Sadržaj/Table of Contents
1. Independent status
Supervisory Body
Article 73
To protect the fundamental rights and freedoms of natural persons in relation to processing, the Commissioner, as an independent public authority, performs the tasks related to monitoring the application of this Law in compliance with the prescribed authorizations.
The Commissioner has a deputy for personal data protection.
The provisions of the law regulating free access to information of public importance apply to the seat of the Commissioner, the election of the Commissioner and Deputy Commissioner, termination of their term, the procedure of their removal, their position, and expert service of the Commissioner, as well as to financing and reporting, unless this Law specifies otherwise.
Independence
Article 74
In exercising their powers and performing the tasks per this Law, the Commissioner acts completely independently, is free from any external influence, whether direct or indirect, and neither seeks nor takes orders from anybody.
The Commissioner can not pursue any other commercial activity or engage in any other occupation, whether gainful or not, and can not perform any other public function, exercise any other public authorization, or be politically active.
To ensure the effective exercise of the legally prescribed powers, the necessary financial means and premises for work, as well as the necessary technical, organizational and staff-related conditions for the Commissioner’s work, will be provided in compliance with the law regulating the budget and the laws regulating public administration and the position of public officers.
The Commissioner independently selects staff among candidates who fulfill the legally prescribed requirements for work with public authorities and will be subject to the Comissioner’s exclusive independent direction. The State Audit Institution controls expenditures on the means for the Commissioner’s work, in compliance with the law, in a manner that does not impact the Commissioner’s independence.
Conditions for Election of Commissioner
Article 75
In addition to the conditions for the election of the Commissioner prescribed by the law regulating free access to information of public importance, the Commissioner must possess the required expertise and experience in personal data protection.
Duty of Professional Secrecy
Article 76
The Commissioner, deputy Commissioner and staff of the Commissioner are subject to the duty of professional secrecy concerning any confidential information that has come to their knowledge in the course of the exercise of their function or the performance of their tasks, including any data relating to the infringement of this Law reported to them by the persons not employed with the Commissioner. The obligation referred to in paragraph 1 of this Article remains both during and after the term of office of the Commissioner or deputy Commissioner and/or termination of employment of staff of the Commissioner.
2. Competencies of the Commissioner
General Competence
Article 77
The Commissioner exercises their powers in compliance with this Law on the territory of the Republic of Serbia.
In exercising its powers, the Commissioner acts in compliance with the law regulating the general administrative procedure, as well as with mutatis mutandis application of the law regulating inspection supervision, unless this Law specifies otherwise.
The Commissioner is not competent to supervise personal data processing operations courts perform in exercising their judicial powers.
Tasks of the Commissioner
Article 78
The Commissioner shall:
1) supervise and ensure the application of this Law in compliance with their powers;
2) take care of the promotion of public awareness of the risks, rules, safeguards and rights relating to processing, in particular, if it is a case of processing of data on an underage person;
3) provide an opinion to the National Assembly, Government, other public authorities and organizations, in compliance with the regulations, on the statutory and other measures relating to the protection of rights and freedoms of natural persons regarding processing;
4) take care of the promotion of the awareness of controllers and processors of their obligations prescribed by this Law;
5) at the request of the data subject, provide information on their rights laid down by this Law;
6) handle complaints of the data subjects, determine whether or not there has been an infringement of this Law, and inform the complainant of the progress and the outcomes of the proceeding conducted by them in compliance with Article 82 of this Law;
7) cooperate with supervisory authorities of other states regarding the protection of personal data, in particular in the exchange of information and in providing mutual legal assistance;
8) perform inspection supervision over the application of this Law, in compliance with this Law and by mutatis mutandis application of the law regulating inspection supervision, and file motions to initiate misdemeanor proceedings if they determine infringements of this Law, in compliance with the law regulating misdemeanors;
9) monitor the development of information and communication technology, as well as business and other practices of significance for the protection of personal data;
10) draw up standard contractual clauses referred to in Article 45, paragraph 11 of this Law;
11) draw up and make public the lists referred to in Article 54, paragraph 5 of this Law;
12) provide opinion in writing as referred to in Article 55, paragraph 4 of this Law;
13) maintain records of the data protection officers referred to in Article 56, paragraph 11 of this Law;
14) encourage drawing up of the codes of conduct pursuant to Article 59, paragraph 1 of this Law and provide opinions and consents to the codes of conduct in compliance with Article 59, paragraph 5 of this Law;
15) carry out the tasks pursuant to Article 60 of this Law;
16) encourage issuing of certificates of the protection of personal data and of relevant seals and marks in compliance with Article 61, paragraph 1 and prescribe criteria for certification in compliance with Article 61, paragraph 5 of this Law;
17) carry out periodical reviews of certificates in compliance with Article 61, paragraph 8 of this Law;
18) prescribe and publish criteria for accreditation of a certification body and carry out the tasks in compliance with Article 62 of this Law;
19) authorize provisions of a contract or an agreement referred to in Article 65, paragraph 3 of this Law;
20) approve binding corporate rules in compliance with Article 67 of this Law;
21) maintain internal records of infringements of this Law and of measures taken in carrying out of inspection supervision in compliance with Article 79, paragraph 2 of this Law;
22) carry out other tasks specified by this Law.
The Commissioner carries out the supervision tasks referred to in paragraph 1, items 1) and 8) of this Article through authorized persons from the Commissioner’s expert service.
The records referred to in paragraph 1, item 21) of this Article include: data on controllers or processors who have infringed this Law (their name and surname or the name, domicile, residence, or seat), information on infringements of this Law (descriptions of infringements and Articles of the Law that has been breached), information on measures taken and information on actions of the controllers or processors taken in compliance with the measures ordered.
The Commissioner prescribes the form of the records referred to in paragraph 3 of this Article and the method of keeping it.
In order to simplify the submission of a complaint, the Commissioner prescribes a complaint form and enables its submission electronically, without excluding other means of communication.
The Commissioner carries out their tasks free of charge for the data subject and the data protection officer.
In cases where a complaint submitted to the Commissioner is clearly unfounded, excessive, or overly repetitive, the Commissioner may charge a fee for the necessary costs or refuse to act on such a complaint, stating the reasons proving that it is an unfounded, excessive, or overly repetitive request.
Inspection and Other Powers
Article 79
The Commissioner has the powers to:
1) order the controller and the processor, and, if applicable, their representatives, to provide all pieces of information that he/she requires in exercising his/her powers;
2) check and assess the application of legal provisions and otherwise carry out supervision over the protection of personal data by using his/her inspection powers;
3) verify compliance with the requirements for certification in compliance with Article 61, paragraph 8 of this Law;
4) notify the controller and/or the processor of potential infringements of this Law;
5) request and obtain from the controller access to all pieces of personal data, as well as to information necessary for exercising his/her powers;
6) request and obtain access to all the premises of the controllers and the processors, including access to all the means and equipment.
The Commissioner is authorized to take the following corrective measures:
1) to issue warnings to a controller and to a processor through delivery of a written opinion that intended processing operations may infringe provisions of this Law in compliance with Article 55, paragraph 4 of this Law;
2) to issue reprimands to a controller and/or to a processor if processing operations have infringed provisions of this Law;
3) to order the controller and the processor to comply with the data subject’s requests to exercise his or her rights, in compliance with this Law;
4) to order the controller and the processor to bring processing operations into compliance with the provisions of this Law, in a precisely specified manner and within a precisely specified time limit;
5) to order the controller to inform the data subject of a breach of personal data;
6) to impose a temporary or definitive limitation on processing operations, including a ban on processing;
7) to order rectification and /or erasure of personal data or to limit the performance of processing operations in compliance with Articles 29 through 32 of this Law, as well as to order the controller to notify another controller, the data subject and the recipients to which the personal data has been disclosed or transmitted thereof, in compliance with Article 30, paragraph 3 and Articles 33 and 34 of this Law;
8) to withdraw a certificate or to order the certification body to withdraw a certificate issued pursuant to Articles 61 and 62, as well as to order the certification body to refuse to issue a certificate if the requirements for issuing thereof are not met;
9) to impose a fine based on a misdemeanor order, if it is determined in the course of an inspection supervision that a misdemeanor has been committed for which a fine of a fixed amount is prescribed by this Law, instead of other measures prescribed by this paragraph or in addition thereto, depending on the circumstances of each individual case;
10) to suspend the transfer of personal data to a recipient in another country or to an international organization.
The Commissioner additionally has the powers to:
1) draw up the standard contractual clauses referred to in Article 45, paragraph 11;
2) provide opinion to the controller in the procedures of prior obtaining of opinions from the Commissioner, in compliance with Article 55 of this Law;
3) provide an opinion to the National Assembly, Government, other public authorities and organizations, on his/her own initiative or at their request, as well as to the public, on all the issues relating to the protection of personal data;
4) register and publish codes of conduct, which he/she has previously approved, in compliance with Article 59, paragraph 5 of this Law;
5) issue certificates and prescribe criteria for certificate issuing, in compliance with Article 61, paragraph 5 of this Law;
6) prescribe criteria for accreditation in compliance with Article 62 of this Law;
7) authorize contractual provisions and/or provisions to be entered into an agreement, in compliance with Article 65, paragraph 3 of this Law;
8) authorize the binding corporate rules in compliance with Article 67 of this Law.
The control of acts of the Commissioner adopted based on this Article are performed by the court, in compliance with the law.
In exercising their powers, the Commissioner may initiate a proceeding before a court or another authority in compliance with the law.
Reporting of Infringements of the Law
Article 80
The competent authority carrying out processing for special purposes is obliged to ensure that effective mechanisms for confidential reporting of cases of infringements of this Law to the Commissioner are applied.
Reporting
Article 81
The Commissioner is obliged to draw up annual reports on his/her activities, which include information on the types of infringements of this Law and the measures taken regarding these infringements, as well as submit them to the National Assembly.
The report referred to in paragraph 1 of this paragraph will additionally be delivered to the Government and made available for inspection to the public in an appropriate manner.