Enhancing Personal Data Protection through Decentralization: A Case Study of Nis, Serbia

Let's begin with the end! In other words, we shall begin with the conclusion, where we first reflect on the relationship between two seemingly unrelated topics, but we will connect them based on one common point, which is the City of Niš, Serbia. In the following, we will merge the topic of decentralization with the topic of personal data protection and how one can influence the other.

The detailed analysis of personal data protection practices within the City of Niš reveals significant challenges and inconsistencies in complying with legal obligations. These challenges highlight the need for a systemic and strategic approach to improve data protection measures.

Connecting decentralization with data protection at a local level offers a framework to address these issues effectively. Decentralization, by promoting local autonomy and closer governance to citizens, can enhance the implementation of data protection laws like the GDPR. Local self-government units, such as the City of Niš, can tailor their data protection policies to meet the specific needs and contexts of their communities, ensuring that personal data is handled responsibly and transparently.

The principles of subsidiarity and local governance allow for more responsive and accountable data protection practices. Local authorities can engage more effectively with stakeholders, including citizens, businesses, and civil society, to foster a culture of data protection awareness and compliance. By decentralizing the responsibility and resources for data protection, local governments can ensure that personal data is safeguarded in a manner that aligns with both national and international legal standards, such as the GDPR.

Implementing the recommendations outlined in the following analysis, with a focus on local context and needs, aims not only to enhance the protection of personal data but also to reinforce the trust of citizens in their local government. Through a decentralized approach, the City of Niš can set a precedent for other local self-governments in Serbia, demonstrating how robust data protection measures can be achieved at the local level, ultimately contributing to the overall security and privacy of personal data across the nation.

BRIEF INTRODUCTION TO THE LEGAL FIELD OF PERSONAL DATA PROTECTION

This legal field is relatively young, but given that it recently experienced a revolution in Europe and in our country, we feel we are just at the beginning of something called "Personal Data Protection Law," a new branch of law, with its legislative framework, international acts, and unique institutes.

This field must be viewed from three perspectives:

  • The perspective of the individual whose data is being processed;
  • The perspective of companies, i.e., the owners of personal data databases;
  • The perspective of the state, as the most extensive data processor.

For every individual, personal data is their FREEDOM. For an individual, personal freedoms are extremely important, whether they are aware of their significance or not. With the advancement of technology, our data is increasingly being misused, taken out of the country, and ending up in the possession of third parties or legal entities. Individuals must have security in knowing which of their data is being processed, when, how, under what conditions, and what happens with that data afterward, who uses it, and for what purposes. Many other freedoms are based on the control of our personal data. For example, we exercise our voting rights directly through identification, but in many situations, identification is not mandatory, yet it is still required of us.

For companies, personal data is the new OIL. One of the greatest resources for a company is its databases. New regulations raise the question of the validity and thus the security of these databases for legal entities (companies). If a state authority has the power to order us to delete databases previously declared unlawfully collected, there is a risk that our market advantage could be erased in an instant. Many companies base their market value on the databases they own. Many companies are bought and sold because of these databases. Imagine a company that markets all its products and services through a mailing list and email marketing (newsletter). Then imagine that this company receives a decision ordering the deletion of such a database because it was not collected lawfully. In this case, it is much more expensive to pay on the bridge rather than on the pier.

For the state, personal data is CONTROL. The state tends to achieve control over the territory and population, in terms of managing information. Control involves security and the simplicity of carrying out public functions. The state maintains many public records, and then with the help of these public records, conducts many public legal proceedings. State authorities must always have access to information concerning citizens to fulfill all state obligations. The eternal question remains as to how much information and in what place is sufficient for a function to be performed satisfactorily.

As you can see, the area of personal data protection is significant to all actors in these private-law and public-law relations. We are all affected by these issues, but still, not enough of us are dealing with them.

For the purposes of this proposal, we will focus on state authorities, specifically, those operating in the territory of the City of Niš.

When we talk about the normative or legal regulation of this area in the Republic of Serbia, personal data protection is primarily guaranteed by Article 42 of the Constitution of the Republic of Serbia from 2006, while the collection, holding, processing, and use of personal data are regulated by law. When we say by law, we refer to the Law on Personal Data Protection (hereinafter: LPDP), which brings many innovations to this area, i.e., branch of law.

In general terms, new legislative solutions from 2019 prohibit and penalize the use of personal data beyond the purpose for which they were collected, in accordance with the law, except for the purposes of conducting criminal proceedings or protecting the security of the Republic of Serbia, as prescribed by law. Everyone has the right to be informed about the collected data concerning their person, in accordance with the law, and the right to judicial protection due to their misuse. The authority for oversight of its application is given to the Commissioner for Information of Public Importance and Personal Data Protection.

Considering the obligations of the Republic of Serbia undertaken in the process of European integration in the area of harmonizing the national legal framework with the legal framework of the European Union, and the fact that the existing Law on Personal Data Protection was outdated and could not keep pace with changes conditioned by technological development, the Republic of Serbia adopted a new Law on Personal Data Protection (LPDP) in 2018, which largely relies on the General Data Protection Regulation (GDPR) adopted in the European Union, and has been in practice since August 22, 2019.

LEGAL REGULATION, COMPETENCES, AND OBLIGATIONS OF LOCAL SELF-GOVERNMENT UNITS BASED ON SERBIAN LAW ON PERSONAL DATA PROTECTION

If we consider data protection a special branch of law, then its principles, as in any branch of law, are its most important rules.

In young branches of law that are not extensively regulated by laws and by-laws, general principles will be used more frequently. Each individual situation that is not described by law or by-laws is viewed through the prism of general principles, and a solution is sought that will satisfy all principles. Therefore, principles in the area of personal data protection play a special role, considering that in this area the legislator decided to break with the legal tradition in Serbia and prepare a completely new legal act that regulates this area from scratch. The decision was to adopt the LPDP in line with GDPR, which is also an act written to emphasize principles, where the primary obligation is to respect the principles. It is not clearly prescribed how to behave in certain situations; it is only clear that in all these situations the controller must strive to comply with these principles.

Article 5 of the LPDP highlights the following principles: the principle of legality, the principle of fairness, the principle of transparency, the principle of purpose limitation, the principle of data minimization, the principle of storage limitation, and the principle of integrity and confidentiality.

As highlighted in the first practical manual in this area, principles represent a logical system and sequence, communicate with each other, and within this chapter, we will study these principles.

In addition to principles, the Law on Personal Data Protection defines the obligations of data controllers and processors where a "controller" is a natural or legal person, or a public authority that alone or jointly with others determines the purpose and means of processing, while a "processor" is a natural or legal person, or a public authority that processes personal data on behalf of the controller. A "public authority" is a state authority, a body of territorial autonomy and local self-government, a public enterprise, an institution, and other public services, organizations, and other legal or natural persons that exercise public powers. Accordingly, the law does not foresee special rules for the processing and protection of data by local self-government units, but defines them generally as public authorities to which all provisions of the law apply, which they must implement in practice.

The Law on Personal Data Protection prescribes numerous obligations for data controllers, and depending on whether the obligations apply to all or only specific controllers, we can divide them into general and special obligations. General obligations apply to all controllers, regardless of the specifics of the controller, as is the case with public authorities, and regardless of the volume of processing or the number of employees of the controller as an employer. Some controllers have special obligations due to either the type of controller, the data being processed, or the way it is processed.

General Obligations:

  1. Application of all data processing principles: the principle of legality (lawfulness, fairness, and transparency), the principle of purpose limitation, the principle of data minimization, the principle of data accuracy, the principle of storage limitation, the principle of data security, the principle of accountability (Art. 5)
  2. Responding to requests (Art. 21-22)
  3. Notification of processing (Art. 23-24)
  4. Exercising the rights of the individual (Art. 26-40)

Special Obligations:

  1. Contractual relationship with the processor (Art. 45)
  2. Record-keeping of processing activities (Art. 47)
  3. Logging of processing activities by competent authorities for special purposes (Art. 48)
  4. Notification of a data protection breach (Art. 52-53)
  5. Data protection impact assessment (Art. 54-55)
  6. Data protection officer (Art. 56-58)
  7. Code of conduct (Art. 59)
  8. Special obligations regarding the transfer of personal data to other countries and international organizations

Therefore, numerous obligations for controllers can significantly impact the daily operations of local self-governments, both organizationally and in terms of personnel and financial resources. Local self-governments process data in two different categories:

  1. Primarily, data of citizens, i.e., users of their services;
  2. Secondarily, data of their employees.

Given all the above, it is of utmost importance to adequately implement the "new" provisions and establish practices and standards for the protection of personal data, with the most important obligations being:

  1. Appointing a data protection officer
  2. Publishing the contact details of the data protection officer
  3. Providing the Commissioner with the contact details of the data protection officer
  4. Implementing appropriate internal acts on data protection
  5. Maintaining records of personal data processing activities
  6. Implementing appropriate security measures when processing personal data
  7. Conducting a data protection impact assessment and obtaining the Commissioner's opinion if necessary
  8. Recording every data breach, including the facts about the breach, its consequences, and measures taken to rectify it
  9. Notifying the Commissioner of data breaches that may pose a risk to the rights and freedoms of individuals within 72 hours
  10. Complying with specific rights and obligations when transferring personal data to another country or international organization
  11. Complying with specific rights and obligations when processing special categories of personal data
  12. Appointing processors to process personal data on behalf of controllers and regulating the relationship by contract or other legally binding act

From all the above, it can be concluded that local self-governments have numerous obligations regarding this "new" area, especially with the adoption of new solutions from 2018 and 2019. Local self-governments, as data controllers, are expected and required to approach the implementation of the solutions prescribed by the Law with a complex systemic, as well as organizational and systematic approach. Additionally, as obligated entities under the Law on Free Access to Information of Public Importance, local self-governments often find themselves in situations where they must assess which of the two rights is more significant: the right to personal data protection or free access to information, which is often not an easy task, as practice has shown and numerous focus groups conducted by the proposer of this proposal have established. Therefore, this is also more precisely defined by the Law on Personal Data Protection, which stipulates that information of public importance containing personal data may be made available to the requester by public authorities in a manner that ensures that the right of the public to know and the right to personal data protection can be realized together, to the extent prescribed by the law regulating free access to information of public importance and this law.

CHALLENGES IN PERSONAL DATA PROTECTION AT THE CITY LEVEL OF NIŠ AS A LOCAL SELF-GOVERNMENT UNIT

The City of Niš, as the third largest city in the Republic of Serbia, is a complex system comprised of 5 city municipalities (which do not have the status of local self-government units but only city municipalities), as well as numerous institutions, public enterprises, organizations, and other legal entities that fall into the category of public authorities. For the purposes of this text, all the mentioned legal entities are obliged to comply with all provisions defined by the Law on Personal Data Protection. The number of these provisions is extremely large, and some of them represent very complex and complicated processes and procedures that must be implemented and respected. In the following, only some general provisions of these categories of procedures will be listed.

Additionally, even for the Commissioner's office for Information of Public Importance and Personal Data Protection (which has its regional office in Niš), it is difficult to create a sufficiently precise catalog of public authorities to which the provisions of the Law on Free Access to Information of Public Importance and the Law on Personal Data Protection apply.

According to this Catalog of Public Authorities, last updated at the beginning of 2024, there are over 250 different public authorities recorded in the City of Niš. Of course, a large number of them are public authorities under the jurisdiction of the Republic of Serbia (central authorities), i.e., legal entities from the fields of education, health, justice, economy, etc., so for the purposes of this text, only the public authorities directly under the jurisdiction of the City of Niš as a local self-government unit have been considered. However, such public authorities are still not few, with the number exceeding 125 public authorities, so for the purposes of this text, the largest and most significant public authorities under the jurisdiction of the City of Niš as a local self-government unit, which process the largest amount of personal data of citizens, were selected, including: the City Administration (all accompanying administrations), public institutions, and public enterprises, totaling 45 public authorities, whose complete list is given in Annex 1 of this document.

The analysis of publicly available information from selected public authorities, which are under the jurisdiction of the City of Niš as a local self-government unit and obliged to comply with the Law on Personal Data Protection, initially showed that there are numerous omissions and/or deficiencies related to the transparency of their work in this area.

The internet presentations of the analyzed public authorities are mostly outdated and rarely updated with new information needed by citizens. They do not provide the public with enough necessary information about their work in this area or do not provide it at all, and even when information is publicly available, it is not easy to find due to the way internet presentations or official websites are organized and designed.

In such a situation, the analysis of how the selected public authorities under the jurisdiction of the City of Niš as a local self-government unit fulfill their obligations defined by the Law on Personal Data Protection was very difficult, and it is possible that the real situation is not exactly as presented here based on publicly available information. What significantly helped in this analysis was the work of the local civil society organization Pravilaw (read Pravilo), which deals with the issue of the implementation of the Law on Personal Data Protection at the local and regional levels. Recently, based on the Law on Free Access to Information of Public Importance, they requested data on the implementation of the Law on Personal Data Protection from public authorities, based on which, with the support of the European Union, the Otisak platform was created, offering citizens of the Republic of Serbia a unique opportunity to check how secure and protected their personal data is when left to a public authority. The Otisak platform was used for a comparative analysis of publicly available information in the area of implementing obligations defined by the Law on Personal Data Protection by selected public authorities under the jurisdiction of the City of Niš as a local self-government unit, as it was shown that many of them at least partially comply with the obligations, but unfortunately, the data about it is not publicly available.

The general conclusion after the analysis is that in this area among local public authorities at the level of the City of Niš as a local self-government unit, there is a significant degree of inconsistency, both in fulfilling obligations in implementing the Law on Personal Data Protection and in publicly available information on this topic. Information and the real situation differ from one public authority to another, even though they are all under the jurisdiction of the same local self-government unit, the City of Niš, and apply the same Law on Personal Data Protection. Unfortunately, among public authorities at the level of the City of Niš as a local self-government unit, the situation is similar with the implementation of the Law on Free Access to Information of Public Importance, which should ensure their transparency in work and make information about it easily and simply accessible to citizens. Although it is the legal obligation of all public authorities to publish Information on their work, this is unfortunately not the practice of all local public authorities analyzed, at least according to publicly available information. It also happens in practice that the Information on Work is made but is only published in the Unified Information System of Information on Work led by the Commissioner's office for Information of Public Importance and Personal Data Protection and not on the internet presentation of the local public authority that created the information on their work. Conversely, it happens that the Information on Work is published on the internet presentation of the public authority but not in the Unified Information System of Information on Work.
Although the Information on Work of public authorities should be unified, i.e., equally made in accordance with the Instruction for the Preparation and Publication of Information on Work of Public Authorities, in practice, they often do not provide equal and/or all necessary information about their work and are not regularly updated as they should be, within a maximum of 30 days from the day of any change. Thus, in some cases, all necessary data on the appointed data protection officer is fully published, but sometimes only the name of the person without contact details, or there is no information at all about whether such a person has been appointed, although it is a legal obligation of the public authority. Unfortunately, according to publicly available information, the fact that the Information on Work does not contain data on the appointed data protection officer does not necessarily mean that such a person has not been appointed.

The situation in fulfilling the obligations in implementing the Law on Personal Data Protection and publicly available information on this matter is also very different depending on what specific form of public authority under the jurisdiction of the City of Niš as a local self-government unit is in question, whether it is a public administration body, public institution, or public enterprise. Even among the same forms of public authorities under the jurisdiction of the City of Niš as a local self-government unit, there are significant differences, even though they all apply the same Law on Personal Data Protection. For example, all City Administrations of the City of Niš on their internet presentations have clearly and visibly highlighted the appointed data protection officers with appropriate contact details, while in the Information on Work such information exists for some administrations and not for others, and they do not have internal acts on data protection. On the other hand, for the Mayor of Niš, the City Council of Niš, and the Assembly of Niš, this is not the case, and according to publicly available information, it cannot be concluded whether such persons have been appointed or whether internal acts on data protection exist, and there is no information about it in the Information on Work.
In City municipalities, the situation is even more diverse, so according to publicly available information, the City Municipality of Crveni Krst does not have either an appointed data protection officer or internal acts on data protection, the City Municipality of Medijana should have only an appointed data protection officer but no information about him, the City Municipality of Pantelej should have both internal acts on data protection and an appointed data protection officer but without publicly available information about it, the City Municipality of Palilula has only an appointed data protection officer whose name and surname appear only in the Information on Work and nowhere else, while the City Municipality of Niška Banja should have both an internal act and an appointed data protection officer, but without publicly available information about it.

The situation among public institutions of the City of Niš as public authorities is also very diverse when it comes to implementing the Law on Personal Data Protection and publicly available information on this matter. Of the total 17 public authorities from this category that were analyzed, for as many as 10 there is no publicly available information on whether they have internal acts and appointed data protection officers, which of course does not mean that they do not have them and do not implement their legal obligations. The National Theatre Niš does not have an internal act but has an appointed data protection officer, but they have published a form on their internet presentation with which the information about the appointed data protection officer is provided to the Commissioner's office for Information of Public Importance and Personal Data Protection, which is not even adequately filled out. In it, instead of the official contact details of the appointed data protection officer, their private contact details are published! In such a situation, to say the least, it is questionable how much the appointed data protection officer can fulfill legal obligations when they have not even protected their personal data. The data protection officer is appointed based on their professional qualifications, especially professional knowledge and experience in the field of personal data protection, as well as the ability to fulfill the obligations from Article 58 of the Law on Personal Data Protection. The Niš Symphony Orchestra and the Historical Archive of Niš should have internal acts on personal data protection, but these documents are not publicly available, and they do not have an appointed data protection officer, although they have created internal acts. The National Museum Niš should only have an appointed data protection officer, but there is no publicly available information about him, while the National Library Stevan Sremac has only an appointed data protection officer whose name and surname are published only in the Information on Work but without contact details, and this is the assistant director, a graduate sociologist. The Public Preschool Institution Pčelica, the Children's Cultural Center Niš, and the Pharmacy Institution Niš should have both internal acts and appointed data protection officers, but information about this is not publicly available on their internet presentations. Only the Center for Social Work Sveti Sava Niš certainly has both an internal act and an appointed data protection officer because they are publicly available on their internet presentation with all necessary contact details.

The situation among public enterprises of the City of Niš as public authorities regarding the implementation of the Law on Personal Data Protection and publicly available information on this matter is not better compared to public institutions. Of the 13 public enterprises analyzed, for as many as 5 there is no publicly available information on this matter. The JKP for market services Tržnica should have an appointed data protection officer but not an internal act, and there is no information about the officer on their internet presentation. The City Housing Agency should have an internal act on personal data protection which is not publicly available and does not have an appointed data protection officer. The JKP Gorica should have both an internal act and an appointed data protection officer, but none of this is available on their internet presentation. The JKP Public Transport Directorate of the City of Niš should have an internal act on personal data protection which is not publicly available and has an appointed officer published on their internet presentation but without any contact details. The JKP Unified Collection has an internal act on personal data protection available on their internet presentation, as well as an appointed officer, but without contact details. The JKP Parking Service has an internal act on personal data protection available on their internet presentation, as well as an appointed officer, but without contact details, and these two things are not even in the same category of available information. The JKP City Heating Plant and JKP Mediana should have both internal acts and appointed data protection officers, but only information about the officers is publicly available along with contact details.

At the end of this overview of the current situation (for the period 2021-2024) in the implementation of the Law on Personal Data Protection and publicly available information on this matter among public authorities under the jurisdiction of the City of Niš as a local self-government unit, related to the appointment of officers, publication of contact details of the officers, and adoption of internal acts on personal data protection, it should be noted that not all public authorities are REQUIRED to have appointed officers and internal acts for personal data protection but MAY have them.

The controller and processor of personal data are REQUIRED to appoint a data protection officer in the following situations:

  1. Processing is carried out by a public authority, except if it is processing conducted by a court in the performance of its judicial powers;
  2. The core activities of the controller or processor consist of processing operations that by their nature, scope, or purposes require regular and systematic monitoring of data subjects on a large scale;
  3. The core activities of the controller or processor consist of processing special categories of personal data as per Article 17, paragraph 1, or personal data relating to criminal convictions and offenses as per Article 19 of this law, on a large scale.

Considering this fact, it is very possible that some of the analyzed public authorities under the jurisdiction of the City of Niš as a local self-government unit that do not have appointed officers and internal acts for personal data protection are not required to have them because they do not meet the legally required conditions (which are certainly not concise on this matter), but based on publicly available information, it was impossible to adequately assess this for all. However, for example, it is expected that among public enterprises as public authorities under the jurisdiction of the City of Niš as a local self-government unit, there are those that should be required to have internal acts and appointed data protection officers because they process a large number of individuals' data in their daily operations, such as the JKP for water supply and sewerage Naissus or the JP for housing services Nišstan. The same probably applies to at least some public institutions as public authorities under the jurisdiction of the City of Niš as a local self-government unit, such as the National University Niš, the Center for Providing Services in the Field of Social Protection Mara, and the Safe House for Women and Children Victims of Domestic Violence, the last two public institutions probably processing special categories of personal data, e.g., about the health status of individuals who are users of their services, which would additionally require them to fulfill obligations defined by the Law on Personal Data Protection in such cases.

In addition to appointing officers, publishing contact details of the officers, and adopting internal acts on personal data protection, public authorities are required to fulfill many other obligations defined by law, as previously mentioned. However, there is no publicly available data on how much these obligations are indeed being fulfilled, even if they are defined in internal acts on personal data protection by those public authorities under the jurisdiction of the City of Niš as a local self-government unit that have adopted such acts. For example, it cannot be verified whether the contact details of the appointed data protection officers, of those public authorities under the jurisdiction of the City of Niš as a local self-government unit that have appointed them, have indeed been submitted to the Commissioner's office for Information of Public Importance and Personal Data Protection, because the unified record of this is not publicly available. It is also impossible to determine from publicly available information whether the analyzed public authorities maintain records of personal data processing activities, whether they indeed implement appropriate security measures during data processing even if they have defined internal acts on data protection that determine this. The same applies to the obligation to record every data breach, including the facts about the breach, its consequences, and measures taken to rectify it, as well as the data protection impact assessment and obtaining the Commissioner's opinion if necessary. It is also difficult to verify whether the determination of processors to process personal data on behalf of controllers and the regulation of this relationship by contract or other legally binding act is implemented in practice based on publicly available information.

It must be emphasized that it is very possible that the public authorities under the jurisdiction of the City of Niš as a local self-government unit indeed fulfill all their legal obligations in this area in practice, but unfortunately, the Law on Personal Data Protection does not foresee the legal obligation to submit regular annual reports on this to the Commissioner's office for Information of Public Importance and Personal Data Protection, as is the case with the Law on Free Access to Information of Public Importance. Therefore, in general, there is little publicly available information on how public authorities practically implement their obligations defined by the Law on Personal Data Protection, and from publicly available information, it can be concluded that they generally do not keep a systematic and systematized record of this. A particular problem is that some public authorities refuse to be transparent and provide information about this even upon requests for free access to information of public importance, which can be concluded from the information available on the already mentioned internet platform for checking the security and protection of personal data Otisak.

RECOMMENDATIONS FOR IMPROVING PERSONAL DATA PROTECTION AT THE CITY LEVEL OF NIŠ AS A LOCAL SELF-GOVERNMENT UNIT

The analysis of the current situation regarding the implementation of the Law on Personal Data Protection in the City of Niš showed that there are significant problems, and to improve the current situation on this matter, it is necessary to implement the following recommendations in practice, noting that not all recommendations apply to all public authorities:

  • Form a special working group composed of representatives of all forms of public authorities (administrations, enterprises, and institutions) that would conduct a detailed analysis of the implementation of obligations defined in the Law on Personal Data Protection by all public authorities under the jurisdiction of the City of Niš as a local self-government unit.
  • Provide City subsidies for compliance with the law, aimed both at public authorities in the form of additional budget increases for these needs, as well as at small and medium enterprises, as an incentive for the local economy to alleviate bureaucratic burdens on the private sector, which should be the primary driver of the local economy – the city's readiness to stimulate local economic development and raise the level of protection of constitutionally guaranteed citizens' rights in the city and city municipalities.
  • For all public authorities under the jurisdiction of the City of Niš as a local self-government unit, conduct a self-check of the fulfillment of obligations and risks defined in the Law on Personal Data Protection in accordance with the Checklist for Controllers developed by the Commissioner's office for Information of Public Importance and Personal Data Protection.
  • For public authorities that do not have appointed officers and adopted internal acts on personal data protection, clearly determine whether they are required to have them in consultation with the Commissioner's office for Information of Public Importance and Personal Data Protection.
  • For public authorities required to appoint officers and adopt internal acts on personal data protection and have not yet done so, fulfill these obligations as soon as possible in accordance with the Law on Personal Data Protection.
  • Update existing and/or adopt new internal acts defining the rights, obligations, and division of responsibilities of employees regarding personal data protection, as well as other relevant aspects of personal data protection.
  • Inform all employees about the adopted standards and policies of personal data protection within all public administration bodies under the jurisdiction of the City of Niš as a local self-government unit.
  • For appointed data protection officers, open separate email accounts and special mobile or landline numbers in accordance with the recommendations of the Commissioner's office for Information of Public Importance and Personal Data Protection.
  • Update all Information on Work published by public authorities with information about appointed data protection officers and their official contact details, email accounts, and phone numbers.
  • Conduct training for appointed data protection officers on fulfilling obligations defined in the Law on Personal Data Protection in cooperation with the Commissioner's office for Information of Public Importance and Personal Data Protection.
  • Establish and regularly update records of personal data processing activities in all public authorities under the jurisdiction of the City of Niš as a local self-government unit in accordance with obligations defined in the Law on Personal Data Protection.
  • Delete all data for which there is no legal basis for processing (or ensure a legal basis for their processing), which are no longer necessary for the purpose of data processing by public authorities or for which the storage period has expired.
  • Clearly determine retention periods for data in all public administration bodies under the jurisdiction of the City of Niš as a local self-government unit for those data for which this is not prescribed by law or previously determined.
  • Develop and regularly update internal procedures for exercising the rights of individuals based on the Law on Personal Data Protection in all public authorities under the jurisdiction of the City of Niš as a local self-government unit.
  • Recognize the need to improve capacities in the field of personal data protection to an adequate extent in the annual budgets of all public authorities under the jurisdiction of the City of Niš as a local self-government unit and allocate appropriate financial resources for this.
  • Constantly work on improving personal data protection measures and increasing the security of information and communication systems in which they are stored, as well as on improving procedures for accessing and processing personal data.
  • Increase general transparency and visibility of the implementation of obligations defined in the Law on Personal Data Protection by public authorities and make the results of their activities in this area available to the public.
  • Update the internet presentations of all public authorities so that the public can quickly and easily find information about appointed data protection officers and their contact details, without wandering and wasting time.
  • Update the internet presentations of all public authorities so that they must have a special section for documents of public significance and publish all internal acts on personal data protection there.
  • Update the internet presentations of all public authorities so that documents made available to the public are clearly and precisely named so that everyone can quickly and easily find the document they need.

Based on the conducted analysis, it can be concluded that the public authorities under the jurisdiction of the City of Niš as a local self-government unit are aware of the existence of a legal framework for personal data protection, which is no longer so new since it has been applied for more than five years, but they have not sufficiently fulfilled their legal obligations in the field of personal data protection, nor do they have enough capacities to implement the Law on Personal Data Protection. Although it could be assumed that the City of Niš, as one of the most developed local self-government units in the Republic of Serbia, should have higher standards of personal data protection, based on the data collected in this research, such a conclusion could not be reached, unfortunately.

However, there is a visible awareness among local decision-makers that it is necessary to improve the implementation of obligations defined in the Law on Personal Data Protection by all public authorities under the jurisdiction of the City of Niš as a local self-government unit. Namely, in mid-December last year, the Commissioner for Information of Public Importance and Personal Data Protection paid an official visit to the City of Niš, and the reason for the visit was an agreement on planning and implementing the opening of the Commissioner's office, as already exists, for example, in Novi Sad, because this is in the interest of all public authorities under the jurisdiction of the City of Niš as a local self-government unit, the Commissioner's office for Information of Public Importance and Personal Data Protection, and especially the citizens of the City of Niš.

By implementing the recommendations resulting from this conducted analysis in practice, new information and ways to further improve personal data protection in the local community will certainly be obtained, so that citizens can be assured that their personal data is safe and cannot be (mis)used. Unfortunately, in Niš, there was one of the biggest breaches of the Law and misuse of personal data of thousands of citizens for political purposes in the analyzed period (2021-2024), where neither procedural nor fundamental justice has been satisfied to this day, thus emphasizing that the hygiene of privacy and the security of citizens at the local level must be raised to the highest possible level prescribed by applicable laws.

ANNEX 1

List of public authorities whose implementation of the Law on Personal Data Protection was analyzed

City Administration of Niš:

  • Mayor of Niš
  • City Council of Niš
  • City Assembly of Niš
  • City Administration for City Bodies and Civil Status
  • City Administration for Communal Affairs and Inspection
  • City Administration for Property and Sustainable Development
  • City Administration for Construction
  • City Administration for Finance
  • City Administration for Social Affairs
  • City Municipality Crveni Krst
  • City Municipality Medijana
  • City Municipality Pantelej
  • City Municipality Palilula
  • City Municipality Niška Banja

Public Institutions of Niš:

  • National University Niš
  • National Theatre Niš
  • Puppet Theatre Niš
  • Niš Cultural Center
  • Niš Symphony Orchestra
  • Gallery of Contemporary Fine Art
  • National Museum Niš
  • National Library Stevan Sremac
  • Historical Archive Niš
  • Institute for the Protection of Cultural Monuments Niš
  • Sports Center Čair
  • Regional Center for Professional Development of Employees in Education
  • Public Preschool Institution Pčelica Niš
  • Children's Cultural Center Niš
  • Center for Providing Services in the Field of Social Protection Mara Niš
  • Safe House for Women and Children Victims of Domestic Violence
  • Center for Social Work Sveti Sava Niš
  • Pharmacy Institution Niš

Public Enterprises of Niš:

  • JKP City Heating Plant
  • JKP Mediana
  • JKP Gorica
  • JKP for Water Supply and Sewerage Naissus
  • JKP Unified Collection
  • JKP Parking Service
  • JKP Public Transport Directorate of the City of Niš
  • JKP for Market Services Tržnica
  • JP City Housing Agency
  • JP Directorate for Construction of the City of Niš
  • JP for Housing Services Nišstan
  • JP Institute for Urban Planning
  • Tourist Organization Niš

Ala Uddin

4 months

Fair assessment connects sensitive topics. Thought-provoking take; let's constructively explore solutions. Tadija Mitic
