In this article, we will address personal data, looking not only at the legal definition but also at practical examples that will help you distinguish between what is and what is not personal data.
As you will see, what constitutes personal data and what does not depends heavily on the context.
What is Personal Data – What Does the ZZPL Say?
Article 4 of the Serbian Law on Personal Data Protection (ZZPL) defines personal data as:
Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The definition is extensive and practically adopted from the GDPR (as is a large part of the ZZPL), but colloquially, in its most essential part, it could be boiled down to the following:
Personal data is any information based on which a person can be identified, directly or indirectly.
Let us break down the most essential elements of the personal data definition from the ZZPL:
#1 Personal Data Always Relates to a Natural Person
For information to be considered personal data, it must relate to a specific natural person – an individual. This means that data belonging to legal entities is not considered personal data; thus, the ZZPL (as well as foreign laws dealing with this field) applies only to data used to identify a natural person.
In other words, data regarding companies, associations, public institutions, and the like is not considered personal data and is not subject to the ZZPL. This also includes registration numbers, tax identification numbers (PIB), addresses, and websites of legal entities.
Pay attention to sole proprietors (entrepreneurs), who are natural persons engaged in a specific business activity for profit. Although sole proprietors have a tax identification number (PIB), a registration number, a registered activity, an activity code, and other business data, they are still natural persons. Therefore, the ZZPL applies to the personal data of sole proprietors if it is processed in the manner prescribed by law.
#2 Personal Data (Can) Reveal a Person’s Identity
Personal data is any information that can lead to a person’s identity, either directly, based solely on that piece of data, or indirectly, in combination with other information.
An example of personal data that can directly reveal the identity of a natural person is the JMBG – the unique master citizen number of every citizen of the Republic of Serbia. This data is sufficient on its own to identify a natural person.
On the other hand, a first name alone is usually not enough to identify a person—in larger groups, there are often many people named Lazar. However, if I were the only one in a legal department at my company, it would be enough to say “Lazar, Legal,” and everyone would know it refers to me. In this case, the combination of name + profession would constitute personal data, as this additional information would be sufficient for other colleagues in the company to identify me, even without my full first and last name.
The same would apply to other personal characteristics – for instance, “redhead” or “bald” will often be enough to identify a person in a smaller collective, even based on that information alone, which makes it personal data.
Nowadays, traditional identification data such as first and last names, street numbers, and even birth dates are no longer the most practical for identifying natural persons, especially when used in isolation.
Technical data such as usernames on social networks, email addresses, IP addresses, and IMEI numbers of electronic devices are much more useful for identifying and tracking natural persons. Consequently, these are precisely the types of data most frequently involved in personal data breaches and other privacy violations.
This is exactly why it is crucial to emphasize that personal data can be any information that directly or indirectly identifies a natural person. What exactly will be considered personal data often depends on the context, which is why the legal definition itself is so broad.
Special Categories of Personal Data
Article 17 of the Law on Personal Data Protection (ZZPL) prohibits the processing of special categories of personal data, which may be carried out only exceptionally.
Except in cases explicitly stated in the second paragraph of the same article, the processing of data revealing the following is prohibited:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
Furthermore, except in explicitly specified cases, it is prohibited to process:
- Genetic data
- Biometric data for the purpose of uniquely identifying a natural person
- Data concerning health
- Data concerning a natural person’s sex life or sexual orientation
All the aforementioned categories of data constitute particularly sensitive information that delves deeply into the privacy of the data subjects. For this reason, the legislator allows the processing of this data only in exceptional cases, which will be discussed in a separate article.
Example: To fill a “sales representative” position, an employer cannot ask a candidate to provide information regarding their political opinions, sexual orientation, or religious and philosophical beliefs when applying for the job.
The Form of Personal Data Does Not Matter
The Law on Personal Data Protection has defined personal data very broadly (“any information”). The definition itself does not specify the form of the data; rather, information is considered personal data if it can be directly or indirectly linked to a data subject, regardless of whether it exists in physical, electronic, or any other form.
In practice, data processing agreements will often specify forms, explicitly listing various modes of transfer (written, oral, electronic, specific types of data carriers, types of business correspondence, etc.). While they do no harm, such details are not absolutely necessary.
If you overlook a particular form of information transfer, a data processing agreement will always be interpreted in accordance with its purpose and the law it references – both the ZZPL and the GDPR have defined personal data equally broadly, regardless of the form in which it exists.
Personal Data is Not the Same as Private Data (At Least Not in the ZZPL)
In everyday speech, you will often hear even professionals say “private data” (Serbian: “lični podaci”) instead of “personal data” (Serbian: “podaci o ličnosti”). Although the former sounds more natural and is easier to say, there is a difference.
Granted, the phrase “podaci o ličnosti” sounds a bit clunky in Serbian, but the legislator likely wanted to avoid the confusion that would arise from using the colloquial term “lični podaci”.
The word “lični” (private/personal/own) corresponds more to a category of ownership, in the sense of data belonging to someone. An example of the everyday use of the word “lični” would be “lični automobil” (private/own car) or “lično mišljenje” (personal/own opinion), where the adjective “lični” corresponds to “vlastiti” (one’s own) and denotes who owns the car or the opinion.
On the other hand, “podaci o ličnosti” relate to the person (the individual) itself. The purpose of the term is not to show who owns the data, but to point out who the data relates to.
From the previous example, we could hardly characterize “Lazar, Legal” as private data in the colloquial sense, yet these two words are enough to identify a person, which undoubtedly makes them personal data.
However, it is noticeable that not all legislators have taken the same stance. The GDPR uses the term “personal data”, which could be directly translated into Serbian as “lični podaci”.
Still, precision is beneficial, especially since the phrase “podaci o ličnosti” clearly refers to a legal category we will encounter infrequently in everyday language.
Conclusion
Personal data is so important that it is often called the oil of the 21st century. The processing of personal data is precisely the reason why big corporations allow us to use popular search engines, social networks, and other electronic services “for free.” Although we do not pay for the service with money, the personal data collected while we use popular applications is later (indirectly) shared with advertisers, helping them profile and target us with ads very effectively.
Therefore, it is a good thing that we have the Law on Personal Data Protection, which addresses such a major topic as the processing of personal data. The ZZPL is not perfect, but its full implementation and enforcement will contribute to the protection of personal data, and consequently, our privacy.