Commissioner for Information of Public Importance and Personal Data Protection is addressing the public, on occasion of the news about the forwarding of the data held by telecom operators’ clients to the Credit Bureau, asking for comment and opinions of a large number of media representatives and citizens.
In this regard, the Commissioner informs the public that his position on the intended data processing is already known and that the said position was communicated to the telecom operators late last year.
The Constitution of the Republic of Serbia guarantees personal data protection under Article 42, and stipulates that collecting, keeping, processing and using of personal data shall be regulated by law. The law provides that any processing of personal data requires legal grounds. The legal grounds for personal data processing can be the authority contained in a law or the consent of the data subject.
Processing of personal data in the Credit Bureau is not regulated by law; therefore, there is no liability of the telecom operators to forward the data on their customers to the Credit Bureau in order to assess their creditworthiness. Since there are no legal grounds for processing in the law, the legal grounds can only be the data subject’s consent.
In order for the consent to be considered a valid legal ground for personal data processing, the statement of consent must meet certain conditions. First, the statement of consent must be freely given, i.e. it should not be given under threat, fraud, duress or mistake. It must be specific, i.e. given for a clearly defined purpose and informed, which means that the person giving the consent has to know who the data controller is, the kind of data it processes, for what purpose, and how the data will be used, data storage duration, etc. The manner of informing data subjects about the processing must be clear, understandable and unambiguous so that a person who is a complete layman, and unfamiliar with the data controller’s remit, can understand everything of importance for deciding whether to agree to the processing of his/her personal data. The information must be provided directly to the person whose data is being processed. Referral by the operator that data processing conditions are publicly available (on a bulletin board, on the Internet, etc.) is not enough.
Finally, and relating to the particular case and regardless of it, the Commissioner reiterates his position that (taking into account the type, scope and number of personal data which are normally processed in the Credit Bureau, and the very large number of persons whose data are processed, and at the same time taking into account the purpose of processing data in it (check of the solvency of persons who would like to take a loan and borrow from banks, leasing companies, fraud prevention, etc.), the legitimate interests of different economic entities to perform such processing, as well as the broader social interest) personal data processing in the Credit Bureau would have to be regulated by law, including potential processing of the data of the telecom operators’ customers which would be enabled by the operators.