The Draft Law on Personal Data Protection, which was the subject of contention between Rodoljub Sabic, the Commissioner for Information of Public Importance and Personal Data Protection, and the Work Group for the preparation of the draft law for months, has been greenlit by the European Commission and Eurojustice. Their suggestions have been implemented in the draft law, which has been available on the website of the Ministry of Justice since Tuesday. The law is now to be reviewed by the ministries and then sent to the Government and, finally, put before the National Assembly.
– The suggestions of the EC and Eurojustice were technical in character and we have complied with them. The biggest set of suggestions pertained to changing the terms. For example, they asked us to put “legitimate interest” instead of “justified interest”. This proves that the draft law we prepared after the public discussion meets EU standards – says professor Sasa Gajin, a member of the Work Group.
The Law is harmonized with the new General Data Protection Regulation (GDPR), which prescribes draconian measures for those who mishandle or in any way misuse others' personal data. Whereas penalties in the EU go up to EUR 2 million, the new Serbian law limits them to RSD 2 million, while also prescribing penalties of 5,000 to 500,000 dinars.
The right to erasure, that is, the right to be forgotten, is also implemented. A person can ask for the data on them to be erased if they are no longer necessary for the realization of the purpose for which they were collected, if the person has revoked their consent to the processing of the said data, if the data has been processed in violation of the law...
Another new provision pertains to the citizen's consent to the processing of personal data, which can be given in person. The draft law forbids the processing of personal data revealing someone's race or ethnicity, political opinions, religious or philosophical beliefs or union membership, as well as the processing of genetic and biometric data for the purpose of identifying data on a person's health, sex life or sexual orientation, except in previously defined situations.
Databases can't go online
Stricter technical and other measures of protection are prescribed as well. Only those personal data that are necessary for the realization of a certain purpose of the processing may be collected. Personal data may not be available to an unlimited number of people, as was the case before, when they could be found online and when databases were so poorly protected that they could be accessed by amateur hackers.