, that is, the failure to understand the scope and the importance of the problem.

eKapija: As you've said, your institution is not in charge of assessing the harmonization with the GDPR. Also, there is no special institution in Serbia in charge of deciding whether someone's operations are in line with the new regulation or not. Who is in charge of it?

– In Serbia – no one. Unfortunately, what I assume will happen is that a business entity in Serbia doing business with the EU, offering goods and services to persons located on the EU territory and tracking those persons' behavior, will serve as a scapegoat and pay a very high price due to not being harmonized with the GDPR.

eKapija: Have you been addressed for help by citizens and business people since the GDPR was implemented?

– A lot of them. Various business entities and their lawyers address the Commissioner every day, looking for opinions on the implementation of and the harmonization with the GDPR.

K.S.

Poverenik za informacije od javnog značaja Srbija

Ministarstvo privrede Republike Srbije

General Data Protection Regulation

GDPR

harmonization with the GDPR

personal data

Law on Personal Data Protection

Personal Data Protection Strategy

violation of the GDPR