PERSONAL DATA PROTECTION

Transcription

1 PERSONAL DATA PROTECTION

2 Protection of Personal Data and Relevant European Legislation (1) 1. Guidelines for the Regulation of Computerized Personal Data Files adopted by General Assembly resolution 45/95 of 14 December 1990; 2. Organization for Economic Cooperation and Development (OECD): Recommendation of the Council concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, adopted by the council on 23 September 1980; 3. European Convention for the Protection of Human Rights and Fundamental Freedoms, Article 8; 4. Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Strasbourg, 28 January 1981) - Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows (Strasbourg, 8 November 2001);

3 Protection of Personal Data and Relevant European Legislation (2) 5. Treaty on the Functioning of the European Union, Article 16; 6. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; 7. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector; 8. Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC;

4 Protection of Personal Data and Relevant European Legislation (3) 9. Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws; 10. Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters; 11. Charter of Fundamental Rights of the EU of 7 December 2000

5 Regulations of the Republic of Serbia Constitution of the Republic of Serbia ( Official Gazette of RS, no. 98/06); Law on Personal Data Protection ( Official Gazette of RS, no. 97/08, 104/09 oth. law, 68/12 UC and 107/12); Law Confirming the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ( Official Gazette of FRY International Agreements, no. 1/92, Official Gazette of SMNE International Agreements, no. 11/05 and Official Gazette of RS International Agreements no. 98/08 oth. law and 12/10); Law Confirming the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows ( Official Gazette of RS International Agreements no. 98/08); Strategy on Personal Data Protection ( Official Gazette of RS, no. 58/10).

6 Laws of Importance for the Protection of Personal Data Law on the General Administrative Procedure; Misdemeanour Law; Law on Administrative Disputes; Law on the Free Access to Information of Public Importance; Law on Data Secrecy; Law on Police; Law on Healthcare Protection; Labour Law; Law on Electronic Communications; Criminal Procedure Code; Law on Banks; Other laws.

7 Bylaws Adopted Pursuant to the Law on Personal Data Protection Decree on the Form for and Manner of Keeping Records of Personal Data Processing ( Official Gazette of RS, no. 50/09); Bylaw on the Manner of Prior Verification of Personal Data Processing Actions ( Official Gazette of RS, no. 35/09); Rulebook on the Form of ID for Persons Authorized to Undertake Supervision as per the Law on Personal Data Protection ( Official Gazette of RS, no. 35/09); Acts of the Commissioner for Information of Public Importance and Protection of Personal Data on Staffing Available Workplaces in the Professional Service of the Commissioner and the work of the Professional Service. The preparation of the text of the Provision on the Method of Archival and Measures of Protection for Particularly Sensitive Personal Data is under way, to be adopted by the Government with the previously obtained opinion by the Commissioner and the Action plan for the Implementation of the Strategy for Personal Data Protection, adopted by the Government.

8 Institutional Framework Commissioner for Information of Public Importance and Personal Data Protection (deputy Commissioner for Personal Data Protection, persons authorized for supervision, professional service of the Commissioner); Ministry of Justice and Public Administration (drafting of regulations); Data controllers (public authorities, natural persons and legal entities), data processors and data users.

9 Activities of the Commissioner in the Field of Personal Data Protection Executed 184 prior checks of data processing activities, with irregularities found in 118 cases; Executed 365 supervisions, with 223 violations of law found in 103 cases; Adopted 67 warnings regarding irregularities in processing; Ordered 14 measures; Submitted a proposal to the Constitutional Court for the assessment of Article 286 of the Criminal Procedure Code; Submitted 35 requests for initiating misdemeanour proceedings and one case of criminal charges; Acted on 174 appeals; Undertaken entry into the Central Registry of 303 handlers and 1,575 records on collections of personal data; Acted on 12 requests for the transmission of personal data outside the Republic of Serbia.

10 Administrative Capacities Commissioner, Deputy Commissioner, professional service with 46 employees, Supervision Sector with 12 employees; Department for Normative Affairs in the Judiciary at the Ministry of Justice and Public Administration; Internal organizational units, i.e. individual employees in public administration bodies.

11 Harmonization of Laws with the Relevant European Legislation (1) The Law on Personal Data Protection is Partially harmonized. Harmonization needs to be ensured with regards to: Precisely defining some of the fundamental terms; Territorial jurisdiction of the law; Precise definition of fundamental principles; Precise definition of provisions on particularly sensitive data, conditions for their processing and method for processing; Providing data for use to another controller or user; Data processing for the purposes of media, artistic or literary expression; Contracting of processing operations; Precisely defining the authorizations of the Commissioner; Transfer of data outside the Republic of Serbia.

12 Harmonization of Laws with the Relevant European Legislation (2) Other laws and bylaws A large number of laws need to be harmonized with the provision of Article 42 of the Constitution, envisaging that the collection, processing and use of data needs to be regulated by the law, provisions of the Law on Personal Data Protection and international standards.

13 Criminal Prosecution, Judicial Cooperation and Protection of Personal Data (1) The right to respect for the private and family life, home and correspondence may be limited under the criminal procedure pursuant to the Constitution and the Criminal Procedure Code; Provisions on the protection of personal data in automatic databases also relate to personal data kept in records in the criminal field; The rights regarding personal data protection (right to information and right of access) may be limited for the prevention, discovery, investigation and criminal prosecution of criminal offences pursuant to the Law on Personal Data Protection and the Criminal Procedure Code;

14 Criminal Prosecution, Judicial Cooperation and Protection of Personal Data (2) In regards to data already collected, and after a decision on not using these data for criminal prosecution, Article 163 of the Criminal Procedure Code envisages that the judge shall adopt a decision as per the previous procedure on the destruction of materials collected using special evidentiary activities, including personal data, unless the public prosecutor initiates criminal proceedings within 6 months of the date of being introduced to the materials, or states they will not use it in the proceedings. There is a possibility of notifying the person against whom such special activities were implemented on such a decision if their identity was determined during the implementation of the activity, and if this would not jeopardize the possibility of holding criminal proceedings; The competence of the Commissioner includes supervision over the protection of personal data in the field of criminal law and supervision over the transfer of personal data in judicial cooperation.

15 JUDGMENTS OF THE EUROPEAN COURT OF JUSTICE (1) 1. Judgment of the Court of 20 May 2003 in Joined Cases C-465/00, C-138/01 and C- 139/01, Rechnungshof; 2. Judgment of the Court of 6 November 2003 in Case C -101/01 OJ C 7, Bodil Lindqvist; 3. Judgment of the Court (Grand Chamber) of 30 May 2006, Joined Cases C 317/04 OJ 228, and C-318/04 OJ C 228 passenger data records; 4. Judgment of the Court of 16 December 2008 in Case C-524/06 OJ 44 - Huber general processing of personal data and concept of necessity; 5. Judgment of the Court of 16 December 2008 in Case C-73/07 OJ c 44- Satakunnan processing and flow of tax data of a personal nature;

16 JUDGMENTS OF THE EUROPEAN COURT OF JUSTICE (2) 6. Judgment of the Court of 9 March 2010 in Case C-518/07 OJ C 113 independence of national supervisory authorities; The Law on Personal Data Protection is harmonized with this Judgment, envisaging that personal data protection activities shall be performed by the Commissioner for Information of Public Importance and Personal Data Protection, as a separate state authority, independent in executing its competence 7. Judgment of the Court of 7 May 2009 in Case C- 553/07 OJ C 153- Rijkeboer; 8. Judgment of the Court of 9 November 2010 in Case C- 92/09 OJ C 317 и C 93/09 - Volker und Markus Schecke. 9. Judgment of the Court of 9 March 2010 European Commission vs. Germany 10. Judgment of the Court of 16 October 2012 European Commission vs. Austria

17 European Commission Decisions (1) 1. ARGENTINA Commission Decision C (2003) 1731 of 30 June L 168; 2. CANADA Commission Decision 2002/2/EC of 20 December L 2 on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act; 3. SWITZERLAND Commission Decision 2000/518/EC of 26 July 2000 L 215; 4. UNITED STATES OF AMERICA Safe Harbor Commission Decision 2000/520/EC of 26 July L 215; 5. GUERNSEY Commission Decision 2003/821/EC of 21 November 2003, on the adequate protection of personal data L 308; 6. ISLE OF MAN Commission Decision 2004/411/EC of 28 April 2004 on the adequate protection of personal data L 151;

18 European Commission Decisions (2) 7. JERSEY Commission Decision оf 8 May 2008 on the adequate protection of personal data L 138; 8. FAROE ISLANDS Commission Decision оf 5 March 2010 on the adequate protection of personal data L 58; 9. ANDORRA Commission Decision оf 19 October 2010 on the adequate protection of personal data L 227. Article 53 of the Law on Personal Data Protection envisages that personal data can be transferred from the Republic of Serbia to a state party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as to other country or international organization, if they provide a level of protection equivalent to that envisaged by the Convention, with the permission of the Commissioner..

19 Model of the Contract for the Transfer of Personal Data to Third Countries 1. Commission Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries L 181; 2. Commission Decision 2004/915/EC of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries L 358; 3. Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC L 39. Article 53 of the Law on Personal Data Protection envisages that personal data can be transferred from the Republic of Serbia to a state party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as to other country or international organization, if they provide a level of protection equivalent to that envisaged by the Convention, with the permission of the Commissioner.

20 Personal Data Protection in European Institutions and the European Data Protection Supervisor 1. Regulation (EC) 45/2001 of the European Parliament and of the Council of 18 December2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data L 8; 2. Decision No 1247/2002/EC of the European Parliament, of the Council and of the Commission of 1 July 2002 on the regulations and general conditions governing the performance of the European Data-protection Supervisor's duties L 183; /55/EC: Decision of the European Parliament and of the Council of 22 December 2003 appointing the independent supervisory body provided for in Article 286 of the EC Treaty (European Data Protection Supervisor) L 12. Applicable as of the date of accession of the Republic of Serbia to the European Union

21 Future Activities Amendments to the Law on Personal Data Protection, and/or the adoption of a new law; Harmonization of sectoral laws; Adoption of laws in areas currently unregulated. Having in mind the number of relevant international documents, as well as the sensitivity of the issue, the time limit for the final adoption of the above law should be a mid-term period of at most two years.

22 REPUBLIC OF SERBIA The Negotiating Team for Accession of the Republic of Serbia to the European Union THANK YOU FOR YOUR ATTENTION QUESTIONS