The Serbian Ministry of Justice released a Data Protection Strategy Proposal for 2023-2030 and invited stakeholders to participate in public discussion.
The document sets an ambitious goal: harmonisation of data protection legislation with acquis communautaire resulting in obtaining EU decision on the adequate protection of personal data and resulting in a free flow of personal data with EU. We would be glad to participate in public discussion providing suggestions resulting from our long-term practice for the improvement of the proposal.
On June 11, 2021, the Serbian Government formed a Working Group consisting of all relevant stakeholders processing personal data in the state administration, representatives of the Commissioner, courts and prosecution office competent for data protection matters with the task to draft a Data Protection Strategy Proposal for 2023-2030 and Action Plan for Strategy implementation. The Ministry of Justice, a competent state body for proposing public policies in the field of data protection released Data Protection Strategy Proposal for 2023-2030 (Proposal) on March 15, 2023.
It is the first time during 25 years of application of data protection in Serbia that such an ambitious goal in some public document is proclaimed – to harmonise data protection legislation with acquis communautaire and to receive verification by EU – to be recognised as the country with adequate protection of personal data.
I Reference and Connection with other Documents
The Proposal makes a reference to:
- existing applicable Serbian public policies important for the development of data protection such as public policy for the development of artificial intelligence, development of information security and information society, promotion of digital skills, prevention of violence against women and violence in the family, consumers’ protection, promotion of the position of persons with disabilities, integral governance at borders. The Proposal explains the connection and applicability of data protection in these areas;
- European integration processes and framework by which the European Union assesses the progress of EU membership candidates in the field of data protections such as: the International Covenant on Civil and Political Rights, UN Convention on the Rights of the Child, General Data Protection Regulation, Police Directive, the Council of Europe Convention 108, European Convention for the Protection of Human Rights and Elementary Freedoms;
- the applicable Serbian regulations governing data protection enforcement and sectorial laws subject to the protection of personal data.
II Goals to Be Achieved and Measures to Achieve the Goals
The common goal to be achieved: is respect for the right to protection of personal data in all segments of life.
The common goal is to be achieved by achieving the indicator of effects of the Strategy – EU Commission Decision on Adequate Protection of Personal Data;
and by achieving the following three specific goals of the Strategy:
- Promoted functional mechanisms for the protection of personal data;
- Promotion of conscience on the importance of protection of personal data and manners for the accomplishment of the rights;
- Improved system of protection of personal data in regard to the development and implementation of information communication technologies in digitalisation processes.
A) Promoted functional mechanisms for the protection of personal data.
This goal is to be achieved by achieving two indicators of effects: i) enabled transfer of personal data between EU and Serbia without administrative burdens; ii) the possibility to submit a complaint related to breach of data protection rights and to track the flow of complaints electronically
This goal shall be achieved by the following measures:
Measure 1 – to be coordinated by the Ministry of Justice
- Amendment of the Law on Personal Data;
- Amendment of Law on Misdemeanours applying solution, which is applied in case of Commission for Protection of Competition, i.e., authorising the Commissioner to impose fines in the range as defined in GDPR;
- Improved Criminal Code;
- Harmonisation of sectorial laws with the Law on Personal Data
Measure 2 – to be implemented by the Commissioner
- Opening of the new offices of the Commissioner in Nis, Novi Sad and Kragujevac (3);
- Increased number of qualified DPOs in state bodies (300);
Measure 3 – to be implemented by the Commissioner
- Increased number of natural persons who completed specialised education programme at university engaged by controllers and processors (3000);
- Increased number of controllers and processors which communicated DPO contact details to the supervisory authority DPO (12000);
- Number of controllers and processors which adopted internal documents (3000);
- Number of controllers and processors which established register of processing activities (15000);
- Increased number of foreign controllers and processed which have appointed representative in Serbia (100);
- Increased number of resolved files (complaints, misdemeanour, criminal) – 100%.
B) Promotion of conscience on the importance of protection of personal data and manner for the accomplishment of the rights.
This goal is to be achieved by achieving the indicator of effects – an increased number of visitors to the Commissioner’s website, communication through call centres and sending e-mails, complaints, etc. (50,000 per year).
Measure 1 – to be implemented by the Ministry of Education
- Increased number of subjects in education plans and programmes containing data protection topics and digital privacy (5);
- Increased number of teachers trained for teaching data protection matters (2,000);
- Increased number of subjects at universities containing data protection topics and digital privacy (20);
- Increased number of students acquiring education in the field of data protection (50, 000)
Measure 2 – to be implemented by the National Administration Academy
- Number of accredited educational programmes covering thematic topic of data protection (5);
- Number of trained personnel in state administration in the data protection (1, 000);
Measure 3 – to be implemented by the Judiciary Academy
- Number of training programmes covering thematic topic of data protection (2);
- Number of trained judges and public prosecutors trained for data protection matters (1, 000).
Measure 4 – to be implemented by the Commissioner
- Number of seminars and campaigns in the field of data protection (100);
- Number of attendants at seminars and campaigns in the field of data protection (5, 000);
- Number of specialised publications in the field of data protection (50).
C) Improved system of protection of personal data in regard to the development and implementation of information communication technologies in digitalisation processes.
This goal is to be achieved by achieving two indicators of effects: i) drafting guidelines for carrying out Data Protection Impact Assessment (DPIA); ii) a percentage of software solutions for which DPIA carried out in accordance with guidelines for carrying out DPIA.
Measure 1 – to be implemented by the Office for Information Technology and eGovernment
- Adoption of laws governing automated processing of genetic, biometric and personal data processed by usage of video and audio surveillance (2023-24)
Measure 2 – to be implemented by the Commissioner
- Number of state bodies and legal entities engaged in processing of genetic/biometric data (10);
- Number of natural persons specialised for processing of genetic/biometric data (50);
- Number of state bodies and legal entities engaged in processing of personal data processed by usage of video and audio surveillance (30);
- Number of state bodies and legal entities engaged in processing of personal data processed by usage of video and audio surveillance (30).
III Implementation of the Goals and Measures and Monitoring
The Ministry of Justice is responsible for the implementation of the Strategy and the Action Plan.
Monitoring of the implementation of measures and activities will be defined by the Action Plan and shall be carried out by the Working Group. The Working group will be formed by the Ministry of Justice within 90 days of the adoption of the Strategy and will be consisted of all relevant stakeholders processing personal data in the state administration, representatives of the Commissioner, courts and prosecution office competent for data protection matters.
All tasks of the Working Group will be defined by the decision of the Ministry of Justice.
The Working Group is obliged to provide annual reports which will be published by the Ministry of Justice.
To measure the effects of the Strategy, the Ministry of Justice will organise three post-analysis – one at the end of 3rd year of implementation of the measures, the second in 2028 and the third one in 2030.