Due to the various restrictions imposed by the Serbian Government to prevent the emergence and spread of the infectious illness COVID-19, the DPA has now issued guidelines relating to the processing of personal data during the state of emergency. It emphasized that, although certain human rights are temporarily restricted due to the declaration of the state of emergency (i.e., the right to freedom of movement and freedom of assembly), the right to the protection of personal data is not covered by these restrictions, and data controllers and processors must perform their activities in accordance with the Serbian Law on Personal Data Protection (the "Law") and other regulations governing this matter. This means that data controllers and data processors are still obliged to comply with various data protection requirements in each case of personal data processing (having an adequate legal basis and purpose for processing; processing only appropriate, relevant and limited data necessary to achieve the purpose of the processing; informing the persons whose data is being processed about the processing; implementing adequate protection measures against unauthorized and unlawful processing; and complying with other processing principles set out by the Law).
The DPA has particularly emphasized the following:
- Data pertaining to the health status of individuals represent a special type of personal data, the processing of which is generally prohibited, except where the restrictive conditions prescribed by the Law are met.
- Information on infected and diseased persons should not be disclosed in a way that enables identification of these persons, except when this is necessary under the Law.
- Processing by the employer of data relating to symptoms of potential coronavirus infection of employees, job applicants and other persons entering the employer's premises can be carried out in accordance with the regulations issued by the competent authorities to combat the coronavirus pandemic, while respecting the processing principles set out by the Law.
- Data controllers and processors who organize work from home are obliged to provide appropriate measures of personal data protection, which include measures such as checking link security and correspondence through official emails, etc. Data processors are not authorized to make decisions independently on how to proceed with data processing under changed conditions.
- Processing of data relating to COVID-19 for the purposes of scientific research may be done only if an organization registered for performing scientific research activity acts as the data controller.
- Data controllers are still obliged to act on the requests of individuals relating to the right of protection of their personal data.
The DPA concluded that it will continue to act on complaints of individuals regarding the processing of their personal data, in a manner that is adapted to the measures adopted by the Serbian Government and other competent authorities. The DPA also stated that it will continuously inform the public about all the relevant issues pertaining to the processing of personal data during the declared state of emergency.