Personal data is any information based on which one’s identity can be determined, directly or indirectly. This includes, for example, name and surname, personal identification number, location or movement data, data from phone listings and logs, bank account number, recordings from surveillance cameras with facial recognition software, as well as any other information that point out to someone's physical, physiological, genetical, mental, economic, cultural and societal characteristics.
Term personal data processing is used for any type data usage. It includes each action conducted over personal data - collection, multiplication, sharing data to third parties, etc.… Even the simple act of inspecting data, such as those contained in medical records, is a type of personal data processing. Other examples of personal data processing are: inspection of personal ID, audio or video recording of a person (for example, made by cameras in a mall), collection of different types of personal data (personal identification number, address, employment data) for the purposes of opening a bank account or to exercise certain rights before social protection institutions, collecting data for registering for loyalty cards (cards which enable different types of discounts when shopping), taking fingerprints at the police station, logging working hours by using personalized cards…
Subjects that process personal data – natural and legal persons, business entities and state authorities – are data controllers or data processors. Data controllers determine the purpose and the way in which data is processed unless it has already been determined by relevant legislation. That can be, for example, an employer when processing data in order to establish employment, the Ministry of Interior when issuing a passport, health institutions when providing medical exams… Data processors process data for data controllers, and that role is often given to different service providers, such as marketing agencies, IT companies, enterprises that provide video surveillance services...
Your personal data is in possession of state authorities, employer, universities, banks, other numerous legal entities.
Personal data processing is not within itself illegal, but it is of great importance for the legal justification to exist and for the purpose of data processing to be clearly defined, one that does not oppose the legislation. Employers, for example, collect data such as: name and surname, address, date and place of birth, identification number, ID number, health insurance and bank account number, all for the purpose of payroll taxes, paychecks, taxes and social contributions, exercising rights during sick leave… In these cases, legal justification for processing data is the law, namely respecting data controllers’ legal obligations.
In addition, legal data processing can be conducted based on the consent of the person the data relates to. Such example is checking the “ACCEPT” box when downloading apps from Play Store. The majority fail to read the accompanying text, where we check that we agree with the terms and conditions under which a company operates or an app works. Here you can find information relating to the use of our personal data. Some of those apps, for example, may request access to the Photo Gallery, Contacts, etc.
Other possible reasons for data processing are also: the legitimate interest of data controllers or third parties (such as business interests, protection of security of persons and property, etc.); preparation for concluding or executing contracts (for example, in order to deliver the bought goods, the seller needs your address); protection of person’s vital interests (in cases when one's life needs saving), and performing activities in the public interest or within the legally prescribed powers of the data controllers (and, in this case, the public interest must be recognized in the law).The Law on Personal Data Protection prescribes that each data processing has to be LEGAL, TRANSPARENT and FAIR.
Each institution, employer, or company, is obligated to, following your request, inform you why they are using your personal data, what is the legal basis for personal data collection, whether they are sharing them with third parties, how long the data is kept, etc.
In case the data controller is in possession of your personal data, following your request, they are obligated to deliver them to you for inspection. This inspection includes reviewing, reading, listening to data recordings, etc. They are also obligated to provide you the copy of the data. Following the inspection, you have the right to ask for correction, amendment, updating, and deletion of data, as well as interruption and temporary suspension of the processing.
The data controller can also be requested to transfer personal data to other data processors, when it is technically feasible to do so, and when the legal requirements are met. For example, your bank can transfer your personal data to another bank, following your request.
The law does not provide the template for the form requesting access to personal data, issuance of a copy, correction, amendment, update, deletion of data… However, the Commissioner for Information of Public Importance and Personal Data Protection has developed two forms, that should make it easier for citizens to exercise these rights. The first refers to the situations in which citizens want to check whether data holders are in possession of their personal data, want insight into the data or a copy of it. The second form is intended to seek correction, amendment, update, deletion of data etc. Both these requests can be downloaded on the following link.
In situations when consent is the legal basis for personal data processing, you have the right to withdraw it at any given moment. Therefore, you can always ask the data controller to interrupt data processing, as well as to delete your data.
In case you are suspecting that your personal data is being processed contrary to the provisions of the law, you have the right to file a complaint to the Commissioner for Information of Public Importance and Personal Data Protection.
Aside from referring to the Commissioner, the person whose data is processed can submit a lawsuit for to protect their rights, against data controllers or data processors, whom he suspects have violated one of the rights guaranteed by the Law on Personal Data Protection, by unlawfully processing personal data. It is also possible to initiate proceedings for claiming damages due to illegal personal data processing.
For over ten years, Partners Serbia has been dealing with legal regulations in the field of personal data processing. If you suspect that your right to personal data protection has been violated, you can contact us by filling out this form.
We will review your submission and provide commentary about possible violation of your rights and refer you to different ways in which you can exercise your rights.