Data Protection in the Education Sector
BDK's senior associate Milica Basta participated in the International Symposium for Directors of Primary and Secondary Schools, organised by the publishing company Klett from Belgrade. The event took place on 27-29 February 2020 in Vrnjačka Banja, and gathered almost 400 school directors from Serbia and Montenegro.
Serbia Gets its Standard Contractual Clauses
The Serbian Commissioner for Information of Public Importance and Personal Data Protection issued on 16 January 2020 the long-awaited Standard Contractual Clauses that became applicable on 30 January 2020.
Serbian SCCs are not designed as a cross-border transfer instrument first and foremost. Rather, the clauses apply to a controller-processor relationship irrespective of where the controller and the processor operate. In line with that, Serbian SCCs follow the structure of the data processing agreement as prescribed by Article 28 of the GDPR, i.e. by the corresponding Article 45 of the Serbian DP Act (2018).
Steps towards Compliance with Serbia’s New Data Protection Act
BDK Advokati's senior associate Milica Basta participated in a conference on initial results and the most frequent dilemmas in the implementation of the new Data Protection Act. The conference, held on 27 November 2019 in Belgrade, gathered nearly 50 representatives from companies operating in the Serbian market. The agency Forum Media organised the event.
What is the Cost of a “Like”? (Case no. C-40/17 - Fashion ID)
The development and widespread use of the online social network Facebook has changed not only the dynamics of social relationships, but also - together with other online platforms and tools - the manner in which enterprises advertise their business. More and more companies are adopting new advertising strategies that focus primarily on product recognition. Given its popularity, Facebook is proving to be an ideal platform for businesses (especially online traders) to pursue such strategies with little investment - at least at first glance.
Linking online stores to content on Facebook may have unintended consequences - especially in terms of consumer protection and data protection law - as illustrated in the ECJ’s judgement in case C-40/17 of 29 July 2019.
ECJ: Storing Cookies Requires User’s Active Consent
On 1 October 2019, the European Court of Justice (the “ECJ”) handed down its long-awaited preliminary ruling on the meaning of consent regarding cookies following a request from the German Federal Court of Justice during a case between the Federation of Consumer Organisations and the lottery services provider Planet49 GmbH (Case C673/201, Planet49 GmbH v. Bundersverband der Verbraucherzentralen und Verbraucherverbaende – Verbraucherzentrale Bunderverband e.V). In a nutshell, Planet49 GmbH operated an online lottery scheme which (i) asked via a pre-ticked box for user’s consent for placing web analytics cookies and (ii) required users to provide mandatorily their consent to receiving marketing emails by third parties as a precondition for their participation in the lottery.
Advantages of Serbia’s New Data Protection Law
BDK Advokati has contributed to the Serbia chapter in the 2020 edition of Getting the Deal Through – Data Protection & Privacy (August 2019). The chapter presents the regulatory frameworks both under the data protection law from 2008 and under the law which became applicable in August 2019. The exposition of the two laws allows the reader to understand the changes which the new law brings into the legal regime governing the processing of personal data in Serbia.
The new law is modelled under the EU General Data Protection Regulation. As the Serbia chapter shows, the law dispenses with most of the unnecessary restrictions on the processing of personal data. At the same time, the law strengthens the individuals’ rights and introduces new, but realistic, requirements from the data controllers and data processors
Clarity Needed on Data Protection Compliance Audit
For the second consecutive time, CEE Legal matters organised Balkan GC Summit in Belgrade. The event gathered general counsels, compliance officers and lawyers from the region to discuss vibrant topics in the legal industry.
BDK Advokati’s partner Bogdan Ivanisevic held a presentation in which he addressed the issue of misunderstandings that often occur between companies and law firms concerning data protection compliance audits. Law firms consider such audit as a complex legal task which requires a comprehensive approach, while some companies believe it can be performed fairly quickly, or prefer a partial approach.
BDK Advokati Holds a Seminar on Data Processing in the Workplace
Milica Basta, senior associate at BDK Advokati, has held a seminar on the processing of personal data in the employment context for the representatives of Serbian companies. The event took place on 26 September 2019 in Belgrade and was hosted by Forum Media.
New Data Protection Law Discussed at the Serbian Chamber of Commerce
Bogdan Ivanisevic, partner at BDK Advokati, spoke on 23 September 2019 about Serbia’s new Data Protection Act to representatives of the leading Serbian companies. The event took place in the packed conference hall of the Serbian Chamber of Commerce. The Chamber co-organised the event with the Ministry of Justice.
Greece Enters Officially the GDPR Era by Implementing Law 4624/2019
Greek Parliament finally adopted the long-awaited New Data Protection Law 4624/2019 “on the Greek Data Protection Authority, the implementation of Regulation 2016/679 and the transposition of Directive 2016/680” (Government Gazette A/137/29.08.2019). The territorial scope of the new Law extends to Greek Public authorities, as well as private entities, which either: i. have an establishment in Greece or ii. process personal data within the territory of Greece or iii. process personal data of Greek citizens. Such new Law, structured mainly on the German Data Protection Law (DSAnpUG-EU) aims to adapt Greece's current data protection law to the General Data Protection Regulation (GDPR) by making use of opening clauses in order to complement the GDPR, to transpose the Law Enforcement Directive into Greek law and to regulate the establishment and functioning of the competent supervisory authority.
A Misguided Call to Put Serbian Data Protection Law on Hold
In the past two days, the recently appointed head of Serbian data protection supervisory authority announced one radical move and sharply criticised some provisions in Serbia’s new data protection law. The commitment and audacity of Milan Marinovic should be encouraging to those who feared that the new data protection tsar would be the exact opposite of his very vocal predecessor, Rodoljub Sabic. However, when examined on the merits, Marinovic’s statements give a reason for concern.
The main point Marinovic made in his appearance on the state-run television and in a statement to a news portal is that, in his opinion, implementation of the Data Protection Act 2018 should be postponed. The law, adopted in November last year, provided for a nine-month grace period. Therefore, the implementation of the law should commence on 21 August 2019. Marinovic is now calling for an additional one-year deferral. To strengthen his case, Marinovic made a few policy and legal arguments which are of dubious validity.
First GDPR Fines in Romania
NNDKP's head of the Data Protection practice, Roxana Ionescu, published two articles in relation to the first two fines notified by the Romanian Data Protection Authority (DPA).
In applying its first fine, the Romanian DPA has reinforced its past practice on minimising the processing of personal numeric codes (equivalent to social security numbers) while making use of new concepts under the General Data Protection Regulation, like the accountability principle and data protection by design and by default. The second fine was imposed due to a data breach.
