Return the constitutional provision to the Law on Personal Data Protection


Legal restriction enabling the police, information agencies or private companies to enter the privacy of citizens only when it is prescribed by law has been deleted from the Bill of the Law on Personal Data Protection. The Bill was adopted by the Government of Serbia at its session on 24 September and it is currently in the parliamentary procedure.

Following Article 23 of the new European General Data Protection Regulation – GDPR, Article 40 of the Draft which was an object of public debate since 1 December 2017, explicitly stipulated that the citizens’ rights related to insight, deletion, change and other measures of control over the processing of their data ‘may be restricted by law’ in cases such as: protection of national security, defense, public safety, rights and freedoms of others, etc.

However, the obligation of such restriction being prescribed by law was deleted from the Bill submitted to the Parliament for adoption. This would practically mean that state bodies or private companies processing personal data of citizens may restrict the rights of citizens arbitrarily and without any explicit legal authorization.

Wording which makes everyone processing personal data of citizens obligated to act in line with law is not a phrase which can be omitted because the obligations of processors are implied. On the contrary, a random restriction of rights can be prevented only by an explicit provision of the law which strictly defines when processor may restrict the rights of citizens.

This obligation is also a part of Article 42 of the Constitution of the Republic of Serbia, stating that collecting, keeping, processing and using personal data is regulated by law (paragraph 2), as well as that ‘everyone shall have the right to be informed about personal data collected about them, in accordance with the law, and the right to court protection in case of their abuse’ (paragraph 4).

We wish to remind that this is not the first time that our legal system includes a solution contrary to constitutional provisions. Namely, on 30 May 2012, at the proposal of the Commissioner for Information of Public Importance and Personal Data Protection, the Constitutional Court passed a decision determining that parts of Articles 12, 13, and 14 of the current Law on Protection of Personal Data are not compliant with the Constitution of the Republic of Serbia because they enable restricting the rights of citizens based on ‘another regulation’. Having in mind Article 42 of the Constitution, the Constitutional Court concluded that only ‘law can regulate collecting, keeping, processing and using of data’, therefore any option of regulating this field based on ‘another regulation’ is unconstitutional.

Such decision of the Constitutional Court suggests that the new definition of Article 40 of the Bill could face the same fate, too.

Since the restrictions from the Bill are in fact copied from the GDPR, it is important to understand the intention of the European legislator. Namely, the new regulatory framework primarily enabled the EU member states to, in their own regulations specify restrictions when it comes to the rights of citizens which certainly does not mean that such restrictions are necessary. For example, the overview of laws of the EU member states implementing the GDPR showed that some of them, such as Germany, Austria, Sweden or Croatia either do not have any specific articles referring to restrictions of citizens’ rights or these restrictions are narrowly defined.

The laws on personal data protection in Germany and Austria contain restrictions only in parts referring to data processing for police and defense purposes, purposes of criminal acts investigations, conducting criminal sanctions and similar, whereas the Law on Implementation of the General Data Protection Regulation in Croatia, does not contain articles referring to restrictions of the rights of citizens. Legislators in Sweden left a possibility of passing additional laws to prescribe restrictions of the rights of citizens in the context of Article 23 of the GDPR.

We have been waiting for the new Law on Protection of Personal Data, to be adopted for quite long, because it is supposed to ensure new rights to citizens, such as the right to correction, addition, deletion, restriction of processing and portability of data, just like in the General Data Protection Regulation – GDPR.

Key objections to the Draft during the public debate referred precisely to the structure and wording of the proposed text of the Law, which copied provisions from the European regulation without connection with domestic legal system. In spite of a great criticism coming from experts, civil society organizations and the Commissioner for Information of Public Importance and Personal Data Protection, most objections were not adopted.

Since the Bill has already been submitted for adoption, SHARE Foundation urges the members to use amendment of the Parliament to return to the initial wording of Article 40.

Find more on citizens’ rights guaranteed by a new legislative framework in our Guidebook My data – my rights.