The participants agreed that the main criterion for determining whether a processing operation constitutes a transfer is whether personal data are intentionally transmitted, or otherwise made available, to controllers and/or processors in third countries.
The Commissioner clarified that a transfer, like any other processing operation, must be conducted in accordance with the principles in Article 5 of the Act and must rely on one or more of the legal bases in Article 12 of the Act. Moreover, the Commissioner emphasised that, under Article 5 of the Standard Contractual Clauses adopted by the Commissioner, Serbian controllers must perform the risk assessment regarding the security of processing required by Article 50 of the Act, and must cover within that assessment the risks that the legislation of the country to which the personal data are transferred poses to data subjects' rights. The technical and organisational measures shall then be defined, in accordance with the performed assessment, and implemented in Annexes 3 and 6 of the Standard Contractual Clauses approved by the Commissioner.
All participants agreed that guidance from the Commissioner is crucial for the successful implementation of the provisions of the Act governing transfers. The Commissioner informed the participants that he is planning to amend the Standard Contractual Clauses in connection with the provision of Article 10 thereof and to issue guidelines for the application of the Act in the case of transfers of personal data.
At the beginning of each year, the Commissioner publishes on his website a plan for conducting regular inspections, which includes the industries in which he will conduct inspections.
The Commissioner confirmed that the risk assessment under Article 50 of the Act must be performed by controllers, using a methodology of their own choosing. If controllers do not perform this risk assessment, they will not be able to define and implement organisational and technical measures that reduce the risks to personal data to an appropriate level. Moreover, the absence of a risk assessment significantly decreases the controller's chances of proving the "adequacy" of its organisational and technical measures in the event of a data breach. The absence of the risk assessment also significantly increases the amount of the fines imposed in the event of a data breach and constitutes a breach of the accountability principle.
If the risk assessment under Article 50 of the Act identifies a high risk to personal data, an assessment of the impact of the high-risk processing operations on the rights and freedoms of citizens (Data Protection Impact Assessment, DPIA) shall be carried out. In simple terms, this means that in such cases high risks to the rights and freedoms of citizens exist (item 3 of the Commissioner's Decision on the list of types of personal data processing operations for which an assessment of the impact on personal data protection must be performed and the opinion of the Commissioner for Information of Public Importance and Personal Data Protection must be sought, Official Gazette of the Republic of Serbia, no. 45/2019). A DPIA is also required in the other cases listed in that Decision.
For further explanation of the provisions on transfers, the purpose and meaning of the Commissioner's checklist, and how to perform the risk assessment of the security of processing and the DPIA, you can send an e-mail to ivan.milosevic@jpm.rs and andrea.cvetanovic@jpm.rs
We hope that the conference fulfilled the expectations of the participants, and we look forward to the new challenges of applying the Act in practice.