Banking and finance dispute resolution
For the latest news and comment on banking and finance disputes.
For the latest news and comment on banking and finance disputes.
For all the latest news and comment in clinical negligence healthcare law
This collection looks at the latest news and comment on commercial contracting healthcare law. With the health and social care sector under…
For all the latest news and comment in employment and pensions healthcare law
For all the latest legal and regulatory news and comment in health technology
This collection contains DAC B eachcroft's latest report, The Route to Integrated Healthcare , which provides the first practical examples of how…
This collection looks at the latest strategic, commercial, regulatory and negligence legal and advisory news and comment in health and social care. …
For all the latest news and comment on employment and pensions law.
DAC Beachcroft Dublin specialises in insurance, professional indemnity, defendant personal injury, health, commercial litigation and employment work.…
For all the latest new and comment in tax law.
The GC Collective collection offers insight and comment for General Counsels (GCs) and in-house legal teams.
For the latest news and comment on Corporate, M&A and Equity Capital Markets.
Analysis, commentary and checklists on the legal and governance implications of Brexit on businesses operating in, and trading with, the UK
The Accountant's Liability Collection brings you topical news and insight of interest to accountants, actuaries, trustees and other financial…
Events and online training for the health and social care sector.
DAC Beachcroft's LatAm Quarterly Newsletter discusses topical news and issues in Latin America
In response to client suggestions and requests, DAC Beachcroft's insurance sector flagship publication.
For all the latest legal and regulatory news and comment in health and social care integration
For all the latest news and comment in corporate regulatory healthcare law
Find advice, commentary and thought leadership on all aspects of Director's & Officer's Insurance; from contract formation through to complex…
This collection looks at the latest news, comment and development on the law affecting mental health services. The law affecting mental health…
Our market-leading Information Law team regularly publish articles and updates addressing the ever-evolving Information Law landscape.
This collection looks at our Safety, Health and Environment Team and the products and services they can provide. In the climate of increased…
The Insurance Act 2015 comes into force in August 2016 and will represent a significant change to insurance contract law in this country. This…
Legislative changes are bringing major changes to the Insurance landscape. This collection houses DAC Beachcroft's alerts on the pertinent issues.
For all the latest news and comment in clinical regulatory healthcare law
Organisations face ever-increasing expectations from Government, regulators, customers or service users, and other stakeholders, so scrutiny and…
For all the latest legal and regulatory news and comment in healthcare estates and facilities management
This collection addresses the full spectrum of cyber security and data risk management – the zeitgeist of our age.
We have acted for clients in the majority of significant product liability cases that have been decided in the UK over the last 35 years. Our product…
Considering the future landscapes of our cities
The European General Data Protection Regulation (GDPR) came into force on 25 May 2016. A rewrite of European data protection law, the GDPR imposes…
Considering the future of housing
For the latest news and comment on public procurement law.
Welcome to the Construction Risks collection. This space is used to report upon issues of interest to those who seek to allocate, manage and reduce…
Technology, brands and intellectual capital are key assets for any successful business. Our intellectual property (IP) team are experts at helping…
Considering the future of retail
The Insurance Market Conditions and Trends report is DAC Beachcroft's insurance sector flagship publication. Now in its tenth year, the report…
The Solicitors' Risk Collection addresses issues and developments affecting legal practitioners, and the professional indemnity insurers of legal…
Published On: 1 August 2016
One of the first issues raised by insurance companies when they are confronted with the Serbian data protection regulatory framework and their obligations thereunder is the issue of legal basis for lawful collection and processing of personal data of its customers and potential customers.
In that sense the question posed by some insurance companies to the Commissionaire for information of public importance and personal data protection (the "Serbian DPA") may provide some guidance. Insurance companies approached the Serbian DPA with the question as to whether personal data of customers and potential customers could be collected and processed ex lege (i.e. without prior informed consent of a person) on the basis that the relevant data protection legislation allows such collection and processing in certain cases, or whether such collection and processing must be based upon prior informed consent of a customer.
The Serbian Law on the protection of personal data (Official Gazette of the Republic of Serbia, nos. 97/2008, 104/2009, 68/2012 and 107/2012)) (the "LDP") sets out two separate legal bases for the collection and processing of personal data. Pursuant to the LDP, collection and processing of personal data may either be: (i) based on statute; or (ii) based on the prior informed consent of the person whose data is being collected and processed i.e. the data subject.
Pursuant to the Article 12 of the LDP, statutory based collection and processing of personal data without prior informed consent of the data subject is allowed in the following circumstances:
The relationship between the insurer and insured person including the conclusion of the insurance agreement is regulated by the Serbian Law on contracts and torts (Official Gazette of the SFRY, nos. 29/78, 39/85, 45/89 and 57/89, Official Gazette of the FRY, no. 31/93 and Official Gazette of SMNE, no. 1/2003) in its Articles 897 – 965. However, the Law on contracts and torts does not regulate the scope of personal data necessary to be provided to insurer for conclusion and execution of the insurance agreement.
Taking into account the above, and while it is unambiguously prescribed by the LDP that collection and processing of personal data is allowed for the purpose of discharging duties laid down by the law, certain insurers raised the issue to the Serbian DPA whether the mere fact that insurance agreement is regulated by the Law on contracts and torts, although it does not state which data is necessary for conclusion of the insurance agreement and execution of duties thereof, provides a legal statutory basis for collection and processing of personal data.
In response to this question, the Serbian DPA issued an opinion (the "Opinion") which stated that the Law on contracts and torts is not in line with the Constitution of the Republic of Serbia and the LDP regarding the collection and processing of personal data.
Having in mind this lacuna in the Law on contracts and torts regarding the scope of the personal data necessary for conclusion and execution of the insurance agreement, the Serbian DPA stated in its Opinion that the collection and processing of personal data based solely on the Law on contacts and torts is not allowed and that collection and processing of personal data between insurers and insured persons is allowed only based on the prior informed consent of the data subject.
While the Serbian DPA is clear about the limitations of the collection and processing of personal data pursuant to the Law on contracts and torts, it is interesting that in its Opinion the Serbian DPA does not set out expressly whether the collection and processing of personal data in insurance sector is allowed in other cases set by the LDP in which prior informed consent is not required such as for the purpose of execution of an agreement concluded between the person concerned and the controller, as well as for the purpose of preparation of an agreement.
However, the search of the Central Data File Register shows that most insurers state as a legal basis for collection and processing of personal data of insured persons Law on contracts and torts, despite the opinion of the Serbian DPA and, also, Article 12 of the LDP which allows data controllers to collect and process personal data without the consent of insured person (i.e. data subject).
To the extent that an organisation processes personal data in Serbia it should examine the legal basis on which it is doing so. Based on the Opinion, strictly it should ensure that it has the prior consent of its data subjects to do so, however the practicalities of doing so, and what appears to be market practice, may mean that a careful balancing exercise will need to be undertaken.
The Opinion may be accessed here (Serbian).
Submitted by Aleksa V. Andjelkovic of Andjelkovic Law Office – Belgrade, Serbia
About the author:
Aleksa V. Andjelkovic is an attorney at law from Belgrade, Serbia and the principal in Andjelkovic Law Office. Aleksa V. Andjelkovic obtained LL.M. degree at Central European University in Budapest, Hungary and specialization degrees on the same University and on the European University Institute in Florence, Italy. Aleksa V. Andjelkovic has been acting as counsel for Serbian and international clients in areas of general corporate law, data protection, M&A, highly regulated areas of business including insurance sector, electronic communications and competition law.