The Serbian Data Protection Commissioner holds broad inspection powers under both the Data Protection Law and the Inspection Supervision Law. One of these powers has gained significant traction in recent months: sending companies an email with a checklist and requesting that they prepare and submit a self-assessment report to the Commissioner. The checklist consists of a series of quiz-like questions about the company's data protection compliance. Every answer is scored with a certain number of points, and the total places the company in one of several pre-determined risk categories, ranging from insignificant to critical risk. Needless to say, the companies are warned about the legal consequences that providing false information may entail.
Based on the answers received, the Commissioner prepares an annual inspection plan, placing the companies in the higher-risk categories first in line for a direct inspection, together with those that failed to respond to the request at all. The self-assessment tool lets the Commissioner quickly scan the overall compliance status of a large number of companies without any of its inspectors leaving their offices. This obviously came in very handy during the COVID-19 pandemic, but it will likely continue to be used once the pandemic ends, especially given the Commissioner's well-known understaffing problems.
According to data from the Commissioner's Annual Work Report for 2020, of the 484 entities that received the checklist, 116 failed to provide their answers, putting themselves directly on the Commissioner's radar for 2021. Since almost the same number of checklists were sent out in the first three months of 2021 alone, it is fair to assume that the Commissioner has become very fond of this instrument and will probably turn up the heat for the rest of 2021 as well, spreading anxiety throughout the business community.
Serbian companies, many of which have yet to meet even the most basic data protection requirements, suddenly find themselves much more exposed, as their self-assessment reports are likely to reveal numerous compliance gaps. The Commissioner's initiative therefore has a strong preventive effect, pushing companies to reduce their potential exposure in advance, ideally before they receive the Commissioner's request. To do so, a company should at a minimum analyse its processing activities and ensure that the key data processing principles are complied with, prepare the mandatory documents (e.g. privacy notices, internal rulebooks, data processing agreements and records of processing activities), put the transfers of personal data abroad on a proper legal footing and, where required, appoint a data protection officer.
"By failing to prepare, you are preparing to fail", goes the old saying. Since all of this usually takes more than the eight days the Commissioner generally allows for answering the checklist, this may be a good moment to drop an email to your compliance officer and check whether your company has done its homework. If you do not check, the Commissioner probably will at some point.
The Commissioner's checklist is available here (in Serbian only).