Personal data is any information based on which one’s identity can be determined, directly or indirectly. This includes, for example, name and surname, personal identification number, location or movement data, data from phone listings and logs, bank account number, recordings from surveillance cameras with facial recognition software, as well as any other information that point out to someone's physical, physiological, genetical, mental, economic, cultural and societal characteristics.

Term personal data processing is used for any type data usage. It includes each action conducted over personal data - collection, multiplication, sharing data to third parties, etc.… Even the simple act of inspecting data, such as those contained in medical records, is a type of personal data processing. Other examples of personal data processing are: inspection of personal ID, audio or video recording of a person (for example, made by cameras in a mall), collection of different types of personal data (personal identification number, address, employment data) for the purposes of opening a bank account or to exercise certain rights before social protection institutions, collecting data for registering for loyalty cards (cards which enable different types of discounts when shopping), taking fingerprints at the police station, logging working hours by using personalized cards…

It is considered that the processing of personal data is legal if it is performed in accordance with the Law on Personal Data Protection, as well as other laws that regulate the field of personal data processing. In reality, this means that controllers and processors are obliged to harmonize their activities with the provisions of the Law on Personal Data Protection, prior to initiating any processing.

According to the Law on Personal Data Protection, in cases when consent is required for data processing, the controller is obliged to provide basic information about themselves, and to provide the data subject with information related to the processing of data, purpose of said processing, type of data collected, legal basis for processing; with whom the controller potentially shares the data (locally or internationally); period in which personal data will be kept, rights of persons regarding data processing, as well as on whether data processing implies automated data processing and profiling.

The controller is obliged to present this information to the data subject prior to seeking consent for data processing. When it comes to various websites and apps, this information is most often found within the privacy policy of the website/app. After the person has had the opportunity to get acquainted with the privacy policy (or some other online document) they can choose whether to give their consent to the processing of data. Consent is often given by checking the accept option (during the first access to the website, or after downloading the app) and thus confirm they agree to the terms of use of the app/website. 

At the same time, the Law on Personal Data Protection states that the data subject may withdraw their consent at any given time. This means that you can always contact the controller and ask them to stop processing your data. They are obliged to simplify the consent withdrawal procedure, i.e. not make it more complex than the procedure for giving consent. 

It is important to emphasize that the withdrawal of a given consent usually entails some consequences, especially when it comes to the processing of personal data for commercial purposes, for the provision of various "free" services. 

For example, after withdrawing your consent, you will not be able to continue using the downloaded mobile app, or the advanced features provided by some websites. This most often happens when downloading free apps, which are, in reality, “paid” by providing access to our data.

If you suspect that your personal data is being processed illegally, you can contact the controller with a request to provide you with information regarding the processing of your personal data. 

Acting upon your request, the controller is obliged to provide you in a clear and comprehensible manner all information related to the processing of your data (what types of data is processed, for what purposes, time frame for keeping the data, whether third parties have insight into the data, etc.), within 15 days, and if they fail to do so, the data subject can contact the Commissioner for Information of Public Importance and Personal Data Protection and file a complaint. In case the controller responds to the request and it turns out that the conditions for legal processing of personal data have not been met (i.e. personal data is no longer relevant achieve the purpose for which it was collected), the data subject can ask the controller to delete data, in accordance with the Article 30 of the Law on Personal Data Protection. 

In addition to contacting the Commissioner, you can file a lawsuit to protect your rights (this lawsuit is filed to a higher court), against a controller/processor who considered to have violated the data subject’s rights and failed to act in accordance with the Law on Personal Data Protection. One can also initiate a procedure to claim for damages due to illegal processing of personal data. 

Likewise, if the processing of personal data is based on the consent given to the controller, the data subject can withdraw the consent at any given time.

Since the implementation of the new Law on Personal Data Protection, you may have noticed that various apps, websites, as well as enterprises, have been sending you notifications about new or improved privacy policies they want you to get acquainted with. 

This is a consequence of the novelties brought by the European Union General Data Protection Regulation (GDPR), which were later taken over by our Law on Personal Data Protection. These novelties primarily refer to the data subjects’ rights, and the controller is required, among other things, to make data processing transparent. This means they are obliged to inform data subjects, clearly and simply, about the processing of their personal data, prior to undertaking data processing activities. They do this by updating or a privacy policy. The list of information that needs to be available to data subjects can be found in Articles 22 and 23 of the Law, and they may vary depending on whether the controller is the one who collects data directly from the data subject, or the data is collected from a third party. It is important to point out that the data subject must have access to information about their rights regarding data processing, including information on available protection mechanisms. All this information must be presented in an easy-to-read manner, making it understandable to the average reader.

The answer to this question depends on several factors. As a rule, controllers and processors are obliged to keep records of personal data processing activities, in writing, which includes electronic form. These records must be kept permanently.

However, this obligation shall not apply to enterprises and organizations with less than 250 employees, unless:

• The processing they perform may pose a high risk to the rights and freedoms of the data subjects.
• The processing is not occasional.
• The processing includes special types of personal data or personal data relating to criminal convictions, criminal offenses, and safety measures.

Personal data breach is the breach of the security of personal data which results in an accidental or unlawful destruction, loss, editing, unauthorized disclosure, or access to personal data that has been transmitted, stored or otherwise processed. Violation of personal data can be, for example, intrusion into computer system (hack) or loss of computer containing personal data, unintentional publication of database, etc. 

The controller is obliged to inform the Commissioner about the violation of personal data which may pose a risk to rights and freedoms of natural persons without undue delay, or, if possible, within 72 hours of becoming aware about the violation. 

If the data breach can cause a high less risk to the rights and freedoms of natural persons, the controller is obliged to notify the data subject about the breach, without any undue delay.

In case of non-compliance with the provisions of the Law, a fine of 50.000 to 2.000.000 RSD may be imposed on the controller/processor with the status of a legal entity, and the responsible person with a fine of 5.000 to 150.000 RSD. 

A fine of 5.000 to 150.000 RSD may also be imposed on a natural person who does not keep personal data as a professional secret, and who became aware of the said data while performing their duties. 

Article 146 of the Criminal Code provides for the criminal offense of Unauthorized Collection of Personal Data, with possible fine or imprisonment of up to one year. If the criminal offense was committed by an official, while performing their duties, they shall be punished by imprisonment for a term between three months and three years. 

Unlike the domestic legislation, the fines/penalties provided by the European Union General Data Protection Regulation (GDPR) are significantly higher and can amount to up to 20 million Euros or 4% of global annual revenue.